How to tell if a file is encrypted?

Discussion in 'Highly Technical' started by VirtualLarry, Nov 5, 2012.

  1. VirtualLarry

    Is there a way to check yes/no whether a stream of bytes has been encrypted? Rather than compressed? Some way to check entropy?
     
  2. CycloWizard

    I'm sure the answer is yes, but I have no idea how to go about it. You might want to post this in the programming forum.
     
  3. Wizlem

    If something has been compressed, it will have a near flat distribution of values (otherwise you could compress it again and achieve better compression).

    If something were compressed before encryption then it would maintain that flat distribution.

    If you are confident something is either compressed or encrypted but not both or neither, then you just have to look at how the values are distributed. Nonrandom data will have some values more common than others. Compressed data will look random.

    The big problem is probably that encryption is going to use some huge number of bits, so there could be a huge number of possible values.
     
    #3 Wizlem, Nov 6, 2012
    Last edited: Nov 6, 2012
  4. imagoon

    There was some discussion about this on TrueCrypt's website at one point. The only way to know "for sure" was to decrypt it with the key; however, you could infer encrypted data if you had some idea of what was in the "file." I.e., an encrypted TrueCrypt file typically emulated a disk, so there were certain 512-byte patterns and 4k patterns (NTFS in this case) that could deduce there was higher odds that the file contained encrypted data. They also mentioned under no case should you back up the encrypted file as is, since if an attacker had access to both files, the deltas would give away that it was an encrypted file. They basically said "encrypt your encrypted backups."

    They also mentioned what Wizlem mentioned about distributions. Encrypted vs Random data should look the same. It is harder for the Encrypted data to be truly flat though.

    This was really above me though since my crypto level is pretty low.
     
  5. unokitty


    My experience is that a compressed file looks a lot like an encrypted file. Though, the goal of an encrypted file is to have a perfectly random character distribution.

    The only entropy checker that I've used is the one that comes in Cryptool. Don't know enough about your situation to know whether or not it would work for you. But you may want to check it out.


    Best of luck,
    Uno
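
An added example, not code from any poster in this thread: it measures the byte distribution Wizlem describes and the entropy unokitty mentions, then shows that only a format header separates compressed from cipher-like data. The function names, the 7.5 bits/byte cut-off, the word list and the SHA-256 counter-mode stand-in for ciphertext are all assumptions made for the illustration.

```python
import hashlib, math, zlib
from collections import Counter

# Leading bytes of common compressed formats (raw streams carry none).
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"\x78\x9c": "zlib", b"BZh": "bzip2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a perfectly flat distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Distance of the byte histogram from uniform; about 255 for random data."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts[b] - expected) ** 2 / expected for b in range(256))

def classify(data: bytes, threshold: float = 7.5) -> str:
    """Statistics first, then headers; the threshold is an assumed cut-off."""
    if shannon_entropy(data) < threshold:
        return "low entropy"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return f"compressed ({name} header)"
    return "high entropy, no header: encrypted or raw compressed"

def keystream(n: int, seed: bytes) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples: word-salad text, its zlib form, the same stream with
# header and checksum stripped, and cipher-like bytes of equal length.
WORDS = "the file stream bytes entropy random value data key disk sector block".split()
TEXT = " ".join(WORDS[b % len(WORDS)] for b in keystream(60000, b"text")).encode()
COMPRESSED = zlib.compress(TEXT)
RAW_DEFLATE = COMPRESSED[2:-4]
CIPHER_LIKE = keystream(len(COMPRESSED), b"cipher")

if __name__ == "__main__":
    samples = [("text", TEXT), ("zlib", COMPRESSED),
               ("raw deflate", RAW_DEFLATE), ("cipher-like", CIPHER_LIKE)]
    for label, blob in samples:
        print(f"{label:12} H={shannon_entropy(blob):.3f} "
              f"chi2={chi_square(blob):10.1f} -> {classify(blob)}")
```

Once the zlib header is stripped, the raw deflate stream and the cipher-like bytes get the same verdict, which is the ambiguity the posts above describe.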
     