How to tell if a file is encrypted?

Discussion in 'Highly Technical' started by VirtualLarry, Nov 5, 2012.

  1. VirtualLarry

    VirtualLarry Lifer

    Aug 25, 2001
    Is there a way to check yes/no whether a stream of bytes has been encrypted? Rather than compressed? Some way to check entropy?
  3. CycloWizard

    CycloWizard Lifer

    Sep 10, 2001
    I'm sure the answer is yes, but I have no idea how to go about it. You might want to post this in the programming forum.
  4. Wizlem

    Wizlem Member

    Jun 2, 2010
    If something has been compressed, it will have a near flat distribution of values (otherwise you could compress it again and achieve better compression).

    If something were compressed before encryption then it would maintain that flat distribution.

    If you are confident something is either compressed or encrypted but not both or neither, then you just have to look at how the values are distributed. Nonrandom data will have some values more common than others. Compressed data will look random.

    The big problem is probably that encryption is going to use some huge number of bits, so there could be a huge number of possible values.
    #3 Wizlem, Nov 6, 2012
    Last edited: Nov 6, 2012
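
Added example (not code from any post in this thread): the byte-distribution check described in the post above, measuring Shannon entropy and a chi-square distance from a flat histogram. The sample inputs are constructed, the SHA-256 counter-mode `keystream` is only a stand-in for real ciphertext, and the 7.5 bits/byte cutoff is an assumption.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (constant) up to 8.0 (perfectly flat)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square distance from a flat byte histogram (about 255 if random)."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes, min_entropy: float = 7.5) -> bool:
    """True if flat enough to be compressed OR encrypted (assumed cutoff)."""
    return shannon_entropy(data) >= min_entropy


def keystream(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """SHA-256 counter-mode bytes: a constructed stand-in for ciphertext."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


# Constructed samples: log-like text, the same text deflated, cipher-like bytes.
raw = keystream(40_000, b"log-values")
PLAINTEXT = b"".join(b"GET /item/%d 200 %d\n" % (raw[i], raw[i + 1] * 37)
                     for i in range(0, len(raw), 2))
SAMPLES = {
    "plaintext": PLAINTEXT,
    "compressed": zlib.compress(PLAINTEXT, 9),
    "cipher-like": keystream(65_536),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, len(blob), round(shannon_entropy(blob), 3), round(chi_square(blob), 1))
```

Entropy separates the plaintext from the other two samples, but the compressed and cipher-like samples both pass `looks_random`, so this check alone cannot answer "compressed or encrypted?".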
  5. imagoon

    imagoon Diamond Member

    Feb 19, 2003
    There was some discussion about this on TrueCrypt's website at one point. The only way to know "for sure" was to decrypt it with the key; however, you could infer encrypted data if you had some idea of what was in the "file." I.e., an encrypted TrueCrypt file typically emulated a disk, so there were certain 512-byte patterns and 4k patterns (NTFS in this case) from which you could deduce there were higher odds that the file contained encrypted data. They also mentioned that under no case should you back up the encrypted file as is, since if an attacker had access to both files, the deltas would give away that it was an encrypted file. They basically said "encrypt your encrypted backups."

    They also mentioned what Wizlem mentioned about distributions. Encrypted vs. random data should look the same. It is harder for the encrypted data to be truly flat, though.

    This was really above me though since my crypto level is pretty low.
  6. unokitty

    unokitty Diamond Member

    Jan 5, 2012
    My experience is that a compressed file looks a lot like an encrypted file. Though, the goal of an encrypted file is to have a perfectly random character distribution.

    The only entropy checker that I've used is the one that comes in CrypTool. Don't know enough about your situation to know whether or not it would work for you. But you may want to check it out.

    Best of luck,