So, I have an image with at least 1 file with an entropy os 7.9. I have validated that with sigcheck (Sysinternals). When I load the image, check Encryption Detection at the Ingress Modules, set min entropy to 6 and min file size to 1mb, Autopsy doesn’t find that file. What’s more, even when I add the logical files as source it still does not detect encryption. Not even when I re-run that specific ingress module. Are there any more variables that the module takes into account that I do not know of? I suspect it isn’t a encryption container like Truecrypt or Veracrypt.
Is there any chance you checked the box that says “Consider only files with sizes that are multiples of 512” and your file size is not a multiple of 512?
Nah…I’ve been not so smart. I’m doing a course and I have misread the size of the files that I’m talking about. They’re only 4kb so they can’t be checked by Autopsy. Which brings me to my next question: is it possible to show the entropy of files in the data source listing?
Thanks for answering.
No sorry - the entropy is only recorded if the encryption detection module flags the file.
Thanks. Back to EnCase then I guess