Aralez provides built-in encryption and security mechanisms to protect the sensitive data it collects during triage. By leveraging AES-GCM encryption and flexible configuration options, users can ensure that collected files are stored and transferred securely. This page explains how to configure encryption and manage security settings in the YAML configuration file.
Important: In digital forensics and incident response workflows, it is critical to handle potentially malicious files securely to prevent unintentional execution or propagation. Aralez includes a feature to encrypt collected malware samples with the password "infected". This ensures that the encrypted files cannot be accidentally executed or analyzed directly on a workstation without first being intentionally decrypted.
Overview of Encryption #
Aralez supports AES-GCM encryption, an authenticated encryption mode that protects both the confidentiality and the integrity of collected files. When encryption is enabled, files are encrypted and saved with an .enc extension. The encryption key (password) is defined in the configuration file using the encrypt field.
Configuring Encryption #
encrypt Field #
- Type: String
- Required: No
- Description: Defines the password used for encrypting files. If the encrypt field is omitted, files will remain unencrypted.
- Usage: Add the encrypt field to specific entries in the configuration to enable encryption for files collected under that entry.
Example:
tasks:
  artifacts:
    type: "collect"
    priority: 1
    entries:
      suspicious_files:
        - root_path: "\\Users\\*\\AppData\\Local"
          objects: ["*.exe", "*.dll", "*.scr"]
          max_size: 5242880
          encrypt: "securepassword123" # Files collected will be encrypted
In this example:
- Files matching the specified criteria are encrypted using the password securepassword123.
- The encrypted files are saved with an .enc extension.
Decrypting AES-GCM Encrypted Files #
When files are encrypted using AES-GCM encryption by Aralez, they are saved with a .enc extension. To decrypt these files, you need the password specified in the encrypt field of the configuration. This guide provides step-by-step instructions to decrypt the files on both Windows and Linux using commonly available tools.
Decrypting on Windows and Ubuntu #
Install OpenSSL #
On Windows:
- Download and install OpenSSL for Windows from a trusted source (e.g., ICS).
On Ubuntu:
- Open a terminal and install OpenSSL if it is not already installed:
sudo apt update
sudo apt install openssl
Prepare the Encrypted File #
- Locate the .enc file you want to decrypt (e.g., example.enc).
Decrypt the File #
- Open a Command Prompt or a terminal and run the following command:
openssl enc -d -aes-256-gcm -in example.enc -out decrypted_file -pass pass:<password> -pbkdf2
- Replace <password> with the encryption password used during file collection.
Example:
openssl enc -d -aes-256-gcm -in example.enc -out decrypted_file.txt -pass pass:securepassword123 -pbkdf2
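The decryption step works because AES-GCM is authenticated: a wrong password or a modified .enc file fails the tag check instead of yielding silently corrupted output, which is what makes it safe to rely on for triage evidence. Note that `openssl enc` in OpenSSL 1.1 and 3.x rejects AEAD modes such as `-aes-256-gcm` ("AEAD ciphers not supported by the enc utility"), so verify the command above against your OpenSSL version before putting it in a runbook. The Go program below is an added example, not Aralez's code: it derives the AES-256 key from the password with PBKDF2-HMAC-SHA256 (the KDF behind openssl's -pbkdf2) and assumes a blob layout of salt || nonce || ciphertext+tag, which is an assumption for illustration and not Aralez's documented file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
const saltLen, nonceLen, iterations = 16, 12, 100000 // per-file salt, GCM nonce, PBKDF2 rounds

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key, i.e. a single HMAC block.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := func(b []byte) []byte { m := hmac.New(sha256.New, password); m.Write(b); return m.Sum(nil) }
	u := prf(append(append([]byte(nil), salt...), 0, 0, 0, 1)) // U_1 = PRF(salt || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ { // U_i = PRF(U_{i-1}); T = U_1 xor ... xor U_iter
		u = prf(u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// newGCM turns the password and a per-file salt into an AES-256-GCM instance.
func newGCM(password string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations)) // 32-byte key never errors
	gcm, _ := cipher.NewGCM(block)                                                // AES block never errors
	return gcm
}

// Seal encrypts one collected file as salt || nonce || ciphertext+tag (layout assumed for this example).
func Seal(password string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return newGCM(password, hdr[:saltLen]).Seal(hdr, hdr[saltLen:], plaintext, nil), nil
}

// Open returns an error, never garbage, on a wrong password or any modified byte.
func Open(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("blob too short to hold salt, nonce and tag")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	return newGCM(password, salt).Open(nil, nonce, ct, nil)
}
```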