Gpg4win is an email and file encryption package for most versions of Microsoft Windows, which uses GnuPG public-key cryptography for data encryption and digital signatures. At the time of writing, I was using gpg4win-3.1.5, which comes with Kleopatra (GUI) and the GnuPG binaries. PGP is great for privacy but has often been used by criminals to help keep their communications private; an example of this would be vendors on popular Darknet markets. So I was curious: what forensic artifacts would Gpg4win leave behind? Does it use secure deletion methods? Are my public and private keys recoverable/identifiable?
I installed gpg4win-3.1.5 onto my Windows 7 virtual machine. With the software installed, I created my public/private key pair and then imported the public keys from the Monero source code to populate Kleopatra with public keys.
I then opened %APPDATA%/gnupg which is where Gpg4win stores public/private keys.
There are two files and one folder of interest to a forensic investigator.
- private-keys-v1.d Stores private keys for GnuPG.
- pubring.kbx Stores public keys for GnuPG.
- pubring.kb_ Stores public keys for GnuPG.
Now that I had located which files and folders are used for what, I selected all the keys in Kleopatra (CTRL + A) and deleted them. I then checked %APPDATA%/gnupg to see if anything had changed.
It looks like the private keys were deleted from the system, judging by the access time, but pubring.kbx had not even been touched. Pretty interesting. I put pubring.kbx through strings to see if any public key information would appear, and yes!
C:\Users\Mal\Desktop>strings.exe C:\Users\Mal\AppData\Roaming\gnupg\pubring.kbx > output.txt
Riccardo Spagni <[email protected]>
DonTest <[email protected]>
...
That was just a snippet of the output, but the information about the public keys is still there! An attacker could see who you were in contact with, or law enforcement could use this as evidence. Pretty bad!
I then wanted to check whether private keys are recoverable once deleted. I opened up WinHex and navigated to the %APPDATA%/gnupg/private-keys-v1.d folder, and good news: no keys were there! It looks like GnuPG is using secure deletion methods for private keys.
Gpg4win uses secure deletion methods for its private keys but nothing for the public keychain. This is bad for privacy because an attacker can see who you’ve been in contact with and which public key correlates with your identity. So if you want to securely delete the public key information from your Gpg4win installation, make sure to overwrite pubring.kbx and pubring.kb_ with 0x00 bytes so no information is recoverable. Thanks for reading my first post. 😊
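As an added example (my own, not code from the post or from Gpg4win), a small Python check of the two files named above: it scans pubring.kbx and pubring.kb_ for leftover "Name <email>" user IDs the way strings.exe surfaced them, overwrites both files with 0x00 as recommended, and re-scans to confirm nothing is left. The directory and the sample bytes are constructed for the demo and stand in for %APPDATA%\gnupg and a real keybox.

```python
import os
import re
import tempfile
from pathlib import Path

# User IDs sit in the keybox as printable "Name <email>" strings between binary data.
UID_RE = re.compile(rb"(?<![\x20-\x7e])[\x20-\x7e]{1,64}? <[\w.+-]+@[\w.-]+>")


def find_user_ids(data: bytes) -> list:
    """Return every 'Name <email>' user ID found in raw keybox bytes."""
    return [m.group(0).decode("ascii").strip() for m in UID_RE.finditer(data)]


def scan_keybox_files(gnupg_dir: Path) -> dict:
    """Scan pubring.kbx and its pubring.kb_ copy for leftover user IDs."""
    results = {}
    for name in ("pubring.kbx", "pubring.kb_"):
        path = gnupg_dir / name
        if path.is_file():
            results[name] = find_user_ids(path.read_bytes())
    return results


def zero_fill(path: Path) -> int:
    """Overwrite the file in place with 0x00 bytes; returns the size overwritten."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    return size


def demo() -> tuple:
    """Constructed sample (not a valid keybox): binary filler around two user IDs."""
    sample = (b"\x00\x00\x00\x1c" + b"\x9b\x1e\xa3" * 8
              + b"Riccardo Spagni <rs@example.invalid>" + b"\x00\x00\x10"
              + b"DonTest <dontest@example.invalid>" + b"\xff\x00\x11\x02")
    with tempfile.TemporaryDirectory() as tmp:  # stands in for %APPDATA%\gnupg
        gnupg_dir = Path(tmp)
        for name in ("pubring.kbx", "pubring.kb_"):
            (gnupg_dir / name).write_bytes(sample)
        before = scan_keybox_files(gnupg_dir)   # user IDs still readable
        for name in before:
            zero_fill(gnupg_dir / name)
        after = scan_keybox_files(gnupg_dir)    # nothing left to recover
    return before, after


if __name__ == "__main__":
    print(demo())
```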