4. GPG Signing and Validation
When you install Hunchly it generates a GPG key pair. Your private key stays with your Hunchly installation, and the public key is included when you do a full case export to zip file. Each MHTML capture is signed with your private key and produces a .sig file.
For example, after you capture a page, its filename will be in the format PAGEID.mhtml and the GPG signature file will be PAGEID.mhtml.sig.
This signature can then be used to check whether an MHTML file produced by Hunchly was tampered with or altered in any way. If the file was changed after it was captured and signed by Hunchly, signature verification will fail and you will know that the MHTML content has been modified.
Validating GPG Signatures
If you have submitted a full Hunchly case zip file there will be a public key named public.key in the export. You will use this key to validate captured web pages. The steps for each operating system are below, although there are many GPG compliant tools available, so use the tool you feel most comfortable with.
1. Windows
- Download and install GPG4Win for Windows. We recommend the installer you can grab from here: https://gpg4win.org/thanks-for-download.html
GPG4Win has a nice GUI that you can use called Kleopatra. First right-click on the public.key file in your Hunchly export and from the More GPGEx menu select Import Keys. If you do not already have a private/public key pair on the system it will ask you to create one:
Simply follow the onscreen prompts, fill out a name and email address, and enter a passphrase to secure the keypair. Note that this keypair is not for use with secure emailing; we are just using it so that the Hunchly public key can be imported.
Once you have set up your keypair and imported the Hunchly public.key, you can verify captured pages by right-clicking on the PageID.mhtml.sig file and from the More GPGEx menu selecting Verify.
If the verification was successful you should see a message as shown below:
If the verification has failed then you will be shown a dialog as shown below, and this indicates you should not trust that the page has not been tampered with:
2. macOS
- Download and install GPG. We recommend the installer you can grab from here: https://sourceforge.net/p/gpgosx/docu/Download/
Using the Terminal app, import the public key from the Hunchly export.
gpg2 --import public.key
Now you can verify any page by doing the following:
gpg2 --verify PageID.mhtml.sig
The resulting output should look like so when validating 1.mhtml as an example:
$ gpg2 --verify pages/1.mhtml.sig
gpg: assuming signed data in 'pages/1.mhtml'
gpg: Signature made Wed 10 Oct 14:04:13 2018 PDT
gpg: using RSA key C21DE145181D0125
gpg: Good signature from "Hunchly Signing Key (2018-10-10 13:42:58) <Fj1CvL2tJWLTlSq1aNiS9YSND2bOCkHhw6AOos5p7VQT8PTJHh9yuFv8bES4WJGn-key@hunch.ly>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2E37 C58A A8F5 B65D 0710 4CA2 C21D E145 181D 0125
If you see "Good signature", the GPG signature was validated. If you modify even a single character in the MHTML file and try to validate the signature, you will see a message like so:
$ gpg2 --verify pages/1.mhtml.sig
gpg: assuming signed data in 'pages/1.mhtml'
gpg: Signature made Wed 10 Oct 14:04:13 2018 PDT
gpg: using RSA key C21DE145181D0125
gpg: BAD signature from "Hunchly Signing Key (2018-10-10 13:42:58) <Fj1CvL2tJWLTlSq1aNiS9YSND2bOCkHhw6AOos5p7VQT8PTJHh9yuFv8bES4WJGn-key@hunch.ly>" [unknown]
- The message "BAD signature" indicates that the data has been modified and you should no longer trust that the page has not been tampered with.
3. Linux
Install GPG 2.0 using the following command:
sudo apt install gnupg2
- From there the steps are identical to the steps in the Mac OSX section above.
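The command-line procedure above checks one signature at a time and relies on reading the "Good signature" / "BAD signature" text by eye. The example below is an added illustration, not part of Hunchly or this guide; it wraps the same gpg invocation so that every PageID.mhtml.sig in an export's pages folder is verified in one pass, using GnuPG's machine-readable --status-fd output instead of the human-readable text. It also compares the fingerprint of the key that made each signature against the fingerprint of the public.key shipped in the export, because a "Good signature" line on its own only says that some key in your keyring verified the data, and the "[unknown]" trust warning shown above means gpg cannot tell you which key that should be. It assumes gpg (GnuPG 2.x) is on PATH and that public.key has already been imported; the expected fingerprint constant is the one printed in the sample output above and must be replaced with the fingerprint of the public.key in the export you are examining. The sample status lines embedded for testing are constructed.

```python
"""Batch-verify Hunchly capture signatures and confirm which key signed them.

Added example, not Hunchly's own code. Assumes `gpg` (GnuPG 2.x) is on PATH
and the export's public.key has been imported. EXPECTED_FPR is the fingerprint
from the guide's sample output; replace it with the fingerprint of the
public.key found in the export you are examining (run `gpg --fingerprint`
after importing it).
"""
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# Fingerprint printed in the guide's sample output (placeholder for your export's key).
EXPECTED_FPR = "2E37 C58A A8F5 B65D 0710 4CA2 C21D E145 181D 0125"


@dataclass
class VerifyResult:
    path: str          # the .sig file that was checked
    status: str        # "good", "bad" or "error" (no usable signature status)
    fingerprint: str   # fingerprint of the key that made the signature, if reported
    key_matches: bool  # True only if status is "good" AND the fingerprint is the expected one


def parse_gpg_status(status_text: str, expected_fpr: str) -> VerifyResult:
    """Interpret GnuPG --status-fd output for one detached-signature verification.

    GOODSIG / BADSIG report whether the signature checks out. VALIDSIG is only
    emitted for a good signature; its first field after the keyword is the full
    fingerprint of the signing key, which is what we compare against the export.
    """
    status = "error"
    fingerprint = ""
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            status = "good"
        elif keyword == "BADSIG":
            status = "bad"
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
    expected = expected_fpr.replace(" ", "").upper()
    matches = status == "good" and fingerprint != "" and fingerprint == expected
    return VerifyResult(path="", status=status, fingerprint=fingerprint, key_matches=matches)


def verify_capture(sig_path: Path, expected_fpr: str = EXPECTED_FPR) -> VerifyResult:
    """Run gpg --verify on one PageID.mhtml.sig (gpg locates PageID.mhtml itself)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path)],
        capture_output=True, text=True,
    )
    result = parse_gpg_status(proc.stdout, expected_fpr)
    result.path = str(sig_path)
    return result


def verify_export(pages_dir: Path, expected_fpr: str = EXPECTED_FPR) -> list[VerifyResult]:
    """Verify every *.mhtml.sig under the export's pages directory."""
    return [verify_capture(p, expected_fpr) for p in sorted(pages_dir.glob("*.mhtml.sig"))]


# Constructed sample status output (shape of real GnuPG output, values made up
# to match the guide's sample fingerprint) so the parser can be exercised offline.
SAMPLE_GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C21DE145181D0125 Hunchly Signing Key (2018-10-10 13:42:58)
[GNUPG:] VALIDSIG 2E37C58AA8F5B65D07104CA2C21DE145181D0125 2018-10-10 1539205453 0 4 0 1 8 00 2E37C58AA8F5B65D07104CA2C21DE145181D0125
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG C21DE145181D0125 Hunchly Signing Key (2018-10-10 13:42:58)
"""
# A good signature from a different key than the one in the export: should NOT be accepted.
SAMPLE_WRONG_KEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Some Other Key
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2018-10-10 1539205453 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
"""

if __name__ == "__main__":
    pages = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("pages")
    for r in verify_export(pages):
        verdict = "OK" if r.key_matches else "DO NOT TRUST"
        print(f"{r.path}: {r.status} signature, key {r.fingerprint or '-'} -> {verdict}")
```

Run it from the unzipped export as `python verify_export.py pages`. A capture is only reported as OK when the signature is good and the signing key is the one whose public half shipped in the export; a good signature from any other key, or a BAD signature, is reported as not trustworthy.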
Potential Evidence Challenges
There are a few ways that the GPG signing method we use can be attacked. One of the biggest challenges is that the GPG key generation is local to your machine, as the investigator. Ideally the key generation would happen with a trusted third party and be controlled centrally, but because Hunchly is deployed in sensitive locations this is not feasible.
This means that an evil investigator, with minor technical skills, could in fact attack the GPG signing in Hunchly by doing the following:
- Extract the private / public key pair from the Hunchly database.
- Modify the content of the MHTML page they wish to alter.
- Re-sign the page manually using the private / public key pair.
- Submit the page as evidence, and the GPG signing will still validate as if the content was accurate.
As covered in the Hashing section of this guide, there are still ways for you to verify that the content was tampered with if you see abnormalities in the content or question whether the GPG signature is valid.