Bitcoin Forum
November 13, 2024, 12:03:15 PM *
Author Topic: Forensic Tool Cracks BitLocker, PGP, TrueCrypt Containers  (Read 1910 times)
idev (OP)
Hero Member
*****
Offline Offline

Activity: 860
Merit: 1004


BTC OG and designer of the BitcoinMarket.com logo


View Profile
May 19, 2013, 01:16:01 PM
 #1

Quote
A new software tool, Elcomsoft Forensic Disk Decryptor, promises to decrypt encryption containers created using BitLocker, PGP and TrueCrypt.

The software from ElcomSoft -- a Russian provider of encryption-cracking software and other digital forensic tools -- accomplishes the feat not by cracking the containers themselves, but rather by exploiting the fact that once the containers are accessed, the decryption passwords get stored in computer memory. The software is designed to be used by digital forensic investigators -- for example, when investigating suspected insider theft incidents.

"BitLocker, PGP and TrueCrypt set [an] industry standard in the area of whole-disk and partition encryption," said ElcomSoft CEO Vladimir Katalov in a blog post. "All three tools provide strong, reliable protection, and offer a perfect implementation of strong crypto." As a result, he said that if a user of those tools picks a
long, complex password, cracking the encryption container outright would likely be impossible.

One encryption container Achilles' heel, however, happens when the containers get accessed on a computer. "No one likes typing their long, complex passwords every time they need to read or write a file," said Katalov. "As a result, keys used to encrypt and decrypt data that's being written or read from protected volumes are kept readily accessible in the computer's operating memory. Obviously, what's kept readily accessible can be retrieved near instantly by a third-party tool."

What's needed first, however, is a memory dump, which can be grabbed either using forensic tools, or via a Firewire attack, even if a computer is in hibernation or sleep mode. The Elcomsoft tool then attempts to extract the encryption keys from that dump. "The new product includes algorithms allowing us to analyze dumps of computers' volatile memory, locating areas that contain the decryption keys," Katalov said. "Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers' internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known."

But there's one big caveat when grabbing the needed memory dumps: The targeted encryption containers must be mounted to the computer. "It's important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password," said Katalov.

The three encryption containers targeted by the software comprise some of the most-used file encryption tools on the market. Microsoft's BitLocker To Go, for example, allows data on removable devices to be encrypted and is included with some premium versions of Windows 7 and Vista, as well as Windows 8.

TrueCrypt, meanwhile, is well-regarded open source data encryption software that currently runs on Windows 7, Vista and XP, as well as Mac OS X and Linux systems. Finally, PGP -- which stands for Pretty Good Privacy -- is available from Symantec, which acquired PGP in 2010.

Elcomsoft also has added plug-ins for TrueCrypt and BitLocker To Go to its Distributed Password Recovery software, which allows users to subject encryption containers to a variety of brute-force attack techniques, as well as a dictionary, password mask and permutation attacks.
Source: informationweek.co.uk
Quartx
Hero Member
*****
Offline Offline

Activity: 1036
Merit: 504


Becoming legend, but I took merit to the knee :(


View Profile WWW
May 19, 2013, 01:25:48 PM
 #2

Common knowledge that encryption keys can be obtained from memory dumps

pekv2
Hero Member
*****
Offline Offline

Activity: 770
Merit: 502



View Profile
May 19, 2013, 02:00:20 PM
 #3

Quote
Common knowledge that encryption keys can be obtained from memory dumps

I've always disabled my memory dump via registry. More so, that a huge MB file does not get written to my SSD.

Code:
; Disable Bug Check Memory Dump (CrashDumpEnabled 0 = no dump file is written on a bug check)

[HKLM\SYSTEM\CurrentControlSet\Control\CrashControl]

"CrashDumpEnabled"=dword:00000000
"LogEvent"=dword:00000000
"SendAlert"=dword:00000000

; Disable Memory Dumps (same values, full hive name as used in a .reg file)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000000
"LogEvent"=dword:00000000
"SendAlert"=dword:00000000

http://virtualfeller.com/2010/07/23/windows-7-registry-optimizations-for-virtual-desktops/
Este Nuno
Legendary
*
Offline Offline

Activity: 826
Merit: 1002


amarha


View Profile
May 19, 2013, 05:38:59 PM
 #4

I wonder what the target market for a product like this is? I know it says digital forensics investigators, but I would assume any professional is doing this already.
jaywaka2713
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


aka 7Strykes


View Profile
May 19, 2013, 08:22:40 PM
 #5

The key you enter only gets stored in the memory if you tell it to cache the data upon opening the TrueCrypt container. AFAIK that's what I thought. Also, if you use keyfiles, doesn't that render this software useless? I have all my wallet files behind an AES SHA-512 TrueCrypt container with a 21 character password with 4 keyfiles, each stored in a completely different place. One on the drive the container is on, one on Dropbox, one on a separate drive, and the last one as a miscellaneous file on my computer. You need all 4 keyfiles to open the drive. The container is also behind an encrypted 7zip archive with a 14 character password backed up to cloud hosting, in case the flashdrive it is on is lost. The keyfile on the flashdrive is also stored with it. Based off that form of security, isn't it theoretically impossible for this software to crack my container?

OnkelPaul
Legendary
*
Offline Offline

Activity: 1039
Merit: 1005



View Profile
May 19, 2013, 08:32:11 PM
 #6

The assumption they are making is that law enforcement (or other folks wanting to get at your data) can secretly install something on your computer (hardware or software) before you access the encrypted data, and retrieve the encryption key (not necessarily the passphrase, but the key used by the encryption algorithm) and store it where they can later use it when they grabbed your encrypted disk.
So unless you constantly watch over your hardware or have reliable tamper-detection, you're not really sure whether your computer is safe.
Even your multiple-factor scheme would break, although it would be safe from a simple keylogger attack.

Onkel Paul
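
OnkelPaul's point, and the keyfile question in #5, come down to where the secret lives once the volume is open. The following is an added illustration, not code from this thread or from any of the products named in the article: a toy container model in stdlib Python, with an assumed simplified keyfile-mixing scheme and an HMAC-based toy stream cipher standing in for AES. In it the password and keyfiles only ever unlock the master key; while the volume is mounted that master key sits in a RAM slot, a dump of that slot decrypts data with no password and no keyfile, and after unmount the slot is zeroed and the same dump is useless. Names such as Container, mount, memory_dump and decrypt_with_dumped_key are the example's own.

```python
"""Toy model of a password/keyfile-protected container (constructed for
illustration; it does NOT implement the real TrueCrypt, BitLocker or PGP formats)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 20_000  # real tools iterate far more; kept modest for a quick demo
KEY_LEN = 32


def mix_password_and_keyfiles(password: bytes, keyfiles: list) -> bytes:
    """Assumed (simplified) keyfile mixing: fold a hash of each keyfile into the
    password material, so every keyfile is needed to reproduce the result."""
    h = hashlib.sha512(password)
    for kf in keyfiles:
        h.update(hashlib.sha512(kf).digest())
    return h.digest()


def derive_header_key(password: bytes, keyfiles: list, salt: bytes) -> bytes:
    """Slow derivation of the key that wraps the master key. This is the only
    place where password length and keyfile count buy any security."""
    material = mix_password_and_keyfiles(password, keyfiles)
    return hashlib.pbkdf2_hmac("sha512", material, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA512 in counter mode) standing in for AES so the
    example needs only the standard library. Encrypt and decrypt are the same op."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha512).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Container:
    def __init__(self, password: bytes, keyfiles: list):
        self.salt = os.urandom(16)
        self.header_nonce = os.urandom(8)
        self.data_nonce = os.urandom(8)
        master_key = secrets.token_bytes(KEY_LEN)  # the key that actually encrypts data
        header_key = derive_header_key(password, keyfiles, self.salt)
        # Stored on disk: the master key wrapped by the header key, plus a check value
        # so a wrong password or keyfile set is rejected instead of yielding garbage.
        self.wrapped_master_key = keystream_xor(header_key, self.header_nonce, master_key)
        self.master_key_check = hashlib.sha256(master_key).digest()[:8]
        self._ram = bytearray(KEY_LEN)  # stands in for the driver's key slot in kernel memory

    def mount(self, password: bytes, keyfiles: list) -> None:
        """Unwrap the master key and park it in RAM for the lifetime of the mount."""
        header_key = derive_header_key(password, keyfiles, self.salt)
        candidate = keystream_xor(header_key, self.header_nonce, self.wrapped_master_key)
        if hashlib.sha256(candidate).digest()[:8] != self.master_key_check:
            raise ValueError("wrong password or keyfiles")
        self._ram[:] = candidate

    def unmount(self) -> None:
        """Wipe the key slot: after this a memory dump of the slot holds nothing usable."""
        self._ram[:] = bytes(KEY_LEN)

    def is_mounted(self) -> bool:
        return any(self._ram)

    def _crypt(self, sector: int, data: bytes) -> bytes:
        if not self.is_mounted():
            raise RuntimeError("volume not mounted")
        nonce = self.data_nonce + sector.to_bytes(8, "big")  # per-sector nonce, no reuse
        return keystream_xor(bytes(self._ram), nonce, data)

    def write(self, sector: int, plaintext: bytes) -> bytes:
        """Encrypt one sector with the in-RAM master key."""
        return self._crypt(sector, plaintext)

    def read(self, sector: int, ciphertext: bytes) -> bytes:
        """Decrypt one sector with the in-RAM master key."""
        return self._crypt(sector, ciphertext)

    def memory_dump(self) -> bytes:
        """What a forensic (or Firewire DMA) acquisition captures from the key slot."""
        return bytes(self._ram)


def decrypt_with_dumped_key(container: Container, dump: bytes, sector: int,
                            ciphertext: bytes) -> bytes:
    """Decrypt a sector using only the dumped key slot: no password, no keyfiles."""
    nonce = container.data_nonce + sector.to_bytes(8, "big")
    return keystream_xor(dump, nonce, ciphertext)
```

The check in mount is why a wrong password or a missing keyfile fails cleanly rather than producing garbage, and the unmount path is the "otherwise, the decryption keys are destroyed" case Katalov describes. In a real driver the wipe has to reach every copy the kernel made (this toy already copies the key once per read or write), which is why the hibernation and sleep caveat in the article matters as much as the mount state itself.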

jaywaka2713
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


aka 7Strykes


View Profile
May 19, 2013, 08:33:09 PM
 #7

Quote
The assumption they are making is that law enforcement (or other folks wanting to get at your data) can secretly install something on your computer (hardware or software) before you access the encrypted data, and retrieve the encryption key (not necessarily the passphrase, but the key used by the encryption algorithm) and store it where they can later use it when they grabbed your encrypted disk.
So unless you constantly watch over your hardware or have reliable tamper-detection, you're not really sure whether your computer is safe.
Even your multiple-factor scheme would break, although it would be safe from a simple keylogger attack.

Onkel Paul

So essentially install a keylogger. No need for this memory dump voodoo.
