Hibernation, is it really such a boon?
ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data. Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods …
Hibernation, is it really such a boon?
If anyone has ever read the Truecrypt site and forums they would already know 2 things.
Hibernation and encryption don't work securely together. and,
Disk encryption doesn't protect an open encrypted volume.
Only a system that is designed to clear the encryption key out of memory at hibernation and ask for it again when waking up is secure to go to sleep. Other then that, turn it off. I need to to experiment with SSDs using full disk encryption to see what the performance is like for full shutdowns and startups. Oh, and if you ever use a SSD on for an encrypted disk and want to change your key, move all your data off and do a factory wipe on it.
Precisely. And PGPDisk goes as far as to disable hibernation by default. And clears the key from memory when no longer needed. And has a timeout after which it dismounts the disk (as does TrueCrypt).
Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you. Not to mention that it is much simpler to install a keylogger (even a hardware one) than to sniff the computer's memory.
This whole thing sounds like a lot of self-serving hype from the part of ElcomSoft.
I've seen encrypted swap with hibernation work on Ubuntu.
One has to wonder if fragmenting the key in memory a different way every time, and perhaps changing how periodically, would thwart this scheme...
"Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you."
Exactly. The point is that you're tainting the evidence. I presume the way this is meant to be used is that you read the key from memory and save it somewhere such as a USB stick, then you power off the computer, make a forensic copy of the discs, and decrypt the copy with the key you have availed yourself of.
Of course, you need prior intelligence or a keen instinct to know that encryption might be in use, as the standard forensic procedure is to walk up to the computer (take video, pics, notes, etc.) and pull the cord from the back of the machine (not the power outlet), or remove the battery in the case of a laptop or similar portable device. If you only discover that the target uses encryption by the time you have cloned the disks you'll be banging your head against the desk for a bit and eventually resort to some hopefully legalised form of rubber hose cryptanalysis.
The option to do Whole-Disk Encryption in TrueCrypt will encrypt the hibernation file as well. You are required to enter your decryption key upon start-up/resume, where it then decrypts the boot volume (with the hibernation file) and then continues to boot as normal. So even Hibernation with whole-disk encryption is safe for TrueCrypt installs.
First, one never caches passwords.
Second, one ALWAYS unmounts encrypted devices before entering hibernation.
Third, one sets up a high explosive charge on the device in hibernation, as the BOFH and I agreed was a proper security practice.
And DO look up BOFH, if you don't know what that is before you spill idiocy in the false form of grief over the last bit of humour.
That sounds precisely the issue.
Self serving nonsense from a vendor trying to sell a product by precisely ignoring every precaution and probably disabling security features to induce the intended behaviour.
Certainly it is hype. As always, no computer system can be protected from a skilled attacker when he is given physical access to a runing machine. Shall we also call the theft of a laptop a denial of service attack?.
Only thing a smart person has to do is make it to the computer and pull the power cord, and most ppl now days don't use hibernate so that route is kinda useless.
What do you base that on?
Anecdotally, I'd say a hell of a lot of people still use hibernate, certainly enough to make this a big deal.
I use Hibernate all the time on my Windows laptop and have done for many years. It gives a quick and simple 'back to life' experience, compared to a full Start.
On a laptop? With some juice still in the battery?
The funny part is when the police cut the power prior to entering to confuse and disorinate anyone inside.
I was investigating a discrepancy between [used+free space] and [total space] of roughly 8GB (his RAM size) as displayed by Explorer on my mate's Win7 computer the other day... first Google result suggested a hibernation file could be responsible. It was. He has never used hibernation, so is this file just reserve the space for OS feature, or does it actually contain RAM contents?
No biggie, just curious.
[Edit: Ryan's comment below would suggest that it contains RAM contents]
I believe that once you activate the possibility of hibernation, a file is automatically created to reserve that space. It would be a bit of a bugger if you were in a rush to leave and hit "hibernate", only to have Windows start up the "disk cleanup wizard" for you....
What happens is that, when hibernation is enabled, a file called HIBERFIL.SYS is allocated in the boot root directory. It's as big as your RAM allocation and is created to ensure the necessary space for hibernation is ready at hand. Once you hibernate once, the file will contain the RAM contents at the point of that hibernation. I would think HIBERFIL.SYS at any given point will thus contain the RAM contents of the last hibernation.
On a side note: it's £299, not $299. £1 = $1.62 U.S., so that would make it $484.
It would be a real bugger if you didn't have hibernation activated and then Windows activated and required a reboot. I could just see Clippy asking if you need help with a reboot for activating hibernation.
Hmm, when I check its 299 Euros in France, currently the spot rate is around 1.23 so at around 1.21 on my CC it would cost £247.11
I wonder if those clever chaps at Elcomsoft cant do currency conversions on the fly?
How is this of any use to anyone? I'm probably being brain dead but being as it gets the key from memory so you'd have to have made someone enter the password in the first place?
Hibernate is a non-issue as you just don't use it.
The idea is that the target is already using their computer when plod charge into the house and hope they can get to the computer before the user gets to the power switch.
Anyone needing to protect their data that badly...
1. Doesn't host it locally
2. has self destruct mechanisms for wiping the data in an emergency. (Yes, i believe one hosting company attempted to design a system which used thermite for this purpose).
> you'd have to have made someone enter the password in the first place?
Which is exactly what the article says. You have your nice secure laptop using an encrypted disk. When you boot it, it asks for the key to access files on the disk. When you enter that key it saves it somewhere handy in RAM so you don't need to enter it again and again.
One way around that would be to not store the key, but as the article says, you'd then get a popup asking for it every time you open a file or folder, or write to a file.
I'd have thought an obvious fix for the hibernate/sleep situation would be for the encryption software to catch whatever "hibernate beginning" signal gets sent, and rapidly zap the key. You'd need to enter it again after wakeup, but that's no major hardship.
Let's say you've only ever used Hibernate once, by accident, two years ago, and you happened to have a TrueCrypt volume mounted at the time. Now, two years later, an investigator can look at that once-used hibernation file, extract your TrueCrypt password - assuming you haven't changed it since - and have unfettered access to the current disk contents in that volume.
It only takes one slip in the complete life history of an encrypted item to invalidate any protection against a determined foe. That's why crypto is worse than useless in less-than-expert hands - it's actually harmful, as it gives a completely false sense of security unless utterly faultless data hygiene is observed.
This would only work for volume based encryption surely. If you use system encryption then hiberfile would be unreadable
The problem is this has already been known for a long time and the headline amounts to nothing more than scare tactics. Truecrypt itself, when properly used, has NOT been cracked. It's utter BS.
And thermite is incredibly easy to make, none of the ingredients are on any control lists either. Once it starts burning, it isn't going out easily either...
Only goes to show, encryption delays access to information. It can never stop access due to its very nature.
But when the delay is long, perhaps encryption does have its place...and I believe it still takes many years (hundreds ) to brute force most decent encryption.
If using Truecrypts whole disk encryption then the hibernate file will be on the encrypted partition - so inaccessible until a password is entered.
If you're using whole disk encryption, then oddly enough, the whole disk is encrypted.
Of course, if you were planning to had over the password for the whole disk, and you had encrypted containers with the really secret stuff on them, then you're at risk.
Hibernate's a pain in the backside nowadays. With a few gigs of RAM hibernating takes ages and it's quicker to boot from scratch.
My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram as of Tuesday night. As far as I can tell there is no appreciable change in hibernate time from Tuesday morning, when it had three gig.
Are you using "hibernate" or "sleep"?
Laptops have a sleep mode where the computer goes into a low power mode and keeps memory in RAM.
"Hibernation" is possible on any PC: Windows writes the full system state to disc then powers down.
If your computer takes a few seconds, it's just taking a nap, not bedding down for the winter, so it keeps the power connected to RAM while cutting the processor and hard-drive.
Exactly. If you can hibernate 8 gigs or RAM in a few seconds you must have a super-fast hard drive. My 5200 rpm drive took minutes to hibernate 4 gigs.
'My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram...."
Really? On a laptop? Well my desktop with the hibernate file located to it's own physical drive away from the O/S drive has 16GB and it still takes in excess of 90 seconds to fully hibernate the system and a full power down. You sure you're not getting confused with sleep ( ultra low power mode but RAM still powered )?
I have a Corei5 Win7 Laptop with 6GB of Memory and a Samsung 256GB SSD - encrypted with whole disk encryption which does slow it down - at a guess maybe 20% performance degradation.
I ran a quick test. It takes 21 seconds to hibernate. (Yes definitely hibernate not sleep)
It resumes from hibernate in 30 seconds to the desktop with all my programs running.
That's roughly the same time the same machine takes to boot with none of my programs running.
Definitely worth it in my opinion. I always use it. Have used it with various machines for about 10 years. Never had a problem with it. It's just nice to start off where you left off, and also means the machine isn't sucking juice when you don't need it.
Maybe once every couple of months I give it a reboot simply because the up time starts to become quite ramp up significantly quickly .... probably isn't necessary but kind of a habit.
TrueCrypt umounts when powersaving puts the computer to sleep, so I'll be surprised if it doesn't detect hibernate as well - has anyone checked?
And find it in pagefile.sys (or an expired hiberfil.sys), even if they disable Hibernation and pull the cord out when alerted.
Which is why you should use full disk encryption or set your truecrypt drives to unmount themselves after some time of inactivity. When you unmount a drive Truecrypt actively erases they key from memory. Truecrypt also tries to make sure master keys don't hit the page file.
Or disable swap if you have assloads of RAM?
Previous comments have suggested that some of these products disable hibernation and others actively wipe keys prior to hibernating, so I doubt they will make the mistake of storing keys in pageable memory.
If you're encrypting all of the system partition the hibernation and page file will also be encrypted, so bollocks to getting the password from there!
Not sure how that works on non-Windows systems?
Would that really work? - it is windows that deals with "resurrection" from hibernate, and I don't think it has the option within this low-level code to put up a screen and ask you for the password? Maybe it does.
Clearly the answer is to type the key in every time you return to the computer.
I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.
Windows does deal with resuming from hibernate. It doesn't deal with the Truecrypt password though. There's a boot loader in the MBR which Truecrypt uses to prompt for the password. If the password is correct, it hands over to the boot loader on the partition (ntldr or whatever....)
>I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.
...whoever down-voted Bonkers for that has no sense of humour. G'dam, we should have requested a "Joke: missed" icon during the last commentard consultation.
Maybe a picture showing a plane flying over someone head.....
Not if the pagefile isn't on the System partition.
must get around to installing MASSIVE electro-magnets on either side of the front door.
although, yes, does mean my granny with the pacemaker won't be able to come visit anymore....
sudo killall -9 Autopilot