The Register® — Biting the hand that feeds IT


PGP, TrueCrypt-encrypted files CRACKED by £300 tool

ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data. Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods …

This topic is closed for new posts.
Silver badge

Re: that reminds me...

What about a suitcase EMP device under the stairs instead?

Anonymous Coward

Re: that reminds me...

How about the reset button?

Just make sure your BIOS is set to do a memory test as it boots and it's all gone...

Silver badge

Re: that reminds me...

If you're really interested in doing 'dodgy stuff', you put a small networked drive under the floorboards with power and powerline data fed by cables to the underfloor mains wiring; and you encrypt it. Then, when you get your door kicked in, they take your computer and thumb drives and NAS box in the corner and DVDs and spend ages analysing them. In the meantime, you lift the floorboards and deal with the small network drive.

Note: I am not a criminal, I'm a reasonably intelligent techie who can think about problems and propose 'solutions'.

Bronze badge
FAIL

Re: that reminds me...

"Note: I am not a criminal, I'm a reasonably intelligent techie who can think about problems and propose 'solutions'."

If I was a copper looking for IT kit in some premises I would find one powerline data plug and wonder where the other one was. Then I'd tear your house apart looking for it so not only would I get the drive I'd trash your house.

Silver badge
Facepalm

Re: that reminds me...

"..... In the meantime, you lift the floorboards and deal with the small network drive....." Yeah, nice idea, if only crims hadn't been hiding stuff under floorboards for centuries there is no way the coppers would think to look there! They might also get a bit suspicious when your laptop has a network drive listed which isn't amongst any collected gear.

Silver badge

Re: that reminds me...

It doesn't have to be under the floorboards; it could be incorporated into that nice electric fireplace with decorative surround. Also, you'll have other equipment with powerline data connections, as I do, such as printer, desktop computer, NAS drive.

" ...when your laptop has a network drive listed which isn't amongst any collected gear."

That is very easy to take care of. I'll leave you to figure it out for yourself.

Silver badge
FAIL

Re: Re: that reminds me...

All very inventive, but all assuming the coppers haven't a clue, and yet the prisons are full of people that thought just that (including a fair chunk of Anonyputz "not-leaders"). Believe me, anything you can think of the coppers have probably already seen in practice.

Silver badge

Re: that reminds me...

You just embed a microSD card in a floorboard, wired to some dummy nails. To access it, you place the bare ends of USB cable (stripped to the inner cables) on the heads of the nails and weigh them down.

You don't have to be a criminal to think this way- I can't think of anything more mainstream and middle-class than musing on the details of 'perfect crimes', a la Sherlock Holmes, the creations of Agatha Christie or ITV's entire drama output.

What was that decades-old story about a code hidden in Braille in the frieze encircling a room?

Bronze badge

Re: that reminds me...

"must get around to installing MASSIVE electro-magnets on either side of the front door."

Lump hammer would be cheaper.

"Lawks, it's the Peelers!"

WHAM WHAM WHAM

"Good morning officer, how may I be of assistance to you?"

Anonymous Coward

Re: that reminds me...

If you were really daft, you could just encrypt innocuous data, and tell Plod that under the Data Protection Act you are required to keep the details of third parties (your clients, for example) secure - just so you can make a snide remark about how they've been fined for failing to do the same, before giving them the key. I say daft, because police don't respond well to sarcasm.

No matter, enjoying the news story at the moment about the Personal Protection Officer making up 'evidence' against the (then) Tory chief whip.

Maybe the discussion here should be of ways of proving what was on your hard-disk at the time the police took it- so that nothing nasty is added after it leaves your house.

Silver badge
Paris Hilton

Re: that reminds me...

"Lawks, it's the Peelers!"

WHAM WHAM WHAM

"Good morning officer, how may I be of assistance to you?"

"We've had a complaint that someone's been a very bad boy. Someone whose birthday it is today..."

Tadada da daaaa

Facepalm

Re: that reminds me...

@Stevie 0 15:36

Plod: "Oh nothing much sir, we're just collecting for the Police charity fund and would like a donation. I say sir, what's that pile of smashed equipment on your living room floor? Please be careful you don't cut yourself. Have a good day sir!"

Balls! Balls! Balls! My data! Arrrrrgh!

Anonymous Coward

If you're going that overkill....

Personally, if I lived in a large block of apartments or just a densely populated area, I'd hook up a Raspberry Pi somewhere in the building connected to a Bluetooth adapter (or maybe in a nearby building). When the Five-0/mafia/horsemen of the apocalypse arrive, execute a remote shell script that disables the Bluetooth on the device and shuts the Pi down. No way to track it down then? (without serious effort) Plus, the Pi is stupidly small so is easier to secrete than a NAS but still has the functionality of a small PC.

Of course, the data would still be on the card, but I'd count on the fact that nobody would find it.

Source: I was an awesome hide and seek player.

I can't think what dodgy stuff you would really need to hide though? :P I don't even keep sensitive information on my main PC.

Re: that reminds me...

Looking around my computer corner, I can see putting a NAS box with wireless in the attic over the computer. It would be a project to carve out a hiding place in the concrete foundation. There is power in the attic and I would have a clear shot so the wireless could operate at max speed. If it were buried in the insulation, the coppers would have to be pretty diligent to find it (or know it was there). Going a bit further, my heater is up in the attic and an electrical box could be fitted to the side with a sticker that claims it's a "Zone Control" or some such for a nice bit of camouflage. I could run some wires to it, one of which would be an ethernet connection to my computer and it would look legitimate. The connector coming into my computer area would have to look like a standard installation and not some hacked in wiring that would raise flags.

I don't know if the "Man" spends much time looking at how a computer in a home is wired up or not. It would seem that they will just collect the computer gear into boxes and cart it off to their "expert" or some third party they hire to have a look at what's on the drives. All this technology stuff is baffling to them. If they don't find anything, they might just guess that offending material is on "The Cloud". If you want some cover, get a storage account with Google and encrypt a load of electricity bills to put on it.

First line of defense in this case would be to have a power switch handy. I am not too worried about getting raided as I'm not doing things that would interest the police (NSA, HLS, FBI, CIA, Interpol, NCTC, NOAA, SSA or the mall security) but I do happen to have my computer plugged into a power strip with a switch close to hand.

Re: that reminds me...

If you had any sense, you wouldn't keep the backup on your premises, encrypted or not. Standard Plod behaviour these days for all crimes from traffic tickets up is to seize everything electronic in the house, including your cell phone, and hold onto it for weeks. I'm sure in most cases they never even turn it on, they just want to cause you the maximum inconvenience. Whatever, a backup drive is no use to you if you don't have a computer to run it on. You need a full running backup computer off site in a place they don't know about.

Bronze badge

Re: that reminds me...

one powerline data plug

As said, why would they only find one? But then, why powerline? It's almost a given you already have wireless. A small storage widget connecting to your WLAN router, with remote power off so that it won't in any way announce itself when it really shouldn't. If it doesn't have rotating disks it'll have very modest power requirements, and temperature will be of little concern either, so you could stick it in just about anything that you can get a low-voltage DC power feed to, like a garden gnome with a LED-lit lantern in its hand.

Bronze badge
Coat

Press power button ...

and hold for 10 seconds or less for instant power off!

Unless you're sitting by your front door, you've got a good 30 seconds before plod get you.

But then again you can still go to jail for not handing over your pass-phrase. Hidden encrypted volume inside the encrypted drive :)

Bronze badge

Re: Press power button ...

alt-sysrq-b has the same effect as long as RAM testing is enabled in the BIOS.

alt-sysrq-o may or may not be fast enough

I've mused a couple of times about having something running which verifies nearby wifi points and/or bluetooth devices before giving access to a crypted drive.

Anonymous Coward

Here we again see the problem of opensource, it makes it easy to break into. When will he learn?

Anonymous Coward

Presumably you "opensource" your passwords then, you idiot.

Anonymous Coward

It is the PGP opensources that here we see broken. And the many others, it is not my own password as I keep mine hidden away from the computers.

Bronze badge

"Here we again see the problem of opensource, it make it easy to break into. When will he learn?"

I can't decide whether you are joking or not. I really hope you are...

Anonymous Coward

I'm guessing you are a troll. This has nothing to do with being "open source"; this is about an inherent weakness in these systems that is incredibly hard to get round without using something like a smartcard (but you still have the big issue of the smart card being a physical object to unlock your encryption).

The issue has been known about for years; there have been memory scrapers around for years that do the exact thing this product does..

Thumb Down

So, this tool is not for cracking but for sniffing

Period.

(Written by Reg staff) Bronze badge

Re: So, this tool is not for cracking but for sniffing

But once successfully sniffed, you can crack on.

C.

Holmes

Re: So, this tool is not for cracking but for sniffing

Isn't that rather like saying that once I have the key to the front door, I can pick the lock?

Bronze badge
Joke

Re: So, this tool is not for cracking but for sniffing

I would not recommend sniffing my crack.

Bronze badge
Coat

Re: So, this tool is not for cracking but for sniffing

Do you really want to sniff cracks though?

Yeah, yeah, I'm going.

Anonymous Coward

Re: So, this tool is not for cracking but for sniffing

"Isn't that rather like saying that once I have the key to the front door, I can pick the lock?"

No, it's more like once I have you open the door for me with your key, then you let me take the key, go down Timpsons and come back with a copy and I can open your door as many times as I like!

Anonymous Coward

Re: So, this tool is not for cracking but for sniffing

>sniffing my crack.

Winning.

</sheen>

FAIL

As far as I can see, the only benefit of the software is from a legal point of view. Using the software requires the volume to be mounted, which means that data on the volume could be accessed/copied away, no special software required. My guess is that in some countries (or most, IANAL) the law states that data copied from an encrypted volume can't be used as evidence, but original data can. In those cases the software would allow use of the data.

As far as I can see, no cracking of encryption actually takes place.

Anonymous Coward

"As far as I can see"

Yes, in a nutshell that's basically it.

Anonymous Coward

This was already known....

There's nothing NEW here to warrant the SCARE headline. If you weren't using full disk encryption before, you were already screwed because of small clues and the page file. People also knew a mounted encrypted system wasn't safe either. If you're a dissident with something to hide, you better hook up a motion detector to power down the system if you're away ;)

Silver badge
WTF?

My Toshiba powers off automatically ...

when the power cord is pulled - I never bothered changing the batteries - the power outlets in the office are powered by expensive in the basement UPS + a hairy great generator.

Anonymous Coward

Re: My Toshiba powers off automatically ...

"a hairy great generator"

I always like my "great" generators to be very hairy!

Bronze badge
Facepalm

decrypting a disk that is mounted

Isn't that what the encryption software would be doing anyway?

only windows?

seems that it only runs on windows. any software that does that for mac, linux?

Bronze badge

Re: only windows?

IIRC the system RAM is a device in Linux (/dev/mem). With the right access, I think it's possible to duplicate it to a file to obtain a RAM image. Bob's your uncle from there. There's also /dev/kmem which images the kernel RAM, but I'm pretty sure TrueCrypt uses FUSE, meaning it's in userspace, so it would reside in system RAM.

MacOS took /dev/mem out for security reasons. There seem to be ways around it if you really need it, though.

Bronze badge

Half the time the plod are not even clever enough to know what to take and what not to take, never mind know what to do to avoid losing encryption keys stored in memory. I know a girl whose house was raided by the police because her ex-boyfriend had been doing identity fraud from there. I went around to help her clean up, and the police had taken her computer, mobile phone, USB drive, some DVD-RWs and CD-Rs, and bank statements, as you would expect. But I noticed they had left a load of other stuff that I would have thought they should have taken, such as the hard drive PVR box under the TV, which is essentially a NAS box you could store data on if you wished. There were lots of DVDs that looked like originals because they were in cases with colour inlay cards but in fact were bought from some Asian bloke down the pub, so could have contained anything, but they didn't even check them.

Big Brother

valid use:

'ere .. scuze me PFY, come into my office fer a moment.

Why look -- it's the dear lady from HR. You appear to need a new job, good day sir.

The only case where I can think of a legitimate use for the tool is where corporate data may be in encrypted containers under an individual's control, and said individual is marched out the door. The systems involved may well be left up and running as the individual is marched out, but considering the possible issues with the dismissal, one would likely be far happier relying on the results from this tool than on either records left behind by the individual (i.e. some shared password vault entry) or the individual's statement on the way out the door. (And, yes, I've sadly seen issues of this nature happen. And had to mop up from that, and would have greatly appreciated this tool had we been dealing with encrypted containers .... think SSL certificates and Apache.)

Certainly, the case of "plod investigates" is a legitimate use, but as we can see from discussions here, it's very likely that they'll only get so far on that front with someone that might have a clue about security. The tool clearly has its limits. Sadly, idiots abound, and this tool takes advantage of that fact.

Bronze badge

Even without full disk encryption I feel safe using TrueCrypt. I guess it depends on what you're trying to hide.

If it's just a few piccies of Linda Lusardi with her jugs out I doubt anyone is going to be buying software for 300 bucks to have a free peek.

Silver badge
Meh

I always say.....

...encryption is just there to stop the guy who nicked/found your laptop on the train, taking a look at what's there before he wipes it and sticks something else on it or hands it in to the relevant parties.

If you have data that requires a greater level than that then speak to someone else or change your data policies on remote equipment.

Thumb Up

Re: I always say.....

I was halfway posting very much the same comment, but saw yours.

I had also considered giving your laptop to relatives, and forgetting to wipe the disk, and having everyone in the family have a laugh at your "media files"...

Silver badge

Needs Firewire

So another way to protect yourself would be a piece of SW which automatically detected when something was plugged into the FW (or other interface dumb enough to allow direct memory access) and wiped the key from memory.

So basically...

This is the same as you cloning a live system's RAM with tools (such as the SANS SIFT kit) then digging through it with a hex editor to find the passphrase, except you can spend $300 and only do this on Windows, with a few points and clicks...

The caveat here is that it doesn't need to be live; you just needed to hibernate at some point with your encrypted mount point mounted.

Can't we already do this with open source tools? (i.e. your Linux distribution of choice)
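The scan that the "only windows?" reply (dump /dev/mem to a file, then dig through the image) and the post above describe, as an added example that is not part of this thread and is not ElcomSoft's, TrueCrypt's or PGP's code. A mounted AES volume keeps its expanded round keys in RAM, and the FIPS-197 key schedule is so structured that a 16-byte window can be confirmed as a key by expanding it and checking that the next 160 bytes follow; this is the same key-schedule search that open-source tools such as aeskeyfind perform. Assumptions: a raw memory image (a hibernation file would first need converting to raw), an AES-128 key whose schedule the software laid out contiguously in the FIPS-197 order (TrueCrypt's default AES-256 needs the 240-byte schedule instead, which this block does not implement), and a constructed sample image in place of a real dump.

```python
"""Scan a raw memory image for AES-128 keys by matching expanded key schedules.

Added example, not code from the thread or from any vendor.  The "memory image"
is constructed inline: pseudo-random filler with one key schedule planted in it.
"""
import random


def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Compute the AES S-box (GF(2^8) inverse, then the affine map) instead of
    typing the 256-entry table in by hand."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):            # x^254 == x^-1 in GF(2^8)
                inv = gmul(inv, x)
        s = inv
        for _ in range(4):                  # s ^= rotl(inv, 1) ... rotl(inv, 4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def next_round_key(prev: bytes, rcon: int) -> bytes:
    """Derive round key i+1 from round key i (FIPS-197 key expansion, Nk=4)."""
    w = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = w[3][1:] + w[3][:1]                     # RotWord
    t = bytes(SBOX[b] for b in t)               # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]            # XOR the round constant
    out = b""
    for j in range(4):
        t = bytes(a ^ b for a, b in zip(w[j], t))
        out += t
    return out


def expand_key(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    sched, prev, rcon = bytearray(key), bytes(key), 1
    for _ in range(10):
        prev = next_round_key(prev, rcon)
        sched += prev
        rcon = gmul(rcon, 2)                    # 01,02,04,...,80,1b,36
    return bytes(sched)


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) for every 16-byte window whose following 160 bytes
    are exactly its own expanded schedule.  Zero-filled or random pages never
    match, so RAM scrubbed by a BIOS memory test leaves nothing to find."""
    hits = []
    for off in range(len(image) - 176 + 1):
        prev, rcon = image[off:off + 16], 1
        for r in range(1, 11):
            prev = next_round_key(prev, rcon)
            pos = off + 16 * r
            if image[pos:pos + 16] != prev:
                break                           # nearly every window fails at round 1
            rcon = gmul(rcon, 2)
        else:
            hits.append((off, image[off:off + 16]))
    return hits


def build_sample_image(key: bytes, plant_at: int = 2048, size: int = 8192,
                       seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM dump: deterministic pseudo-random filler
    with one expanded schedule planted where a driver would have left it."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[plant_at:plant_at + 176] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    demo_key = bytes(range(16))                 # constructed demo key, not a real one
    for off, key in find_aes128_keys(build_sample_image(demo_key)):
        print(f"AES-128 key schedule at offset {off:#x}: {key.hex()}")
```

Against a real image, read the file into `image` and call `find_aes128_keys` on it; a hit that survives all ten rounds is essentially never a false positive, which is why no passphrase or dictionary is needed. Scanning windows that start inside a planted schedule (at round key 1, say) does not produce duplicate hits, because each round key was derived with a different round constant. The Python loop is slow on multi-gigabyte dumps; the point is the structure being matched, not throughput.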

Boffin

Solution: TRESOR

http://www1.cs.fau.de/tresor

Although, it’s limited* and fiddly to use. We’re really waiting on CPU manufacturers to provide explicit on-die solutions.

For all the talk of on-site digital triage and making memory dumps, of the accounts I’ve read, the police power everything down as soon as possible. The current thinking is to preserve any disk-based evidence and prevent remote access, with encryption rarely being encountered. If the police have surveilled you enough to know they should leave your computer switched on, they probably already have enough information that they don’t need Forensic Disk Decryptor.

*There’s a version for x86 without AES-NI, but it has a speed penalty and is limited to AES128.

http://www1.cs.fau.de/filepool/projects/tresor/tresor-patch-3.6.2_i686

Silver badge
Boffin

FileVault 2 defeat ElcomSoft Tool!

pmset -a destroyfvkeyonstandby 1 hibernatemode 25

'Nuff said. Can't get a crypto key that never, ever leaves RAM, and if the MBP is in sleep mode, the RAM's powered off as well. Looks like this was a damn fine setting after all!

Anonymous Coward

Interesting

You do realise that powered off BT/wifi devices can be detected by resonant sweep right?

Essentially they absorb power in the ceramic antenna, so a nearby transceiver will be able to sense a drop in transfer efficiency which allows the hidden device to be located by triangulation.

Re: Interesting

you just put a big box of old wifi kit on top of the hiding place.

Anonymous Coward

The main and only weakness of crypto containers is human factor.

IF

The main and only weakness of crypto containers is human factor.

THEN

The main and only weakness of crypto containers is gun control.

ELSE

END
