back to article PGP, TrueCrypt-encrypted files CRACKED by £300 tool

ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data. Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods …

COMMENTS

This topic is closed for new posts.

Page:

  1. Mine's a pint
    Pint

    Hibernation?

    Hibernation, is it really such a boon?

    1. pixl97

      Re: Hibernation?

      If anyone has ever read the Truecrypt site and forums they would already know 2 things.

      Hibernation and encryption don't work securely together. and,

      Disk encryption doesn't protect an open encrypted volume.

      Only a system that is designed to clear the encryption key out of memory at hibernation and ask for it again when waking up is secure to go to sleep. Other then that, turn it off. I need to to experiment with SSDs using full disk encryption to see what the performance is like for full shutdowns and startups. Oh, and if you ever use a SSD on for an encrypted disk and want to change your key, move all your data off and do a factory wipe on it.

      1. Dr. Vesselin Bontchev
        Boffin

        Re: Hibernation?

        Precisely. And PGPDisk goes as far as to disable hibernation by default. And clears the key from memory when no longer needed. And has a timeout after which it dismounts the disk (as does TrueCrypt).

        Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you. Not to mention that it is much simpler to install a keylogger (even a hardware one) than to sniff the computer's memory.

        This whole thing sounds like a lot of self-serving hype from the part of ElcomSoft.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hibernation?

          "Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you."

          Exactly. The point is that you're tainting the evidence. I presume the way this is meant to be used is that you read the key from memory and save it somewhere such as a USB stick, then you power off the computer, make a forensic copy of the discs, and decrypt the copy with the key you have availed yourself of.

          Of course, you need prior intelligence or a keen instinct to know that encryption might be in use, as the standard forensic procedure is to walk up to the computer (take video, pics, notes, etc.) and pull the cord from the back of the machine (not the power outlet), or remove the battery in the case of a laptop or similar portable device. If you only discover that the target uses encryption by the time you have cloned the disks you'll be banging your head against the desk for a bit and eventually resort to some hopefully legalised form of rubber hose cryptanalysis.

          1. Ammaross Danan
            Boffin

            Re: Hibernation?

            The option to do Whole-Disk Encryption in TrueCrypt will encrypt the hibernation file as well. You are required to enter your decryption key upon start-up/resume, where it then decrypts the boot volume (with the hibernation file) and then continues to boot as normal. So even Hibernation with whole-disk encryption is safe for TrueCrypt installs.

        2. Wzrd1

          Re: Hibernation?

          That sounds precisely the issue.

          Self serving nonsense from a vendor trying to sell a product by precisely ignoring every precaution and probably disabling security features to induce the intended behaviour.

        3. Jaybus

          Re: Hibernation?

          Certainly it is hype. As always, no computer system can be protected from a skilled attacker when he is given physical access to a runing machine. Shall we also call the theft of a laptop a denial of service attack?.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hibernation?

        I've seen encrypted swap with hibernation work on Ubuntu.

      3. Wzrd1

        Re: Hibernation?

        Absolute silliness.

        First, one never caches passwords.

        Second, one ALWAYS unmounts encrypted devices before entering hibernation.

        Third, one sets up a high explosive charge on the device in hibernation, as the BOFH and I agreed was a proper security practice.

        And DO look up BOFH, if you don't know what that is before you spill idiocy in the false form of grief over the last bit of humour.

    2. The Man Who Fell To Earth Silver badge
      Boffin

      Re: Hibernation?

      One has to wonder if fragmenting the key in memory a different way every time, and perhaps changing how periodically, would thwart this scheme...

  2. cyke1

    300+$ for such a limited tool?

    Only thing a smart person has to do is make it to the computer and pull the power cord, and most ppl now days don't use hibernate so that route is kinda useless.

    1. FartingHippo
      Stop

      most ppl now days don't use hibernate

      What do you base that on?

      Anecdotally, I'd say a hell of a lot of people still use hibernate, certainly enough to make this a big deal.

    2. frank ly Silver badge

      Re: 300+$ for such a limited tool?

      I use Hibernate all the time on my Windows laptop and have done for many years. It gives a quick and simple 'back to life' experience, compared to a full Start.

    3. Captain Hogwash

      Re: pull the power cord

      On a laptop? With some juice still in the battery?

      1. Dave 126 Silver badge

        Re: pull the power cord

        I was investigating a discrepancy between [used+free space] and [total space] of roughly 8GB (his RAM size) as displayed by Explorer on my mate's Win7 computer the other day... first Google result suggested a hibernation file could be responsible. It was. He has never used hibernation, so is this file just reserve the space for OS feature, or does it actually contain RAM contents?

        No biggie, just curious.

        [Edit: Ryan's comment below would suggest that it contains RAM contents]

        1. The Indomitable Gall

          Hibernation files

          I believe that once you activate the possibility of hibernation, a file is automatically created to reserve that space. It would be a bit of a bugger if you were in a rush to leave and hit "hibernate", only to have Windows start up the "disk cleanup wizard" for you....

          1. Anonymous Coward
            Anonymous Coward

            Re: Hibernation files

            It would be a real bugger if you didn't have hibernation activated and then Windows activated and required a reboot. I could just see Clippy asking if you need help with a reboot for activating hibernation.

        2. Charles 9 Silver badge

          Re: pull the power cord

          What happens is that, when hibernation is enabled, a file called HIBERFIL.SYS is allocated in the boot root directory. It's as big as your RAM allocation and is created to ensure the necessary space for hibernation is ready at hand. Once you hibernate once, the file will contain the RAM contents at the point of that hibernation. I would think HIBERFIL.SYS at any given point will thus contain the RAM contents of the last hibernation.

    4. DJ Smiley
      Devil

      Re: 300+$ for such a limited tool?

      The funny part is when the police cut the power prior to entering to confuse and disorinate anyone inside.

      1. Joe User
        Headmaster

        Re: 300+$ for such a limited tool?

        On a side note: it's £299, not $299. £1 = $1.62 U.S., so that would make it $484.

        1. N2 Silver badge

          Re: 300+$ for such a limited tool?

          Hmm, when I check its 299 Euros in France, currently the spot rate is around 1.23 so at around 1.21 on my CC it would cost £247.11

          I wonder if those clever chaps at Elcomsoft cant do currency conversions on the fly?

  3. probedb

    Useful at all?

    How is this of any use to anyone? I'm probably being brain dead but being as it gets the key from memory so you'd have to have made someone enter the password in the first place?

    Hibernate is a non-issue as you just don't use it.

    1. Christoph Silver badge

      Re: Useful at all?

      The idea is that the target is already using their computer when plod charge into the house and hope they can get to the computer before the user gets to the power switch.

      1. DJ Smiley
        Facepalm

        Re: Useful at all?

        Anyone needing to protect their data that badly...

        1. Doesn't host it locally

        2. has self destruct mechanisms for wiping the data in an emergency. (Yes, i believe one hosting company attempted to design a system which used thermite for this purpose).

        1. Cipher
          Linux

          Re: Useful at all?

          And thermite is incredibly easy to make, none of the ingredients are on any control lists either. Once it starts burning, it isn't going out easily either...

      2. Anonymous Coward
        Anonymous Coward

        Re: Useful at all?

        The problem is this has already been known for a long time and the headline amounts to nothing more than scare tactics. Truecrypt itself, when properly used, has NOT been cracked. It's utter BS.

    2. Phil O'Sophical Silver badge

      Re: Useful at all?

      > you'd have to have made someone enter the password in the first place?

      Which is exactly what the article says. You have your nice secure laptop using an encrypted disk. When you boot it, it asks for the key to access files on the disk. When you enter that key it saves it somewhere handy in RAM so you don't need to enter it again and again.

      One way around that would be to not store the key, but as the article says, you'd then get a popup asking for it every time you open a file or folder, or write to a file.

      I'd have thought an obvious fix for the hibernate/sleep situation would be for the encryption software to catch whatever "hibernate beginning" signal gets sent, and rapidly zap the key. You'd need to enter it again after wakeup, but that's no major hardship.

    3. Jon Green
      Facepalm

      Re: "Hibernate is a non-issue as you just don't use it."

      Let's say you've only ever used Hibernate once, by accident, two years ago, and you happened to have a TrueCrypt volume mounted at the time. Now, two years later, an investigator can look at that once-used hibernation file, extract your TrueCrypt password - assuming you haven't changed it since - and have unfettered access to the current disk contents in that volume.

      It only takes one slip in the complete life history of an encrypted item to invalidate any protection against a determined foe. That's why crypto is worse than useless in less-than-expert hands - it's actually harmful, as it gives a completely false sense of security unless utterly faultless data hygiene is observed.

      1. Adam 1 Silver badge

        Re: "Hibernate is a non-issue as you just don't use it."

        This would only work for volume based encryption surely. If you use system encryption then hiberfile would be unreadable

  4. NoneSuch
    Go

    Only goes to show, encryption delays access to information. It can never stop access due to its very nature.

    1. James Hughes 1

      Indeed

      But when the delay is long, perhaps encryption does have its place...and I believe it still takes many years (hundreds ) to brute force most decent encryption.

  5. Anonymous Coward
    Anonymous Coward

    If using Truecrypts whole disk encryption then the hibernate file will be on the encrypted partition - so inaccessible until a password is entered.

    1. pPPPP

      This ^

      If you're using whole disk encryption, then oddly enough, the whole disk is encrypted.

      Of course, if you were planning to had over the password for the whole disk, and you had encrypted containers with the really secret stuff on them, then you're at risk.

      Hibernate's a pain in the backside nowadays. With a few gigs of RAM hibernating takes ages and it's quicker to boot from scratch.

      1. Stevie Silver badge

        Not True.

        My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram as of Tuesday night. As far as I can tell there is no appreciable change in hibernate time from Tuesday morning, when it had three gig.

        1. The Indomitable Gall

          Re: Not True.

          Are you using "hibernate" or "sleep"?

          Laptops have a sleep mode where the computer goes into a low power mode and keeps memory in RAM.

          "Hibernation" is possible on any PC: Windows writes the full system state to disc then powers down.

          If your computer takes a few seconds, it's just taking a nap, not bedding down for the winter, so it keeps the power connected to RAM while cutting the processor and hard-drive.

          1. pPPPP

            Re: Not True.

            Exactly. If you can hibernate 8 gigs or RAM in a few seconds you must have a super-fast hard drive. My 5200 rpm drive took minutes to hibernate 4 gigs.

        2. Anonymous Coward
          Anonymous Coward

          Re: Not True.

          'My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram...."

          Really? On a laptop? Well my desktop with the hibernate file located to it's own physical drive away from the O/S drive has 16GB and it still takes in excess of 90 seconds to fully hibernate the system and a full power down. You sure you're not getting confused with sleep ( ultra low power mode but RAM still powered )?

          1. Anonymous Coward
            Anonymous Coward

            Re: Not True.

            I have a Corei5 Win7 Laptop with 6GB of Memory and a Samsung 256GB SSD - encrypted with whole disk encryption which does slow it down - at a guess maybe 20% performance degradation.

            I ran a quick test. It takes 21 seconds to hibernate. (Yes definitely hibernate not sleep)

            It resumes from hibernate in 30 seconds to the desktop with all my programs running.

            That's roughly the same time the same machine takes to boot with none of my programs running.

            Definitely worth it in my opinion. I always use it. Have used it with various machines for about 10 years. Never had a problem with it. It's just nice to start off where you left off, and also means the machine isn't sucking juice when you don't need it.

            Maybe once every couple of months I give it a reboot simply because the up time starts to become quite ramp up significantly quickly .... probably isn't necessary but kind of a habit.

          2. Anonymous Coward
            Anonymous Coward

            Re: Not True.

            TrueCrypt umounts when powersaving puts the computer to sleep, so I'll be surprised if it doesn't detect hibernate as well - has anyone checked?

  6. Ryan 7
    Boffin

    You might get lucky,

    And find it in pagefile.sys (or an expired hiberfil.sys), even if they disable Hibernation and pull the cord out when alerted.

    1. pixl97

      Re: You might get lucky,

      Which is why you should use full disk encryption or set your truecrypt drives to unmount themselves after some time of inactivity. When you unmount a drive Truecrypt actively erases they key from memory. Truecrypt also tries to make sure master keys don't hit the page file.

      http://www.truecrypt.org/docs/unencrypted-data-in-ram

      1. Anonymous Coward
        Anonymous Coward

        Re: You might get lucky,

        Or disable swap if you have assloads of RAM?

    2. Ken Hagan Gold badge

      Re: You might get lucky,

      Previous comments have suggested that some of these products disable hibernation and others actively wipe keys prior to hibernating, so I doubt they will make the mistake of storing keys in pageable memory.

  7. Anonymous Coward
    Anonymous Coward

    As Mr ChriZ said

    If you're encrypting all of the system partition the hibernation and page file will also be encrypted, so bollocks to getting the password from there!

    Not sure how that works on non-Windows systems?

    1. bonkers
      Happy

      Re: As Mr ChriZ said

      Would that really work? - it is windows that deals with "resurrection" from hibernate, and I don't think it has the option within this low-level code to put up a screen and ask you for the password? Maybe it does.

      Clearly the answer is to type the key in every time you return to the computer.

      I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.

      1. pPPPP

        Re: As Mr ChriZ said

        Windows does deal with resuming from hibernate. It doesn't deal with the Truecrypt password though. There's a boot loader in the MBR which Truecrypt uses to prompt for the password. If the password is correct, it hands over to the boot loader on the partition (ntldr or whatever....)

      2. Dave 126 Silver badge

        Re: As Mr ChriZ said

        >I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.

        ...whoever down-voted Bonkers for that has no sense of humour. G'dam, we should have requested a "Joke: missed" icon during the last commentard consultation.

        1. theblackhand

          Re: As Mr ChriZ said

          Maybe a picture showing a plane flying over someone head.....

    2. doveman
      FAIL

      Re: As Mr ChriZ said

      Not if the pagefile isn't on the System partition.

  8. jai

    that reminds me...

    must get around to installing MASSIVE electro-magnets on either side of the front door.

    although, yes, does mean my granny with the pacemaker won't be able to come visit anymore....

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019