Hibernation, is it really such a boon?
ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data. Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods …
If anyone has ever read the Truecrypt site and forums they would already know 2 things.
Hibernation and encryption don't work securely together. and,
Disk encryption doesn't protect an open encrypted volume.
Only a system that is designed to clear the encryption key out of memory at hibernation and ask for it again when waking up is secure to go to sleep. Other then that, turn it off. I need to to experiment with SSDs using full disk encryption to see what the performance is like for full shutdowns and startups. Oh, and if you ever use a SSD on for an encrypted disk and want to change your key, move all your data off and do a factory wipe on it.
Precisely. And PGPDisk goes as far as to disable hibernation by default. And clears the key from memory when no longer needed. And has a timeout after which it dismounts the disk (as does TrueCrypt).
Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you. Not to mention that it is much simpler to install a keylogger (even a hardware one) than to sniff the computer's memory.
This whole thing sounds like a lot of self-serving hype from the part of ElcomSoft.
"Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you."
Exactly. The point is that you're tainting the evidence. I presume the way this is meant to be used is that you read the key from memory and save it somewhere such as a USB stick, then you power off the computer, make a forensic copy of the discs, and decrypt the copy with the key you have availed yourself of.
Of course, you need prior intelligence or a keen instinct to know that encryption might be in use, as the standard forensic procedure is to walk up to the computer (take video, pics, notes, etc.) and pull the cord from the back of the machine (not the power outlet), or remove the battery in the case of a laptop or similar portable device. If you only discover that the target uses encryption by the time you have cloned the disks you'll be banging your head against the desk for a bit and eventually resort to some hopefully legalised form of rubber hose cryptanalysis.
The option to do Whole-Disk Encryption in TrueCrypt will encrypt the hibernation file as well. You are required to enter your decryption key upon start-up/resume, where it then decrypts the boot volume (with the hibernation file) and then continues to boot as normal. So even Hibernation with whole-disk encryption is safe for TrueCrypt installs.
First, one never caches passwords.
Second, one ALWAYS unmounts encrypted devices before entering hibernation.
Third, one sets up a high explosive charge on the device in hibernation, as the BOFH and I agreed was a proper security practice.
And DO look up BOFH, if you don't know what that is before you spill idiocy in the false form of grief over the last bit of humour.
I was investigating a discrepancy between [used+free space] and [total space] of roughly 8GB (his RAM size) as displayed by Explorer on my mate's Win7 computer the other day... first Google result suggested a hibernation file could be responsible. It was. He has never used hibernation, so is this file just reserve the space for OS feature, or does it actually contain RAM contents?
No biggie, just curious.
[Edit: Ryan's comment below would suggest that it contains RAM contents]
What happens is that, when hibernation is enabled, a file called HIBERFIL.SYS is allocated in the boot root directory. It's as big as your RAM allocation and is created to ensure the necessary space for hibernation is ready at hand. Once you hibernate once, the file will contain the RAM contents at the point of that hibernation. I would think HIBERFIL.SYS at any given point will thus contain the RAM contents of the last hibernation.
> you'd have to have made someone enter the password in the first place?
Which is exactly what the article says. You have your nice secure laptop using an encrypted disk. When you boot it, it asks for the key to access files on the disk. When you enter that key it saves it somewhere handy in RAM so you don't need to enter it again and again.
One way around that would be to not store the key, but as the article says, you'd then get a popup asking for it every time you open a file or folder, or write to a file.
I'd have thought an obvious fix for the hibernate/sleep situation would be for the encryption software to catch whatever "hibernate beginning" signal gets sent, and rapidly zap the key. You'd need to enter it again after wakeup, but that's no major hardship.
Let's say you've only ever used Hibernate once, by accident, two years ago, and you happened to have a TrueCrypt volume mounted at the time. Now, two years later, an investigator can look at that once-used hibernation file, extract your TrueCrypt password - assuming you haven't changed it since - and have unfettered access to the current disk contents in that volume.
It only takes one slip in the complete life history of an encrypted item to invalidate any protection against a determined foe. That's why crypto is worse than useless in less-than-expert hands - it's actually harmful, as it gives a completely false sense of security unless utterly faultless data hygiene is observed.
If you're using whole disk encryption, then oddly enough, the whole disk is encrypted.
Of course, if you were planning to had over the password for the whole disk, and you had encrypted containers with the really secret stuff on them, then you're at risk.
Hibernate's a pain in the backside nowadays. With a few gigs of RAM hibernating takes ages and it's quicker to boot from scratch.
Are you using "hibernate" or "sleep"?
Laptops have a sleep mode where the computer goes into a low power mode and keeps memory in RAM.
"Hibernation" is possible on any PC: Windows writes the full system state to disc then powers down.
If your computer takes a few seconds, it's just taking a nap, not bedding down for the winter, so it keeps the power connected to RAM while cutting the processor and hard-drive.
'My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram...."
Really? On a laptop? Well my desktop with the hibernate file located to it's own physical drive away from the O/S drive has 16GB and it still takes in excess of 90 seconds to fully hibernate the system and a full power down. You sure you're not getting confused with sleep ( ultra low power mode but RAM still powered )?
I have a Corei5 Win7 Laptop with 6GB of Memory and a Samsung 256GB SSD - encrypted with whole disk encryption which does slow it down - at a guess maybe 20% performance degradation.
I ran a quick test. It takes 21 seconds to hibernate. (Yes definitely hibernate not sleep)
It resumes from hibernate in 30 seconds to the desktop with all my programs running.
That's roughly the same time the same machine takes to boot with none of my programs running.
Definitely worth it in my opinion. I always use it. Have used it with various machines for about 10 years. Never had a problem with it. It's just nice to start off where you left off, and also means the machine isn't sucking juice when you don't need it.
Maybe once every couple of months I give it a reboot simply because the up time starts to become quite ramp up significantly quickly .... probably isn't necessary but kind of a habit.
Which is why you should use full disk encryption or set your truecrypt drives to unmount themselves after some time of inactivity. When you unmount a drive Truecrypt actively erases they key from memory. Truecrypt also tries to make sure master keys don't hit the page file.
Would that really work? - it is windows that deals with "resurrection" from hibernate, and I don't think it has the option within this low-level code to put up a screen and ask you for the password? Maybe it does.
Clearly the answer is to type the key in every time you return to the computer.
I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.
Windows does deal with resuming from hibernate. It doesn't deal with the Truecrypt password though. There's a boot loader in the MBR which Truecrypt uses to prompt for the password. If the password is correct, it hands over to the boot loader on the partition (ntldr or whatever....)
If you're really interested in doing 'dodgy stuff', you put a small networked drive under the floorboards with power and powerline data fed by cables to the underfloor mains wiring; and you encrypt it. Then, when you get your door kicked in, they take your computer and thumb drives and NAS box in the corner and DVDs and spend ages analysing them. In the meantime, you lift the floorboards and deal with the small network drive.
Note: I am not a criminal, I'm a reasonably intelligent techie who can think about problems and propose 'solutions'.
"Note: I am not a criminal, I'm a reasonably intelligent techie who can think about problems and propose 'solutions'."
If I was a copper looking for IT kit in some premises I would find one powerline data plug and wonder where the other one was. Then I'd tear your house apart looking for it so not only would I get the drive I'd trash your house.
one powerline data plug
As said, why would they only find one? But then, why powerline? It's almost a given you already have wireless. A small storage widget connecting to your WLAN router, with remote power off so that it won't in any way announce itself when it really shouldn't. If it doesn't have rotating disks it'll have very modest power requirements, and temperature will be of little concern either, so you could stick it in just about anything that you can get a low-voltage DC power feed to, like a garden gnome with a LED-lit lantern in its hand.
"..... In the meantime, you lift the floorboards and deal with the small network drive....." Yeah, nice idea, if only crims hadn't been hiding stuff under floorboards for centuries there is no way the coppers would think to look there! They might also get a bit suspicious when your laptop has a network drive listed which isn't amongst any collected gear.
It doesn't have to be under the floorboards; it could be incorporated into that nice electric fireplace with decorative surround. Also, you'll have other equipment with powerline data connections, as I do, such as printer, desktop computer, NAS drive.
" ...when your laptop has a network drive listed which isn't amongst any collected gear."
That is very easy to take care of. I'll leave you to figure it out for yourself.
All very inventive, but all assuming the coppers haven't a clue, and yet the prisons are full of people that thought just that (including a fait chunk of Anonyputz "not-leaders"). Believe me, anything you can think of the coppers have probably already seen in practice.
You just embed a microSD card in a floorboard, wired to some dummy nails. To access it, you place the bare ends of USB cable (stripped to the inner cables) on the heads of the nails and weigh them down.
You don't have to be a criminal to think this way- I can't think of anything more mainstream and middle-class than musing on the details of 'perfect crimes', a la Sherlock Holmes, the creations of Agatha Christie or ITV's entire drama output.
What was that decades-old story about a code hidden in Braille in the frieze encircling a room?
If you were really daft, you could just encrypt innocuous data, and tell Plod that under the data protection act you are required keep the details of third parties (your clients, for example) secure- just so you can make a snide remark about how they've been fined for failing to do the same, before giving them the key. I say daft, because police don't respond well to sarcasm.
No matter, enjoying the news story at the moment about the Personal Protection Officer making up 'evidence' against the (then) Tory chief whip.
Maybe the discussion here should be of ways of proving what was on your hard-disk at the time the police took it- so that nothing nasty is added after it leaves your house.
Personally, If i lived in a large block of apartments or just a densely populated area, I'd hook up a raspberry pi somewhere in the building connected to a bluetooth adapter (or maybe in a nearby building). When the Five-0/mafia/horseman of the apocalypse arrive, execute a remote shell script that disables the bluetooth on the device and shuts the pi down. No way to track it down then? (without serious effort) Plus, the pi is stupidly small so is easier to secrete than a NAS but still has the functionality of a small PC.
Of course, the data would still be on the card, but i'd count on the fact that nobody would find it.
Source: I was an awesome hide and seek player.
I can't think what dodgy stuff you would really need to hide though? :P I don't even keep sensitive information on my main PC.
Looking around my computer corner, I can see putting a NAS box with wireless in the attic over the computer. It would be a project to carve out a hiding place in the concrete foundation. There is power in the attic and I would have a clear shot so the wireless could operate at max speed. If it were buried in the insulation, the coppers would have to be pretty diligent to find it (or know it was there). Going a bit further, my heater is up in the attic and an electrical box could be fitted to the side with a sticker that claims it's a "Zone Control" or some such for a nice bit of camouflage. I could run some wires to it, one of which would be an ethernet connection to my computer and it would look legitimate. The connector coming into my computer area would have to look like a standard installation and not some hacked in wiring that would raise flags.
I don't know if the "Man" spends much time looking at how a computer in a home is wired up or not. It would seem that they will just collect the computer gear into boxes and cart it off to their "expert" or some third party they hire to have a look at what's on the drives. All this technology stuff is baffling to them. If they don't find anything, they might just guess that offending material is on "The Cloud". If you want some cover, get a storage account with Google and encrypt a load of electricity bills to put on it.
First line of defense in this case would be to have a power switch handy. I am not too worried about getting raided as I'm not doing things that would interest the police (NSA, HLS, FBI, CIA, Interpol, NCTC, NOAA, SSA or the mall security) but I do happen to have my computer plugged into a power strip with a switch close to hand.
If you had any sense, you wouldn't keep the backup on your premises, encrypted or not. Standard Plod behaviour these days for all crimes from traffic tickets up is to seize everything electronic in the house, including your cell phone, and hold onto it for weeks. I'm sure in most cases they never even turn it on, they just want to cause you the maximum inconvenience. Whatever, a backup drive is no use to you if you don't have a computer to run it on. You need a full running backup computer off site in a place they don't know about.
@Stevie 0 15:36
Plod: "Oh nothng much sir, we're just collecting for the Police charity fund and would like a donation. I say sir, what's that pile of smashed equipment on your living room floor? Please be careful you don't cut yourself. Have a good day sir!"
Balls! Balls! Balls! My data! Arrrrrgh!
and hold for 10 seconds or less for instant power off!
Unless your sitting by your front door, you've got good 30 seconds before plod get you.
But then again you can still go to jail for not handing over your pass-phrase. Hidden encrypted volume inside the encrypted drive :)
alt-sysrq-b has the same effect as long as ram testing is enabled in bios.
alt-sysrq-o may or may not be fast enough
I've mused a cople of times about having something running which verifies nearby wifi points and/or bluetooth devices before giving access to a crypted drive.
I'm guessing you are a troll, this has nothing about being "open source" this is about an inherent weakness in these systems that is increadibly hard to get round. Without using something like a smartcard (but you still have the big issue of the smart card being a physical object to unlock your encryption)
The issue has been known about for years, there has been memory scrapers around for years that do the exact thing this product does..
"Isn't that rather like saying that once I have the key to the front door, I can pick the lock?"
No, it's more like once I have you open the door for me with your key, then you let me take the key, go down Timpsons and come back with a copy and I can open your door as many times as I like!
As far as I can see, the only benefit of the software is from legal point of view. Using the software requires the volume to be mounted, which means that data on the volume could be accessed/copied away, no special software required. My guess is, that in some countries (or most, IANAL) law states, that data copied from encrypted volume can't be used as a evidence, but original data can. In those cases the software would allow using of the data.
As far as I can see, no cracking of encryption actually takes place.
There's nothing NEW here to warrant the SCARE headline. If you weren't using full disk encryption before, you were already screwed because of small clues and the page file. People also knew a mounted encrypted system wasn't safe either. If you're a dissident with something to hide, you better hook up a motion detector to power down the system if you're away ;)
IIRC the system RAM is a device in Linux (/dev/mem). With the right access, I think it's possible to duplicate it to a file to obtain a RAM image. Bob's your uncle from there. There's also /dev/kmem which images the kernel RAM, but I'm pretty sure TrueCrypt uses FUSE, meaning it's in userspace, so it would reside in system RAM.
MacOS took /dev/mem out for security reasons. There seem to be ways around it if you really need it, though.
Half the time the plod are not even clever enough to know what to take and what not to take never mind know about what to do to avoid loosing encryption keys stored in memory. I know a girl whos house was raided by the police because her ex boyfriend had been doing identify fraud from there. I went around to help her clean up and the police had taken her the computer, mobile phone, usb drive, some DVD/RW and CDRs, bank statements as you would expect. But i noticed they had left a load of other stuff that i would have thought they should have taken, such as the hard drive PVR box under the TV which is essential a NAS box so you could store data on if you wished, there were lots of DVD that looked like originals because they were in cases with colour inlay cards but infact were bought from some Asian bloke down the pub so could have contained anything but they didn't even check them.
'ere .. scuze me PFY, come into my office fer a moment.
Why look -- its the dear lady from HR. You appear to need a new job, good day sir.
The only case where I can think of a legitimate use for the tool is in cases where corporate data may be in encrypted containers under an individual's control, and said individual is marched out the door. The systems involved may well be left up and running as the individual is marched out, but considering the possible issues with the dismissal, one would likely be far happier relying on the results from this tool than on either records left behind by the individual (i.e some shared password vault entry) or the individual's statement on the way out the door. (And, yes, I've sadly seen issues of this nature happen. And had to mop up from that, and would have had greatly appreciated this tool had we been dealing with encrypted containers .... think SSL certificates and apache)
Certainly, the case of "plod investigates" is a legitimate use but as we can see from discussions here, its very likely that they'll only get so far on that front with someone that might have a clue about security. The tool clearly has its limits. Sadly, idiots abound, and this tool takes advantage of that fact.
...encryption is just there to stop the guy who nicked/found your laptop on the train, taking a look at what's there before he wipes it and sticks something else on it or hands it in to the relevant parties.
If you have data that requires a greater level than that then speak to someone else or change your data policies on remote equipment.
This is the same as you cloning a live system's RAM with tools (such as the SANS Sift Kit) than digging through it with a HEX editor to find the passphrase, except you can spend 300$ and only do this on Windows, with a few points and clicks...
The caveat here is that it doesn't need to be live, you just needed to hibernate at some point with your Encrypted Mount Point, mounted.
Can't we already do this with opensource tools? (IE Your Linux Distribution of choice)
Although, it’s limited* and fiddly to use. We’re really waiting on CPU manufacturers to provide explicit on-die solutions.
For all the talk of on-site digital triage and making memory dumps, of the accounts I’ve read, the police power everything down as soon as possible. The current thinking is to preserve any disk-based evidence and prevent remote access, with encryption rarely being encountered. If the police have surveilled you enough to know they should leave your computer switched on, they probably already have enough information that they don’t need Forensic Disk Decryptor.
*There’s a version for x86 without AES-NI, but it has a speed penalty and is limited to AES128.
If I may suggest a more sensible approach to this problem. Save all your sensitive data using old computer equipment to "vintage" media including an IBM RAMAC, 5¼" floppies (hard-sectored preferably), Syquest drives, Sony MD-DATA, Philips audio cassette, VHS video cassette, punched paper tape and the like.
Most of today's up-and-coming fresh-faced young forensic investigators don't even recognise half of these as computer media, let alone have any knowledge about how to read them, even if they have the fully operational machine right in front of them with a copy of any passwords that may have been used.
True it takes me 3 hours to access a pic from a set of microcassettes on my Epson HX-20 p0rn collection (also vintage of course). Can be frustrating at times. But whatever.
You can defeat this and any future vulns by having an encrypted operating system inside a encrypted partition, then within that create an encrypted partition, and then within that create what Trucrypt call a hidden encrypted partition. Use 4 different passphrases.
But if the russian mafia or the cia special interrogation unit want you to give up your passphrases with a hot iron and some pliers, or a wet towel, then even if you are andy mcnabb you will eventually be handing them over.
So when the truecrypt drive is mounted you can get the password - and do what? Mount the drive???
It's dismounted when you power off, if you suspend & restore it's re-mounted.
There could be an issue that the m/c suspends itself one with it mounted & that file then contains the key but in theory if that data is there you can restore and voila the volume is mounted again.
Next thing you'll tell me is my car might get nicked because the steering lock is disabled when I'm driving.
Remote server in a outbuilding running a very hardened linux, full disk encryption, encrypted throw away key swap, no suspend and a daemon that detects a usb lead being unplugged for a device concreted into the floor that shuts the server down immediately.
Tell them to bring a jackhammer, some of those hot wire splicey thingies and lots of expertise with custom boot images. Then and only then can they have my full collection of 80's chiptunes, ascii porn and amiga demos :)
"Simon Steggles, director of forensics at data recovery biz Disklabs, said ElcomSoft's utility merely automates a process for retrieving decryption keys that is already used by computer forensics teams, if not the wider IT community.
"In forensics, we have known about this for years. It only works when the computer is switched on. Once it is powered down, the RAM memory is gone and you lose that key," Steggles explained.
"Coincidentally, I looked at the Truecrypt website yesterday and noted that it said on the site that it does on-the-fly encrypting and decrypting, which means that the key must be in the RAM.""
Err, why the comment from someone who's so unfamiliar with Truecrypt that he had to look at the website to find out it does on the-fly encrypting? And refers to random access memory as random access memory memory!
"Director of forensics" huh?
Biting the hand that feeds IT © 1998–2019