Thursday, 20 December 2012

Popular disk encryption systems cracked

If you want your laptop's data to remain secure, even when stolen, one excellent solution is to encrypt the hard disk's partitions or even the whole disk.

Popular options include Microsoft's BitLocker, Symantec's PGP Whole Disk Encryption and the open source TrueCrypt software.

Elcomsoft has just announced that all of these encryption systems can be cracked by its new product, Elcomsoft Forensic Disk Decryptor.

Elcomsoft Forensic Disk Decryptor
That news sounds frightening for those who use the above products to secure their data.

For those who work in digital forensics, however, the arrival of this tool will be welcome.

Until now, data protected by these products was essentially unrecoverable without a suspect's cooperation.

It is important to note that the decrypting software will only be able to access the data under the following conditions:

  1. The target PC is running and...
  2. ...the attacker/investigator is able to obtain a memory dump.

Actually, there is an exception. If the computer was powered off, but had been put into hibernation mode while the encrypted disks/partitions were mounted, the investigator can also recover the necessary encryption keys.

Elcomsoft's blog post reminds us that it is possible to take a memory dump via a Firewire port.

There is a brute-forcing option available via the company's distributed processor cracking system (think SETI@home for password breaking).

If you use these encryption tools, the safe option is either to shut down your computer completely when leaving it unattended, or to unmount encrypted volumes before putting the computer into hibernation mode.
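As an added example (not from the original post or from Elcomsoft), the read-only PowerShell audit below checks a Windows host for the three exposure conditions discussed above: hibernation enabled or a hiberfil.sys present, a Firewire controller, and BitLocker volumes currently unlocked. It assumes Windows 8 / Server 2012 or later for the BitLocker cmdlets and that the `HibernateEnabled` registry value reflects the power configuration.

```powershell
# Added audit script (not from the original post): reports whether this host is exposed
# to the memory-dump / hibernation-file key recovery described above. Read-only.
function Get-DiskEncryptionExposure {
    $findings = @()

    # 1. Hibernation: a hiberfil.sys written while volumes were mounted holds the keys.
    $hibKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibEnabled = (Get-ItemProperty -Path $hibKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $hibFile = Join-Path $env:SystemDrive 'hiberfil.sys'
    $hibFilePresent = [System.IO.File]::Exists($hibFile)   # File.Exists sees hidden system files
    if ($hibEnabled -eq 1 -or $hibFilePresent) {
        $findings += [pscustomobject]@{
            Check  = 'Hibernation'; Status = 'Exposed'
            Detail = "HibernateEnabled=$hibEnabled; $hibFile present=$hibFilePresent"
            Fix    = 'Run "powercfg /hibernate off", or unmount encrypted volumes before hibernating'
        }
    }

    # 2. Firewire (IEEE 1394): the port the post names as a route to a live memory dump.
    $fw = Get-CimInstance -ClassName Win32_1394Controller -ErrorAction SilentlyContinue
    if ($fw) {
        $findings += [pscustomobject]@{
            Check  = 'Firewire'; Status = 'Exposed'
            Detail = ($fw.Name -join '; ')
            Fix    = 'Disable the 1394 controller in Device Manager if it is not needed'
        }
    }

    # 3. Unlocked BitLocker volumes: their keys sit in RAM for as long as they are mounted.
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.LockStatus -eq 'Unlocked' }
    foreach ($v in $vols) {
        # The OS volume cannot be locked while Windows runs; only a full shutdown clears its key.
        if ($v.MountPoint -eq $env:SystemDrive) { $fix = 'Shut down completely when unattended' }
        else { $fix = "Lock-BitLocker -MountPoint $($v.MountPoint) -ForceDismount before hibernating" }
        $findings += [pscustomobject]@{
            Check  = 'BitLocker'; Status = 'Unlocked'
            Detail = "$($v.MountPoint) is unlocked"
            Fix    = $fix
        }
    }
    return $findings
}

Get-DiskEncryptionExposure | Format-Table -AutoSize -Wrap
```

An empty result means none of the three conditions was detected; the script only reports and never changes power or BitLocker settings itself.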