23 December 2012
Comments on Elcomsoft Forensic Disk Decryptor
24 December 2012. A2 sends:
It should work if you have acccess to the computer with the fresh RAM containing
the master keys. Check this paper, and also some source code that they made
Date: Sat, 22 Dec 2012 19:38:54 -0800
Subject: CRYPTOME: Elcomsoft Forensic Disk Decryptor
This tool is aimed at Microsoft Windows OS based computers that are seized
in an "on" state. It can not be used on a found USB thumb drive with encrypted
PGP files on it, for example:
Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order
to access protected information stored in crypto containers. The encryption
keys can be derived from hibernation files or memory dump files acquired
while the encrypted volume was mounted. There are three ways available to
acquire the original encryption keys:
By analyzing the hibernation file (if the PC being analyzed is turned off);
By analyzing a memory dump file *
By performing a FireWire attack ** (PC being analyzed must be running with
encrypted volumes mounted).
* A memory dump of a running PC can be acquired with one of the readily available
forensic tools such as MoonSols Windows Memory Toolkit
** A free tool launched on investigators PC is required to perform
the FireWire attack (e.g. Inception)
The 'Inception' firewire memory dump tool required PCIe hardware interface:
A FireWire/Thunderbolt/ExpressCard/PC Card interface at both machines. If
you dont have a native FireWire port, you can buy an adapter to hotplug
one. The tool works over anything that expands the PCIe bus.
Lifeguard advises using GPG (not Symantec PGP) and Linux for best security.
Subject: Re: Elcomsoft $300 decryption tool.
From: Ian Batten <igb[at]batten.eu.org>
Date: Sun, 23 Dec 2012 11:01:49 +0000
To: UK Cryptography Policy Discussion Group
On 21 Dec 2012, at 18:02, Ben Laurie <ben[at]links.org> wrote:
On Fri, Dec 21, 2012 at 9:48 AM, Brian L Johnson
"This $299 tool is reportedly capable of decrypting BitLocker, PGP,
TrueCrypt disks in real-time"
Somewhat misleadingly labeled product - it is actually a key stealing tool.
And one which makes you ponder if they're still worrying about having to
rewind VHS tapes before returning them to the video rental store. People
who want to scare the money from the pockets of the gullible with talk of
key-stealing attacks immediately invoke the fact that Firewire ports can
do DMA all over memory. Firewire ports. On Windows. In 2012. What proportion
of machines does that cover? And as for practical purposes no-one is using
it, how hard would it be to either disable in the BIOS or fill with Araldite?
[[ Apple, quietly, have addressed this issue with the "destroyfvkeyonstandby"
option to pmset --- combined with standby and hibernatemode 3 or 25, you
use standbydelay to say "on closing the lid, go to sleep, but after standbydelay
seconds turn off the RAM and destroy the Filevault keys". ]]