Friday, December 28, 2012

$299 software allows decryption of volumes with FireWire attack or the computer's hibernation or memory dump file

Software developer Elcomsoft has released a $299 software package claiming to be able to decrypt BitLocker, PGP, and TrueCrypt volumes. The software is able to obtain encryption keys from the computer's hibernation file or memory dump file and can also perform a FireWire attack if the encrypted volume is mounted.

Here's their description of how the keys are obtained:
Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.
If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.
If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. the PC is unlocked and logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition....
Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump.... Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.
Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of the encrypted container or mount the protected disk as another drive letter for real-time access.
This is nothing new; it is simply an easy, packaged way to exploit a well-known flaw. In order to properly protect your encrypted system when you're away from it, you simply cannot use sleep or hibernate mode on your computer.
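An added example, not from the post or from Elcomsoft, that audits a Windows host for the three preconditions described above (hibernation file present, FireWire controller present, encrypted volume currently mounted) and optionally removes the first two. It assumes an elevated PowerShell session and that the SBP-2 driver service is named sbp2port.

```powershell
# Added example (not from the post or Elcomsoft): reports the exposures the
# post describes and, with -Remediate, turns off hibernation and the SBP-2
# FireWire driver. Assumes an elevated session; service name sbp2port assumed.
function Audit-ColdKeyExposure {
    param([switch]$Remediate)

    $findings = @()

    # 1. Hibernation: keys of volumes mounted at hibernation time survive
    #    in hiberfil.sys on the system drive.
    $power    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    if ($power.HibernateEnabled -eq 1 -or (Test-Path $hiberfil)) {
        $findings += 'Hibernation enabled or hiberfil.sys present'
        if ($Remediate) {
            powercfg /hibernate off      # also deletes hiberfil.sys
        }
    }

    # 2. FireWire: an IEEE 1394 host controller allows the DMA memory
    #    acquisition described in the post even while the console is locked.
    $fw = Get-WmiObject Win32_1394Controller
    if ($fw) {
        $findings += "IEEE 1394 controller present: $($fw.Name -join ', ')"
        if ($Remediate) {
            # Disabling the SBP-2 driver is Microsoft's published BitLocker
            # mitigation for 1394 DMA; the service name is an assumption.
            sc.exe config sbp2port start= disabled
        }
    }

    # 3. Mounted volumes: all three attacks require the volume to be mounted,
    #    so list whether any BitLocker volume is unlocked right now.
    $bde = manage-bde -status 2>$null
    if ($bde -match 'Lock Status:\s+Unlocked') {
        $findings += 'One or more BitLocker volumes are currently unlocked'
    }

    if ($findings.Count -eq 0) { 'No exposures found' } else { $findings }
}

Audit-ColdKeyExposure
```

Run with `Audit-ColdKeyExposure -Remediate` to apply the two changes; a reboot is needed before the driver change takes effect.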

ElcomSoft, based in Moscow, "helps law enforcement, military, and intelligence agencies in criminal investigations with its wide range of computer forensics products."
