BitLocker, PGP & TrueCrypt Forensics for Script Kiddies

Last week ElcomSoft released a new $300 tool called Forensic Disk Decryptor (EFDD). The traditional attack vectors for bypassing full disk or volume encryption were, and still are, recovering the keys from a live memory image or from the hibernation/sleep files that hold a copy of RAM taken while the encrypted volume was mounted. This new software does nothing more than make that process point-and-click. Additionally, EFDD eases the use of those keys to view the encrypted contents.

There really isn’t anything new here besides automating key-recovery techniques that have been public for years. Now, instead of actually knowing what the heck is going on, anyone with some basic training (even myself, perhaps) can suck keys out of memory or hibernation/sleep files and use them to decrypt disks or volumes with the best of them.
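To show what the “suck keys out of memory” step actually does, here is an added example (my own code, not ElcomSoft’s and not from the original post or CC’s Security Journal) of the classic key-schedule search from the 2008 cold-boot research. A mounted volume’s driver keeps not only the 16- or 32-byte AES key in RAM but the whole expanded key schedule (176 bytes for AES-128, 240 for AES-256). So the scanner treats every 16- or 32-byte window of the dump as a candidate key, expands it per FIPS-197, and reports a hit when the expansion reproduces the bytes that follow. The 4 KiB “memory image”, the planted FIPS-197 test keys and the offsets are all constructed inline for the demo; a real tool also has to decompress a hibernation file first and knows the BitLocker and TrueCrypt key layouts, neither of which is modelled here.

```python
"""Locate AES keys in a memory image by looking for expanded key schedules.

Added example, not ElcomSoft's code. The 'dump' is constructed inline from a
seeded PRNG with two FIPS-197 test keys planted as full key schedules.
"""
import random


def _gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    def rotl(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0x63] * 256          # S(0) = 0x63 by definition (0 has no inverse)
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
        sbox[a] = inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = {16: 176, 24: 208, 32: 240}   # expanded schedule size per key length


def expand_key(key):
    """FIPS-197 key expansion for a 16-, 24- or 32-byte key; returns all round keys."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    words = 4 * (nk + 7)          # 4 * (Nr + 1) words, with Nr = Nk + 6
    w = list(key)
    rcon = 0x01
    for i in range(nk, words):
        t = w[(i - 1) * 4:i * 4]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord only in AES-256
        w += [w[(i - nk) * 4 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def find_aes_keys(image, key_lengths=(16, 32)):
    """Return [(offset, key_len, key_hex)] for every expanded schedule found in image.

    A hit means the bytes right after the candidate window are exactly its own
    key schedule, which random data produces with negligible probability.
    """
    hits = []
    for key_len in key_lengths:
        sched_len = SCHEDULE_LEN[key_len]
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + key_len]
            if len(set(cand)) < 2:                  # all-same bytes: cheap reject
                continue
            if expand_key(cand) == image[off:off + sched_len]:
                hits.append((off, key_len, cand.hex()))
    return hits


def build_sample_image():
    """Constructed 4 KiB 'dump': random filler plus two planted key schedules.

    A bare, unexpanded copy of the AES-128 key is planted too, to show that the
    scanner keys on schedule structure and ignores a key that sits alone.
    """
    rng = random.Random(2012)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    k256 = bytes(range(32))                                   # FIPS-197 A.3 key
    image[512:512 + 176] = expand_key(k128)
    image[2048:2048 + 240] = expand_key(k256)
    image[3500:3500 + 16] = k128                              # bare key, no schedule
    return bytes(image), k128, k256


if __name__ == "__main__":
    img, _, _ = build_sample_image()
    for off, n, key in find_aes_keys(img):
        print(f"AES-{n * 8} key at offset {off:#06x}: {key}")
```

Run as-is it reports the AES-128 schedule at 0x200 and the AES-256 schedule at 0x800 and nothing at the bare copy, which is the whole point: you never need to know the key in advance, only that the driver left its schedule lying in RAM. Against a real multi-gigabyte dump the per-offset expansion is the hot loop, and production tools replace it with a one-round check before expanding fully.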

If your organization is looking to protect against these types of attacks, make sure to use full disk or volume encryption products that block DMA access to RAM (FireWire, Thunderbolt and other DMA-capable ports) and that encrypt the hibernation file along with the rest of the system volume, so the keys are never written to disk in the clear. Also, just to play it safe … shut down your darn computer every once in a while. Sleep leaves the keys in RAM and hibernation writes them to the hibernation file, but a full power-off clears them from memory within seconds. It not only ensures protection from these attacks but also keeps your system running more smoothly – especially if you’re on Windows. 😉

We found a good write-up of this tool over at CC’s Security Journal that you might be interested in. Enjoy!

via CC’s Security Journal

Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP and TrueCrypt. Elcomsoft Forensic Disk Decryptor allows decrypting data from encrypted containers or mounting encrypted volumes, providing full forensic access to protected information stored in the three most popular types of crypto containers. Access to encrypted information is provided in real-time.

ElcomSoft offers a forensically sound solution. The tool provides true zero-footprint operation, leaving no traces and making no changes to the contents of encrypted volumes.

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

Continued here.

#####

Know any products that protect against these types of attacks? Let us know in the comments below. Today’s post pic is from Data Security and Compliance. See ya!

7 comments for “BitLocker, PGP & TrueCrypt Forensics for Script Kiddies”

  1. December 27, 2012 at 11:02 pm

    BitLocker, PGP & TrueCrypt Forensics for Script Kiddies http://t.co/bNFStjC7

  2. December 27, 2012 at 11:09 pm

    BitLocker, PGP & TrueCrypt Forensics for Script Kiddies: Last week ElcomSoft released a new $300 tool called For… http://t.co/IOgUY8wq

  3. December 27, 2012 at 11:57 pm

    Last week ElcomSoft released a new $300 tool called Forensic Disk Decryptor (EFDD). The traditional attack vecto… http://t.co/kw43ztkS

  4. December 28, 2012 at 10:30 am

    BitLocker, PGP & TrueCrypt Forensics for Script Kiddies /read in @feedly http://t.co/RLl6lo1L #in

  5. December 31, 2012 at 2:23 pm

    #BitLocker, #PGP & #TrueCrypt #Forensics for Script Kiddies http://t.co/K1JfBArQ

  6. January 1, 2013 at 11:30 am

    BitLocker, PGP & TrueCrypt Forensics for Script Kiddies: http://t.co/pIftj2X0

  7. January 1, 2013 at 1:08 pm

    BitLocker, PGP & TrueCrypt Forensics for Script Kiddies http://t.co/Kvd2LZHL via @zite
