Last week ElcomSoft released a new $300 tool called Forensic Disk Decryptor (EFDD). The traditional attack vectors for bypassing full disk or volume encryption were and still are accessing keys stored in memory and/or in hibernate/sleep files. And this new software does nothing more than make that process point-and-click. Additionally, EFDD eases the use of those keys to view the encrypted contents.
There really isn’t anything new here besides automating key recovery from a few years ago. Now instead of actually knowing what the heck is going on, anyone with some basic training (even myself perhaps) can suck keys out of memory or hibernation/sleep files and use them to decrypt disks or volumes with the best of them.
If your organization is looking to protect against these types of attacks, make sure to use full disk or volume encryption products that prevent direct memory access and encrypt hibernate or sleep files. Also, just to play it safe … shut down your darn computer every once in a while. It not only ensures protection from these attacks (keys that were never loaded into RAM, or that were wiped at power-off, cannot be dumped) but also keeps your system running more smoothly – especially if you're on Windows. 😉
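One way to check a Windows host against the advice above is a read-only audit of the settings that decide whether volume keys sit in a hibernation file or in powered memory. The script below is an added example written for this post; it is not code from the original article, from CC's Security Journal, or from ElcomSoft. It assumes a Windows host with the BitLocker PowerShell module (Get-BitLockerVolume) and an elevated session. The HibernateEnabled registry value and the BitLocker cmdlet property names are real; the DisableExternalDMAUnderLock value name is taken from the BitLocker "disable new DMA devices when locked" policy and is treated as an assumption here, so the script reports it as "not set" rather than failing when it is absent. The seven-day uptime threshold is an arbitrary constructed value.

```powershell
# Added example (not from the original post or from ElcomSoft): a read-only
# audit of the settings that determine whether disk-encryption keys are
# recoverable from hiberfil.sys or from live RAM. Changes nothing.

function Get-KeyExposureFindings {
    [CmdletBinding()]
    param(
        # Constructed threshold: flag machines that have not been powered off recently.
        [int]$MaxUptimeDays = 7
    )
    $findings = @()

    # 1. Hibernation: hiberfil.sys is a RAM image, so with hibernation on, the
    #    volume keys of any mounted volume are written to disk. HibernateEnabled
    #    is the registry switch behind "powercfg /hibernate off".
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    if ($power -and $power.HibernateEnabled -eq 1) {
        $findings += 'Hibernation is enabled: hiberfil.sys may contain volume encryption keys.'
    }

    # 2. BitLocker state per volume. With a TPM-only protector the volume key is
    #    unsealed at boot before any user logs on, so it is already in memory at
    #    the lock screen; TPM+PIN (or a startup key) delays that until pre-boot auth.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($vol in Get-BitLockerVolume) {
            if ("$($vol.ProtectionStatus)" -ne 'On') {
                $findings += "BitLocker protection is not on for $($vol.MountPoint)."
                continue
            }
            $preBootAuth = $vol.KeyProtector | Where-Object {
                "$($_.KeyProtectorType)" -in @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')
            }
            if (-not $preBootAuth) {
                $findings += "$($vol.MountPoint) relies on a TPM-only protector; keys are in RAM before user authentication."
            }
        }
    } else {
        $findings += 'BitLocker cmdlets are not available on this host; volume state not checked.'
    }

    # 3. DMA blocking while locked. Value name assumed from the BitLocker group
    #    policy; an absent value means the policy is not configured.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve -or $null -eq $fve.DisableExternalDMAUnderLock) {
        $findings += 'DMA-under-lock policy (DisableExternalDMAUnderLock) is not set.'
    } elseif ($fve.DisableExternalDMAUnderLock -ne 1) {
        $findings += 'DMA-under-lock policy is explicitly disabled.'
    }

    # 4. Uptime: sleep keeps RAM powered and keys resident; only a real shutdown
    #    clears them. Long uptime means the machine has not been shut down.
    $os = Get-CimInstance Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    if ($uptime.TotalDays -gt $MaxUptimeDays) {
        $findings += ('Last boot was {0:N1} days ago; keys for mounted volumes have been in RAM that long.' -f $uptime.TotalDays)
    }

    return $findings
}

# Usage: print each finding, or a clean bill if none.
$results = Get-KeyExposureFindings
if ($results.Count -eq 0) {
    Write-Output 'No key-exposure findings.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

The script only reads state; remediation (disabling hibernation, adding a TPM+PIN protector, setting the DMA policy) is deliberately left to the administrator so the audit can be run on a suspect machine during an investigation without altering it.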
We found a good write-up of this tool over at CC’s Security Journal that you might be interested in. Enjoy!
via CC’s Security Journal
Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP and TrueCrypt. Elcomsoft Forensic Disk Decryptor allows decrypting data from encrypted containers or mounting encrypted volumes, providing full forensic access to protected information stored in the three most popular types of crypto containers. Access to encrypted information is provided in real-time.
ElcomSoft offers a forensically sound solution. The tool provides true zero-footprint operation, leaving no traces and making no changes to the contents of encrypted volumes.
Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:
Know any products that protect against these types of attacks? Let us know in the comments below. Today’s post pic is from Data Security and Compliance. See ya!