watching you watching us . .

Full Disk Encryption – Breaking Hard Disk Encryption

Good article and more importantly a great discussion in the comments! the article is centered around on the topic of Hard Disk Encyption after a less significant announcement of a “new..” ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt.

“If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.”

“most (if not all) encryption software hashes your password immediately, yielding a hex based result which is still easily searched by looking for strings.”

“You are not missing anything. Its a non issue for most. Just don’t use sleep.”

“OpenBSD’s malloc fills junk bytes into allocated and freed chunks via the J option. By default OpenBSD encrypts the swap (where hybernation state is kept), and has done so for many years.”

“DMA is just one such way of manipulating the memory beneath the CPU level there is also the Memory Managment Unit and the I/O mechanisms that rule the roost via the interupt mechanisms that run at what you might consider Ring -1. And these are what you might consider the upper layers of this gulf of insecurity. There are other tricks such as the actual CPU microcode or equivalent in all the other state machines.”

“Breaking Hard-Disk Encryption”
Bruce Schneier, 27 December 2012 – last access 24 January 2013 – ( Article )



Comments are closed.