Comments on: ElcomSoft Decrypts BitLocker, PGP and TrueCrypt Containers

By: timbier

timbier — Thu, 25 Apr 2013 10:28:24 +0000

The guidelines you provided indoors are unbearably positive. It absolutely was such an amazing impromptu to discern that waiting with respect to me directly i woke bubbly this unbelievably day.
http://skidrow-crack.net/archives/334

By: Paul

Paul — Mon, 04 Mar 2013 17:23:24 +0000

This really is quite some claim, and I cant believe this company has the cheek to imply that it can offer something new. The techniques here have been known and used by the forensics community for years. While it is no doubt useful in terms of saving time by automating the process, to imply (as the title on this page clearly does) that it decrypts Truecrypt is entirely inaccurate and they know this. It is simply able to locate the key in memory if the system isn’t powered down. The documentation for Truecrypt clearly states that you should turn of any paging or hibernation, and if this is followed the only way to get the key is if the encrypted volume is mounted, through accessing the RAM.

By: Ella

Ella — Thu, 24 Jan 2013 02:36:25 +0000

Interesting article! I scanned through something remarkably similar in a science blog post. Seriously worth checking out my web page - my website

By: furiousangel

furiousangel — Fri, 04 Jan 2013 16:36:29 +0000

All,

the hybernation file on whole disk encryption is not encrypted it rest in memory and people have been able to acess it for some time thorough a firewire hack for some time. this file rest in the main memory. Give me physical access to your computer and even with it off but still pluged in and i will be able to bypass bitlocker. I like the fact that someone automated the process. with the ability to mount the logical portion of the drive, you will have all the access needed.

By: iNsuRRecTiON

iNsuRRecTiON — Sat, 29 Dec 2012 23:52:18 +0000

Hi there,

how can efdd access and read the hibernation file on whole disk encryption software such as truecrypt, if the hibernation file itself is encrypted on the disk?

If the computer is turned off, everything including the hibernation file is encrypted on the hdd.

@Mark, I don’t know whether the encryption/decryption key is stored in the computer main memory or only in the TPM.

If it is only in the TPM it should not be recoverable.

regards,

iNsuRRecTiON

By: Q

Fri, 21 Dec 2012 15:41:39 +0000

In systems like http://www.datadiode.eu and https://wuala.com/freemovequantumexchange storage is physically separated from the encryption/decryption so this attack is not possible on these systems.

By: Mark

Mark — Thu, 20 Dec 2012 16:34:28 +0000

What about a TPM with Bitlocker? I don’t see anything in the documentation of the product about that, and it wasn’t covered in your post.

By: Gabriel Yoran (Steganos)

Gabriel Yoran (Steganos) — Thu, 20 Dec 2012 14:36:16 +0000

Hello, this is Gabriel Yoran from privacy software maker Steganos.

The attack described here is in part possible due to a typical vulnerability of whole disk encryption tools. What appears to be maximum security – everything is encrypted all the time – actually is the opposite: Everything is accessible all the time (at least as long as the disk is decrypted, and obviously even in standby mode).

At Steganos, we do not offer whole disk encryption, but volume encryption, for example in our Steganos Safe or Steganos Privacy Suite products. The technology used there works in a totally different way:

1st: As Vladimir points out, “[i]t’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.”

Therefore, the user of Steganos Safe or Privacy Suite only opens and closes the encrypted volume (the “Safe”) when they need it. There is no need to keep it open all the time. In whole disk encryption products (the ones being attacked like PGP WDE),

2nd: When the computer goes into standby (or sleep/hibernation) the Safe is automatically closed. Therefore there is no way to access its contents.

It should also be said that, if an attacker does gain access to the user’s computer to run such an attack while an encrypted volume is open, the attacker could simply steal the user’s data, since at this point in time, user data is simply not encrypted.

Learnings: Whole disk encryption can be a risk, since unencrypted data is available to the user – and an attacker – all the time. Software which does not close encrypted volumes before hibernation is a problem, too (Steganos Safe and Steganos Privacy Suite are not affected by this issue).

We will post more information on this issue on our blog at http://blog.steganos.com

Gabriel Yoran
Steganos Software GmbH