Feeds

PGP, TrueCrypt-encrypted files CRACKED by £300 tool

Plod at the door? Better yank out that power cable

Remote control for virtualized desktops

ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data.

Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods and forensic specialists. PGP and TrueCrypt set the industry standard for whole-disk or partition encryption.

Normally, the unencrypted content of these data containers is impossible to retrieve without knowing the original passphrase used to encrypt the volume. Vladimir Katalov, chief exec of ElcomSoft, said encryption technology, in the right conditions, can be circumvented thanks to human laziness:

The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data.

No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory.

Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool.

ElcomSoft's gear can extract these decryption keys from a copy of the computer's memory, typically captured using a forensic tool or acquired over Firewire. Once it has the key, the protected data can be unlocked.

If the computer is powered off, the analyser can retrieve the keys from a hibernation file on the disk, in which the operating system saves the state of the machine including its main memory, if present and accessible.

“Algorithms allow us to analyse dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures," Katalov explains.

Encrypted drives must be mounted at the time a memory dump is taken or else the process will fail to work. For this and other reasons, considerable skill and some luck is needed to use the tool properly. Simply tearing the power cable out, thus allowing the RAM to obliterate its contents, if the cops come knocking, or encrypting the hibernation file, can defeat the software.

"Our customers asked us for a tool like this for a long, long time," said Katalov. "We’re finally releasing a product that’s able to access encrypted volumes produced by all three popular crypto containers."

Simon Steggles, director of forensics at data recovery biz Disklabs, said ElcomSoft's utility merely automates a process for retrieving decryption keys that is already used by computer forensics teams, if not the wider IT community.

"In forensics, we have known about this for years. It only works when the computer is switched on. Once it is powered down, the RAM memory is gone and you lose that key," Steggles explained.

"Coincidentally, I looked at the Truecrypt website yesterday and noted that it said on the site that it does on-the-fly encrypting and decrypting, which means that the key must be in the RAM."

The Forensic Disk Decryptor costs £299. ®

Internet Security Threat Report 2014

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.