Monday, February 4, 2008

Whole Disk Encryption, for the forensic investigator

Portions of this post have been part of my presentation at the NIST Techno Forensics show.

Forensic investigators must deal with issues associated with encryption and password protection. Several companies, such as AccessData, market effective tools for dealing with password protection issues. I have witnessed demonstrations where password cracking software is able to extract user passwords (especially in a typical Windows XP environment). However, Whole Disk Encryption (WDE) is a completely new situation.

WDE is present in Windows Vista, and is also present natively in certain new kinds of hard drives. When used within Windows Vista, it is called 'BitLocker'.

Bitlocker is a collection of technologies and tools that allow users to encrypt any hard drive volume plugged into their Vista-powered computer system. It is very powerful encrypting technology, using a state of the art AES encrypting variant with 48 digit passwords.

Microsoft is in the process of having it certified to FIPS140-2, which is an extremely tough US data security / cryptographic standard. NIST maintains a very nice document which shows the current status of the effort, and I have bookmarked it here. I checked it earlier this morning, and it was last updated in late January.

Bitlocker is only available in the Enterprise and Ultimate editions of Vista. It is also in Server 2008, where Microsoft indicates it is an optional component.

Bitlocker invokes at the obvious times: for instance, at startup, or after screen savers, sleep or hibernation modes have been engaged. As a result, it provides formidable obstacles to forensic investigators. If invoked, it will stop forensic acquisition of drive contents dead in its tracks.

The reason that Bitlocker is so powerful (and nasty) is that its underlying technology uses a well established cipher (AES in CBC mode) with a new component called an Elephant diffuser. The diffuser adds some new encryption properties which are desirable in the disk encryption setting but not included in the AES-CBC cipher method. I will explain both the CBC mode and the Elephant diffuser, in turn.

CBC is particularly effective because each block of plaintext will have a different encrypted outcome. This is because each block is dependent on prior blocks. As a result, two identical blocks of plaintext into the encryption will have different outcomes. I found a website with a particularly nice description of this feature, here. The downside to CBC is that corruption in prior blocks will render consequent blocks unreadable.

The Elephant diffuser is a Microsoft trick for improving what is already nearly perfect. Essentially, it operates as an inline encrypter/decrypter that functions ahead of the AES-CBC cipher. Microsoft's argument is that even if it is broken, AES-CBC remains functional for all the encryption. Another way of saying it is that two encrypters are better than one. If you'd like to read Microsoft's argument, you can do so here. Another good independent commentary on this trick can be found here.

That's enough post for today. In my next post, I intend to cover Bitlocker modes of operation and options thereof.

No comments: