Monday, February 4, 2008

Whole Disk Encryption, for the forensic investigator

Portions of this post have been part of my presentation at the NIST Techno Forensics show.

Forensic investigators must deal with issues associated with encryption and password protection. Several companies, such as AccessData, market effective tools for dealing with password protection issues. I have witnessed demonstrations where password cracking software is able to extract user passwords (especially in a typical Windows XP environment). However, Whole Disk Encryption (WDE) is a completely new situation.

WDE is present in Windows Vista, and is also present natively in certain new kinds of hard drives. When used within Windows Vista, it is called 'BitLocker'.

Bitlocker is a collection of technologies and tools that allow users to encrypt any hard drive volume plugged into their Vista-powered computer system. It is a very powerful encryption technology, using a state-of-the-art AES variant with 48-digit passwords.

Microsoft is in the process of having it certified to FIPS 140-2, which is an extremely tough US data security / cryptographic standard. NIST maintains a very nice document which shows the current status of the effort, and I have bookmarked it here. I checked it earlier this morning, and it was last updated in late January.

Bitlocker is only available in the Enterprise and Ultimate editions of Vista. It is also in Server 2008, where Microsoft indicates it is an optional component.

Bitlocker invokes at the obvious times: for instance, at startup, or after screen savers, sleep or hibernation modes have been engaged. As a result, it provides formidable obstacles to forensic investigators. If invoked, it will stop forensic acquisition of drive contents dead in its tracks.

The reason that Bitlocker is so powerful (and nasty) is that its underlying technology uses a well established cipher (AES in CBC mode) with a new component called an Elephant diffuser. The diffuser adds some new encryption properties which are desirable in the disk encryption setting but not included in the AES-CBC cipher method. I will explain both the CBC mode and the Elephant diffuser, in turn.

CBC is particularly effective because each block of plaintext will have a different encrypted outcome. This is because each block is dependent on prior blocks. As a result, two identical blocks of plaintext fed into the encryption will have different outcomes. I found a website with a particularly nice description of this feature, here. The downside to CBC is that corruption in prior blocks will render subsequent blocks unreadable.

The Elephant diffuser is a Microsoft trick for improving what is already nearly perfect. Essentially, it operates as an inline encrypter/decrypter that functions ahead of the AES-CBC cipher. Microsoft's argument is that even if it is broken, AES-CBC remains functional for all the encryption. Another way of saying it is that two encrypters are better than one. If you'd like to read Microsoft's argument, you can do so here. Another good independent commentary on this trick can be found here.
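To make the two CBC properties above concrete, here is a small added example (my own code, not anything from Microsoft or from this post's sources). A four-round Feistel cipher built from HMAC-SHA256 stands in for AES so that the script runs with only the Python standard library; the CBC chaining and decryption logic is exactly what a real 16-byte block cipher would use. The key and IV are constructed sample values. The demo encrypts six identical plaintext blocks and shows that every ciphertext block differs, then flips one bit in ciphertext block 2 and decrypts again: block 2 comes back as garbage, block 3 comes back with exactly one bit flipped in the same position, and every other block is untouched. That predictable, localized effect of a ciphertext change is the kind of plain-CBC behaviour a diffuser placed in front of the cipher is meant to spread across the whole sector.

```python
"""CBC chaining and error propagation on a toy block cipher (added example).

A 4-round Feistel cipher built from HMAC-SHA256 stands in for AES so the
script needs only the standard library. The CBC logic is cipher-agnostic.
"""
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the same size AES uses
ROUNDS = 4


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 of (round number || half block), truncated to 8 bytes.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Feistel network: (L, R) -> (R, L ^ F(R)) for each round."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse Feistel network: undo the rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block before encryption."""
    assert len(plaintext) % BLOCK == 0  # whole blocks only, as on a disk sector
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        c = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption: decrypt the block, then XOR with the previous ciphertext block."""
    assert len(ciphertext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def demo():
    """Returns (distinct ciphertext blocks, plaintext blocks damaged by one flipped bit,
    whether the block after the damaged one differs by exactly that one bit)."""
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key, not a real one
    iv = bytes(range(BLOCK))                   # constructed sample IV
    plaintext = b"A" * (BLOCK * 6)             # six identical plaintext blocks
    ct = cbc_encrypt(key, iv, plaintext)
    assert cbc_decrypt(key, iv, ct) == plaintext
    distinct = len(set(blocks(ct)))            # chaining: identical input, 6 distinct outputs

    # Corrupt a single bit in ciphertext block 2 (e.g. a bad sector read) and decrypt.
    damaged = bytearray(ct)
    damaged[2 * BLOCK] ^= 0x01
    recovered = blocks(cbc_decrypt(key, iv, bytes(damaged)))
    original = blocks(plaintext)
    affected = [i for i, (a, b) in enumerate(zip(recovered, original)) if a != b]
    # Block 2 is garbage; block 3 differs from the original only in the flipped bit position.
    one_bit_in_next = xor(recovered[3], original[3]) == b"\x01" + b"\x00" * (BLOCK - 1)
    return distinct, affected, one_bit_in_next


if __name__ == "__main__":
    d, a, n = demo()
    print(f"distinct ciphertext blocks from 6 identical plaintext blocks: {d}")
    print(f"plaintext blocks affected by one flipped ciphertext bit: {a}")
    print(f"next block differs by exactly the flipped bit: {n}")
```

Running the script prints that all six ciphertext blocks are distinct and that only blocks 2 and 3 are affected by the corrupted bit, which is also why a damaged sector on a CBC-encrypted disk costs you the damaged block and the one after it rather than the whole volume.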

That's enough post for today. In my next post, I intend to cover Bitlocker modes of operation and options thereof.

Friday, January 25, 2008

How do forensic investigators seize and analyze a computer without turning it off?

The nightmare scenario for today's modern digital forensic investigator is the seizure of a computer with strong incriminating evidence contained on its hard drive. After seizure, but prior to investigation of the drive, the computer is turned off and removed to another location. The nightmare begins when the forensic investigator realizes that the computer was password protected and encrypted; and the perp won't provide the password (or the perp is nowhere to be found!).

Think it can't happen? It just did. Read this from a recent newspaper account:

"FEDS WANT PASSWORD TO UNLOCK COMPUTER FILES".

WASHINGTON -- The federal government is asking a US District Court in Vermont to order a man to type a password that would unlock files on his computer, despite his claim that doing so would constitute self-incrimination.

The case, believed to be the first of its kind to reach this level, raises a uniquely digital-age question about how to balance privacy and civil liberties against the government's responsibility to protect the public.

The case, which involves suspected possession of child pornography, comes as more Americans turn to encryption to protect the privacy and security of files on their personal computers and thumb drives.

FBI and Justice Department officials, meanwhile, have said that encryption is allowing terrorists and criminals to communicate their plots covertly.

The original article may be found on the Washington Post's website, in its entirety, here.

The use of WiebeTech's 'HOTPLUG' device (along with our companion product, 'Mouse Jiggler') allows forensic criminal investigators to stabilize a computer, prevent it from going to sleep, examine it, and if necessary, relocate it to a secure location without ever powering the computer down. This is real technology, it works, and it's available now.

Go ahead and look at the links. You'll see technical information on how to use Hotplug and Mouse Jiggler, along with a couple of nifty YouTube videos that demonstrate Hotplug in action.

Tuesday, November 27, 2007

Digital Photography Hard Drive Backup #1

** Details have been changed in order to protect friends and customers! **

A few evenings back, I was twiddling away in my home office when the phone rang. It was an old friend; I hadn't heard anything from him in a while. He had a friend who was a professional photographer.

It turns out the friend of a friend had recently completed some customer sessions (with obviously irreplaceable photos) and was editing them on an external enclosure. When he turned to take his laptop computer to another room, he forgot it was attached to the enclosure. The enclosure slid across the table, and quicker than you can say "uncontained disaster", the hard drive hit the floor.

Thereafter, it made funny clicking sounds. If it were a living creature, you could almost imagine blood flowing out of it as it made moans of death!

A couple of days later, we sent the damaged drive to Drivesavers. They have a thriving little business (actually, it's not so little) helping folks recover from these disasters.

Now the bad news: they had no good news, and there is no happy ending to this story. They pulled it apart and discovered that the drive was irreparably damaged, and the irreplaceable photos were gone forever.

The moral of the story: ALWAYS make a backup of your data.

Tuesday, November 13, 2007

6 Things You Thought You Knew About Erasing a Hard Drive.

Justin wrote a fine white paper on the topic of what's on hard drives. If you haven't read the paper, you should.
