Many people have contacted my team and I over the last few days about the recent announcement by ElcomSoft, that they offer a tool to decrypt Bitlocker, PGP and Truecrypt volumes.
This $299 tool is advertised as getting you access to this encrypted data quickly and easily…
Now, this may sound exciting, but as they say, there’s always a catch – you need a memory dump from the machine from when it was authenticated to use this tool – yes, no recovery if you find a cold machine. You have to get access to it while it’s on and the user has logged in, then, after they switch it off, you can recover the data..
Following on from my post “10 Things You Don’t Want To Know About Bitlocker”, “TPM Undressed” and “Firewire Attacks Revisited” it recently came to my attention that Passware, Inc. A feisty California company has released a version of their forensic software which will decrypt Bitlocker and TrueCrypt protected hard disks via the classic Firewire vulnerabilities.
A full write-up can be found on the Passware site, but simply, given a machine that’s running, but has encrypted drives (for example one using Bitlocker in TPM-only mode, or a machine which is suspended, not hibernated). As to how to do it, well they have implemented the exploit in a very neat and usable way:
Following my recent post on FireWire Attacks, I thought I’d follow up on that other classic Full Disk Encryption exploit, The “Cold Boot Attack”.
Back in February 2008 a group of clever Princeton students published their infamous paper “Lest We Remember: Cold Boot Attacks on Encryption Keys“. Though the retention of data in RAM chips has been known since their invention, and certainly since at least 1978, The “Princeton Paper” reminded us that when you turn a computer off, it does not mean all the data from memory is instantly gone, and of course, if something important remained, like an encryption key, then your computer security might be vulnerable. Read more…