Commercial tool nabs BitLocker, Truecrypt passwords

Powered by SC Magazine
 

Uses existing FireWire attack.

A Russian forensics outfit has launched a tool to pluck passwords used in Microsoft BitLocker, Symantec PGP whole disk encryption and TrueCrypt.

Decryption keys were extracted from the software when encrypted volumes were mounted, including when the Windows machines were powered off.

The FireWire attacks the tool used evolved thanks to security research efforts first detailed as far back as 2004 (pdf). 

 

It allowed attackers to dump a machine's memory via Direct Memory Access, a specification of FireWire that taps into system memory.

Russian forensics outfit ElcomSoft built the attacks into its commercial tool, essentially simplifying the process.

Chief executive Vladimir Katalov said in a blog FireWire drivers must be disabled to safeguard against the attacks.

"It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password," Katalov said.

"... keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory [and] can be retrieved near instantly."

"In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack."

He said the "unique feature" of the toll was that it could "mount encrypted disks as a drive letter using any and all forensic tools to quickly access the data".

It used freely-available tools to mount the attacks.

Copyright © SC Magazine, Australia


Commercial tool nabs BitLocker, Truecrypt passwords
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1783

Vote
Do you support the abolition of the Office of the Information Commissioner?