En Crypt Ing Technologies For The Forensic Investigator

In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. Hardware based encryption is encoded at the system level, e.g. BitLocker (Microsoft); software based encryption is encoded within a storage media device.

Uploaded by Soul Park
Copyright: © Attribution Non-Commercial (BY-NC)

Encrypting Technologies for the Forensic Investigator

Presented at Techno Security
Presented by James Wiebe, VP R&D CRU-WiebeTech

james@wiebetech.com
www.CRU-DataPort.com
www.wiebetech.com
CRU-WiebeTech
What are we learning today?
PART 1 – BACKGROUND on Encryption, or what the bad guys know (and you should know, too!)

• What is it?
• Who uses it?
• Where is it found?
– Bitlocker (Vista)
– Whole Disk Encryption
– Hardware based Encryption
– Software based Encryption
• How does it work?
What are we learning today?
PART 2 – DEFEATING Encryption

• A clue to defeating encryption
• Surprise seizure
• Key Recovery
• Password Attack via memory
• Keystroke Logging
Encryption – what is it?
• In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).
-- from Wikipedia
Encryption – who uses it?
• Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now used in protecting information within many kinds of civilian systems, such as computers, storage devices (e.g. USB flash drives), networks (e.g. the Internet e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. Encryption is also used in digital rights management to prevent unauthorized use or reproduction of copyrighted material and in software also to protect against reverse engineering (see also copy protection).
-- from Wikipedia
Encryption – where is it found?
Encryption is commonly utilized in the following four areas:

1. Hardware based encryption, encoded at the system level, e.g. BITLOCKER (Microsoft).
2. Hardware based encryption, encoded within a storage media device, e.g. WHOLE DISK ENCRYPTION (Seagate; Hitachi).
3. Hardware based encryption, encoded within a storage enclosure, but not at the media level (CRU-Dataport and others).
4. Software based encryption, with varying degrees of OS integration and file support (PGP and others).
Bitlocker
• Because BitLocker requires its key at startup, and again after screen savers, sleep or ‘hibernation’ modes have been engaged, it will effectively stop the forensic acquisition of hard drive data. If the investigator has not taken precautions in advance, and if the user has appropriately set up and invoked their encryption, it’s most likely hopeless.
Bitlocker within Vista
• Forensic investigators must deal with issues associated with encryption and password protection. Bitlocker is present in several types of Windows Vista. Bitlocker has several variations within Vista.
Bitlocker technology
• Vista features BitLocker. BitLocker is a collection of technologies and tools that allows users to encrypt any hard drive volume plugged into their Vista-powered computer system. Vista utilizes a powerful AES variant. (Microsoft is in the process of having BitLocker certified as being FIPS 140-2 compliant, an extremely tough US data security / cryptographic standard.)
Bitlocker Backdoor?
A: From the Microsoft System Integrity Team BLOG:

Two weeks ago BBC News published an article speculating about a possible “back door” in BitLocker (http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm). The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data.

Over my dead body.

Well, maybe not literally---I’m not ready to be a martyr quite yet---but certainly not in any product I work on. And I’m not alone in that sentiment. The official line from high up is that we do not create back doors. And in the unlikely situation that we are forced to by law we’ll either announce it publicly or withdraw the entire feature. Back doors are simply not acceptable. Besides, they wouldn’t find anybody on this team willing to implement and test the back door.

We are of course talking to various governments; we want them to buy Vista and use BitLocker for their own security. We get the typical questions you always get: ease of use, performance, security, etc. We also get questions from law enforcement organizations. They foresee that they will want to read BitLocker-encrypted data, and they want to be prepared. Like any security technology BitLocker has its avenues of attack and law enforcement should know about them. For example, if they search a house and find a computer, they should also take all USB thumb drives, as these might contain a BitLocker key. This information is not secret; our users need to have the same information when they make the security vs. convenience tradeoff of choosing a key-protection option (TPM only, USB key, TPM + USB key, etc.) We plan on having a KB article with the details when Vista ships.

- Niels Ferguson (developer & cryptographer)

Published Thursday, March 02, 2006 5:10 PM


Whole Disk Encryption – from Seagate; Hitachi
• Strong, transparent, hardware-based data protection to prevent unauthorized access to data on lost or stolen systems

• Key Features and Benefits
– Full disk encryption, all the time—every time
– Convenient and easy to use—minimal configuration is required.
– Investment protection—stolen or out-of-service drives can be repurposed and remain fully protected.
– Instant encryption performance matches the throughput of the drive interface.
– Supports trusted platform modules (TPM)

• Key Specifications
– AES encryption
– 5400-RPM performance
– 2.5-inch form factor
– SATA 1.5Gb/s with Native Command Queuing
– 8-MB cache

• Momentus® 5400 FDE.2
• Best-in-class security for data at rest
Seagate’s comments on WDE
Applications
• Laptop PCs
• Tablet PCs
• Ultra-light laptops
• Performance laptops

Seagate Secure™ technology exploits drive’s closed environment
• Transparent AES 128-bit hardware-based encryption
• Pre-boot authentication required
• CryptoErase provides fast, thorough erasing
• Hashed passwords maintained on the drive
• Emergency password recovery file kept on a separate device
Encrypting Storage Enclosures
• In this case, an encryption engine is placed between the host computer and the hard drive, most likely in the bridge device which resides inside the storage enclosure. This enclosure may be external (looks exactly like a desktop drive) or internal (looks like a removable tray system).
Software based Encryption
• I Googled “Software based encryption”, and I received 26,100 hits.
• Where to start? Nearly impossible to say! PGP, Symantec, McAfee, thousands more.
Encryption Software, Cont’d, from the WWW:
• “CipherWizard provides a fast, easy, affordable way to encrypt your data”
• “Manage USB devices & encrypt sensitive files on USB drives”
• “The most secure and cost effective disk encryption solution available.”
• “Unbeatable Data Encryption Software Buy DriveCrypt Online Now!”
• “Flexible, Robust Award Winning Software Encryption. Free SDK!”
• “Automatic Data Encryption With No User Involvement. See Free Demo!”
• “Protect Your Reputation With The Industry's Most Complete Solution.”
Encryption – How does it work?
• A common misunderstanding of encryption is that the presentation of the encrypting key provides ‘permission’ for the encrypting hardware to pass data from the storage media to the user. In other words, encryption acts as a key-based gatekeeper to data. This is a broken and useless analogy! The usefulness of encryption is that the user’s key is, in fact, a vital part of the encrypting and decrypting algorithm. In the absence of the key, the algorithm is mathematically incapable of operating, and will only produce chaotic binary noise.
Encryption – How does it work?
• Wrong Explanation: Plain Text is ‘hiding’ behind a pass key. In fact, there is no plain text anywhere in the encrypted file.
Encryption – How does it work, cont’d.
• Better Explanation:
• Plain Text in: JamesWiebe
• Key is: +1
• Encrypted out: KbnftXjfcf
• EXCEPT!!! The key affects every bit, and there are 128 of them (or 256, or 1K…) and the math is somewhat complicated
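The “+1” example in code, as an added illustration that is not part of the deck: the key is an operand of the algorithm rather than a gate in front of the data, a wrong key runs fine but yields only gibberish, and because this toy cipher has just 26 keys an investigator can try every one and stop when recognisable text appears. Function names and the 128-bit comparison are my own.

```python
# Added example, not from the slides: the "+1" shift cipher from the
# "Better Explanation" slide, and why a 26-key keyspace is no protection.
import string

ALPHABET = string.ascii_lowercase  # 26 letters -> only 26 possible keys


def shift_char(ch: str, key: int) -> str:
    """Shift one ASCII letter by `key` positions, wrapping; anything else passes through."""
    if ch.isascii() and ch.isalpha():
        base = ALPHABET.index(ch.lower())
        shifted = ALPHABET[(base + key) % 26]
        return shifted.upper() if ch.isupper() else shifted
    return ch


def encrypt(plaintext: str, key: int) -> str:
    """The key is an operand of the algorithm, not a gate in front of the data."""
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    """Decrypting with the wrong key runs fine but yields only gibberish."""
    return encrypt(ciphertext, -key)


def try_all_keys(ciphertext: str, crib: str):
    """Exhaustive key search: try every key and stop when `crib`, a word we
    expect in the plaintext, shows up. Returns (key, plaintext) or None."""
    for key in range(26):
        candidate = decrypt(ciphertext, key)
        if crib in candidate:
            return key, candidate
    return None


def keyspace_ratio(key_bits: int) -> int:
    """How many times more keys a key_bits-bit cipher has than this one."""
    return 2 ** key_bits // 26


if __name__ == "__main__":
    ct = encrypt("JamesWiebe", 1)
    print(ct)                          # KbnftXjfcf, as on the slide
    print(decrypt(ct, 5))              # wrong key: FwiaoSeaxa, no plaintext "hiding" inside
    print(try_all_keys(ct, "Wiebe"))   # (1, 'JamesWiebe') after two tries
    print(keyspace_ratio(128))         # ~1.3e37: why "keep trying keys" fails at 128 bits
```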
Encryption – How does it work, cont’d.
• This helps us understand how we can ‘attack’ an encrypted file – keep trying keys until plain text pops up.

• Ah, but what about the dreaded massively distributed cracking brute force method for attacking something like 128 bit RC5 encryption? There are massive zombie farms of infected computers throughout the world and some may have gotten as big as 1 million infected computers. What if that entire army was unleashed upon the commonly used 128 bit RC5 encryption? Surprisingly, the answer is not much. For the sake of argument, let’s say we unleash 4.3 billion computers for the purpose of distributed cracking. This means that it would be 4.3 billion or 2 to the 32 times faster than a single computer. This means we could simply take 2 to the 128 combinations for 128-bit encryption and divide it by 2 to the 32 which means that 2 to the 96 bits are left. With 96 bits left, it’s still 4.3 billion times stronger than 64 bit encryption. 64 bit encryption happens to be the world record for the biggest RC5 bit key cracked in 2002 which took nearly 5 years to achieve for a massive distributed attack.
Encryption – How does it work, cont’d.
• Now that we know that the distributed attacks will only shave off a few bits, what about Moore’s law which historically meant that computers roughly doubled in speed every 18 months? That means in 48 years we can shave another 32 bits off the encryption armor which means 5 trillion future computers might get lucky in 5 years to find the key for RC5 128-bit encryption. But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack. To give you an idea how big 256 bits is, it’s roughly equal to the number of atoms in the universe!
• Once some of these basic facts on encryption become clear, "is encryption crackable" isn’t the right question because the real question is "when can it be cracked and will it matter then". This is just like Bank safes which are rated by the time it takes an attacker to crack it open and never sold as "uncrackable". Encryption strength and the number of bits used are selected based on how many decades the data needs to be kept safe. For a secure E-Commerce transaction, the data being transmitted is moot after a few decades which is why 128-bit encryption is perfectly suitable since it’s considered unbreakable for the next few decades. For top secret classified data that needs to remain secret for the next 100 years, the Government uses NIST certified 256-bit AES encryption. So the next time someone tells you that encryption is crackable, ask him if he’ll be around on this earth to see it demonstrated. -- GEORGE OU, ZDNET
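The keyspace arithmetic of the two passages above, carried through as an added example that is not from the deck or from ZDNet. The constants are the passage’s own figures (2^32 machines, speed doubling every 18 months, the 64-bit RC5 record of about 5 years); the function names are mine, and “remaining bits” is simply the base-2 logarithm of the work left.

```python
# Added example, not from the slides or ZDNet: the keyspace arithmetic of
# the passage above, using its own figures (2^32 machines, 18-month doubling,
# the 64-bit RC5 record of roughly 5 years).
MOORE_DOUBLING_YEARS = 1.5     # "computers roughly doubled in speed every 18 months"
RC5_64_RECORD_YEARS = 5        # 64-bit RC5 key cracked in 2002 after nearly 5 years
RC5_64_RECORD_BITS = 64


def log2_exact(n: int) -> int:
    """Exponent b with n == 2**b; rejects anything that is not a power of two."""
    if n <= 0 or n & (n - 1):
        raise ValueError("machine count must be a power of two for this bit arithmetic")
    return n.bit_length() - 1


def bits_left(key_bits: int, machines: int) -> int:
    """Key bits still to be searched once the work is split across `machines` computers."""
    return key_bits - log2_exact(machines)


def moore_bits(years: float) -> int:
    """Key bits 'shaved off' by hardware that doubles in speed every 18 months for `years`."""
    return int(years // MOORE_DOUBLING_YEARS)


def years_to_shave(bits: int) -> float:
    """Years of such growth needed before `bits` more key bits are effectively gone."""
    return bits * MOORE_DOUBLING_YEARS


def strength_ratio(bits_a: int, bits_b: int) -> int:
    """How many times larger a bits_a keyspace is than a bits_b keyspace."""
    return 2 ** (bits_a - bits_b)


def expected_years(key_bits: int, machines: int = 1, years_ahead: float = 0) -> float:
    """Scale the 64-bit RC5 record to a longer key, more machines and future hardware."""
    remaining = bits_left(key_bits, machines) - moore_bits(years_ahead)
    return RC5_64_RECORD_YEARS * 2 ** (remaining - RC5_64_RECORD_BITS)


if __name__ == "__main__":
    print(bits_left(128, 2 ** 32))            # 96: a 4.3-billion-machine botnet removes only 32 bits
    print(strength_ratio(96, 64))             # 4294967296: still 4.3 billion times the 64-bit job
    print(moore_bits(48))                     # 32: Moore's law shaves another 32 bits in 48 years
    print(expected_years(128, 2 ** 32, 48))   # 5: so the 128-bit RC5 search then takes about 5 years
    print(years_to_shave(256 - 128))          # 192.0: AES-256 moves that date out another 192 years
```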
Encryption – a clue to defeat
• Standards and cryptographic software and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption.
-- from Wikipedia
Defeating Encryption
• There are several ways to defeat encryption. They can be categorized into four main groups:

- Intelligence Gathering (not discussed today)
- Surprise Seizure via Hotplug
- Key Recovery (includes suspect cooperation)
- Password Attack
Defeating Encryption using Surprise Seizure
• Prevent the system from sleeping, by moving the mouse or using a mouse jiggler.
• Image the computer in the clear, before encryption is invoked.
• Transport the computer, while turned on, to a lab for further investigation.
• Search the RAM for keys.
Surprise Seizure with removal: WiebeTech’s HotPlug
• Currently in use in federal law enforcement agencies and at other law enforcement agencies
• “Lets Cops move desktops without shutting them down.”
• Doesn’t prevent sleeping – Mouse Jiggler is also needed (but included).
Key Recovery
• Ask the suspect to give you the key. Worth a try, right?
• Gather *everything* in the room – USB keys, USB drives, paper, etc. The backup recovery key is probably there somewhere.
• Follow forensic procedures for Bitlocker and other devices.

Reference: http://www.forensickb.com/2008/01/incident-response-recovering-bitlocker.html
Password (key) Attack – Ed Felten
• Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux. The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.

- Posted Feb. 21, 2008 at http://freedom-to-tinker.com/blog/felten/new-research-result-cold-boot-attacks-disk-encryption
Keystroke Logging
• Software-based keyloggers
• Hardware-based keyloggers
• Wireless keyboard sniffers
• Keyboard overlays
• Acoustic keyloggers
• Electromagnetic emissions (e.g. Tempest)
• Optical surveillance
Encryption Recap, what we know
• Encryption is widespread
• Encryption is (not) bullet proof
• Properly done, it does work well
• OS Encryption is often achieved via Bitlocker,
especially in a corporate environment
• WDE via Seagate, Hitachi and others, especially
in laptops
• Enclosure / Bay Encryption via CRU-Dataport
and other competitors
• Software Encryption, via PGP and 26,099 other
companies
Encryption Recap, what we know
• Encryption is nearly impossible to crack via
attack
• It’s not plaintext hiding behind a passkey
• It is mathematical and well designed.
Encryption Recap, what we know
• Plan ahead – anticipate encryption and perform intelligence gathering.
• Use element of surprise – examine the computer while it is unlocked, and keep it unlocked until imaging is complete.
• Look for the key, everywhere. Ask the suspect. Use “social engineering”. This is your best option.
• Keystroke Logging – many methods.
• Use a key recovery attack. Methodologies are evolving.


HotPlug
Encrypting Drive Bay from CRU-DataPort
Forensic RTX
RTX 400QR
Inline USB WriteBlocker
(Enter to win at our booth)
Encrypting Technologies for the Forensic Investigator
Thanks for listening.
Your questions and comments are invited.

Presented by James Wiebe, VP R&D CRU-WiebeTech


james@wiebetech.com
www.CRU-DataPort.com
www.wiebetech.com
