Jump to content

Disk Encryption


.exe
 Share

Recommended Posts

It appears the more security conscious companies have become wise to the hacking communities utilities for password recovery (namely Ophcrack).

This utility relies on being able to read the SAM database of a Windows machine by booting into Linux (unless you recover these password using a hash dump (which is hard as Windows locks down access to this file when it starts). By encrypting hard drives its impossible to recover information using a live cd (distro cant read the SAM because the encryption service starts at preboot).

So is anybody working on any kind of workaround for the encryption (probably impossible as this is being rolled out by multiple vendors). Im guessing you would need a usb hack or an exploit using Jasager wirelessly in order to get at the hash?

Link to comment
Share on other sites

Would it be possible to attach a usb key to the computer to dump out the ram and capture the key? The specific system used where I work has integrated this encryption mechanism into the windows login screen (it unlocks machine and generates decryption key).

Link to comment
Share on other sites

Would it be possible to attach a usb key to the computer to dump out the ram and capture the key? The specific system used where I work has integrated this encryption mechanism into the windows login screen (it unlocks machine and generates decryption key).

Assuming that they have autorun enabled, yes, you should be able to run an app to dump the RAM.

Link to comment
Share on other sites

Would it be possible to attach a usb key to the computer to dump out the ram and capture the key? The specific system used where I work has integrated this encryption mechanism into the windows login screen (it unlocks machine and generates decryption key).

This is much easier with Firewire because it has direct memory access, it can suck out a dump of the RAM without the OS even knowing.

Link to comment
Share on other sites

Assuming that they have physical control of the computer when the disk is decrypted. If you shut down your computer the normal way the TC driver will erase the password from the RAM.

Ah yes, but the whole reason this attack works is that by cooling the RAM chip, it slows degradation of the memory after it has been shut down. I sat through a talk at Toorcon by Jake Appelbaum, one of the hackers who worked on this attack. He said this technique is the one currently being used by the FBI and DHS.

Mr. Appelbaum went on to say that you could swipe the laptop from say, a coffee shop, cool the ram chip with the air duster quickly which buys you 10 more minutes, then you could drop the ram chip into a thermos of liquid nitrogen. Now you have over an hour to get the chip back to your place to get the encryption keys from RAM.

The problem with this attack isn't so much time, it is gaining physical access which is what you are all proposing anyway.

Link to comment
Share on other sites

Swiping means you alert the target and dicking around with liquid nitrogen is not only impracticle but if you mess it up its going to mean you lose your fingers... (although this is useful in a purely educational way).

You probably need about 30 seconds to restart the machine and dump the RAM so cooling may not come into the equation if your quick enough AND you do it at the targets machine.

Spinright would probably repair the degradation if any if you ran it on the dump. So the trade off for degradation would be fixing the data once its been grabbed.

The two most popular systems are Bitlocker (Vista) and Checkpoint (currently being used by IBM and other major brands).

What solutions are available for RAM dumping off a usb stick? If it is more practical then how would you go about doing this via firmware? Breakout box attached to a PCMCIA slot? Moves data to the board which has RAM powered by a battery.

If you can pull this data onto storage as far as the target knows there computer has just restarted (which you could put down to Windows patches, act of god, sunspots...........).

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...