HDD decryption

Forensics Focus had an article about some software that "Decrypts TrueCrypt Hard Disks in Minutes". A pretty impressive & scary claim! Wondering how it works? I was too, so a quick visit to the manufacturer's website gives some details on how the software works for HDD decryption:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

Overall Steps

* Acquire a memory image of the seized computer
* Create an encrypted disk image (required for BitLocker only)
* Run Passware Kit to recover the encryption keys and decrypt the hard disk

So there is no gaping hole in the full disk encryption of BitLocker or TrueCrypt: the software extracts the keys from the forensically captured physical memory while the encrypted volume is mounted. This just further highlights the importance of being able to perform a live acquisition of the physical memory when the use of encryption is suspected...
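As an added illustration (not the page's or Passware's code), the Python below shows why a memory image taken while the volume is mounted is all that is needed: an AES-128 driver keeps a 176-byte expanded key schedule in RAM, every round key is derived from the previous one, and that self-consistency makes the schedule recognisable without knowing the key. The same check lets a defender confirm a driver scrubbed its schedule after dismount. The memory image, the offset and the use of the FIPS-197 test key are constructed for this example.

```python
import os

def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def _sbox():
    """Build the AES S-box from the field inverse and the affine transform."""
    box = [0x63] * 256                       # S-box(0) = 0x63
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for _ in range(4):                   # inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box[x] = s ^ 0x63
    return bytes(box)

SBOX = _sbox()

def expand_key(key):
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                      # RotWord, SubWord, then Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gf_mul(rcon, 2)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)

def find_aes128_schedules(image):
    """Offsets in `image` where a self-consistent AES-128 key schedule starts."""
    hits = []
    for o in range(len(image) - 175):
        k = image[o:o + 16]
        # cheap filter: the first derived word must match before a full expansion
        first = bytes([k[0] ^ SBOX[k[13]] ^ 1, k[1] ^ SBOX[k[14]],
                       k[2] ^ SBOX[k[15]], k[3] ^ SBOX[k[12]]])
        if first == image[o + 16:o + 20] and expand_key(k) == image[o:o + 176]:
            hits.append(o)
    return hits

def build_sample_image(key, offset=1000, size=4096):
    """Constructed stand-in for a memory image: random filler with one schedule in it."""
    buf = bytearray(os.urandom(size))
    buf[offset:offset + 176] = expand_key(key)
    return bytes(buf)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    image = build_sample_image(key)
    for o in find_aes128_schedules(image):
        print(f"key schedule at offset {o}, key {image[o:o + 16].hex()}")
```

On a real dump the same structural test is what tools of this kind rely on; once the volume is dismounted and the driver wipes its schedule, an image holds nothing for it to match.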
