“Encryption threatens to lead all of us to a very dark place.”

Disk Encryption
“Encryption threatens to lead all of us to a very dark place.” ~ James Comey

Overview
Encrypted drives
BitLocker
Small note on Apple FileVault
Homework

Encrypted Drives: different types of encryption
Disk encryption
    Full
    Partial
File-system level encryption
    Files
    Directories
Stackable file-system encryption

Encrypted Drives: Issues
How is the volume unlocked (password, token, both)?
Where are the keys stored, and how are they protected while stored?
Which encryption algorithm, and which mode of operation?
When should the data be decrypted? Boot time, mount time, user login time, etc.?
Should there be a backdoor? In what circumstances? What if the user forgets their password and authenticates some other way (e.g. a recovery key)? Every such path is a second way to unlock the volume and has to be protected as well as the primary one.

Encrypted Drives: Why?
Full-disk encryption is really a last-ditch effort to protect your data: it protects data at rest on a lost or stolen machine and nothing more.
If your computer is on, the volume is already unlocked and the key sits in RAM; you do not have to be logged in for that to be true, so the encryption means nothing against an attacker with physical access to the running machine.
If it is off, why are you carrying around a brick all day?
You should still use it.

Encrypted Drives: Identifying
Encryption software usually still leaves metadata, magic numbers and headers on the drive in the clear.
Thinking about full-disk encryption, and knowing what you know now about the boot process, where do you think this data might reside? The code that asks for the password has to run before anything is decrypted, so there is always an unencrypted boot area (for BitLocker, a separate system partition) plus an encrypted volume that starts with its own recognizable header.
Is there an encrypted partition? What programs are installed on the system?
Various tools will perform the identification process for you. A lot of the time the tooling is specific to the encryption technology (dislocker for BitLocker, https://github.com/Aorimn/dislocker/, etc.).
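As an added example for these notes (not code from the slides, nor from the dislocker or libbde projects), here is the magic-number check those tools perform on a BitLocker volume, written out in Python. The field offsets are the ones the libbde and dislocker documentation give for a Windows 7 and later BitLocker volume boot sector: the "-FVE-FS-" signature at offset 3, the volume identifier GUID at offset 160, and three 8-byte offsets of the FVE metadata blocks at offset 176, each of those blocks again starting with "-FVE-FS-". The sample image, the metadata offsets in it and the helper names are constructed for the example and are not taken from a real volume.

```python
from typing import Optional
import struct
import uuid

# Layout of a BitLocker (Windows 7 and later) volume boot sector, per the
# libbde / dislocker documentation.
BITLOCKER_SIGNATURE = b"-FVE-FS-"   # also the first 8 bytes of each FVE metadata block
SIGNATURE_OFFSET = 3
GUID_OFFSET = 160                   # 16-byte volume identifier GUID, little-endian
METADATA_OFFSETS_OFFSET = 176       # three 8-byte LE offsets of the FVE metadata blocks
# Volume identifier written by Windows 7 and later BitLocker (libbde docs)
WIN7_VOLUME_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")


def parse_bitlocker_header(sector: bytes) -> Optional[dict]:
    """Return the header fields if `sector` is a BitLocker boot sector, else None."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 8] != BITLOCKER_SIGNATURE:
        return None
    guid = uuid.UUID(bytes_le=bytes(sector[GUID_OFFSET:GUID_OFFSET + 16]))
    offsets = struct.unpack_from("<3Q", sector, METADATA_OFFSETS_OFFSET)
    return {
        "signature": BITLOCKER_SIGNATURE.decode("ascii"),
        "volume_guid": str(guid),
        "metadata_offsets": list(offsets),
        "is_win7_or_later": guid == WIN7_VOLUME_GUID,
    }


def check_metadata_blocks(image: bytes, offsets) -> list:
    """Report, per metadata block offset, whether the block signature is present."""
    return [image[off:off + 8] == BITLOCKER_SIGNATURE for off in offsets]


def identify_image(path: str) -> Optional[dict]:
    """Identify a raw image (e.g. dd output) and verify its three metadata blocks."""
    with open(path, "rb") as f:
        header = parse_bitlocker_header(f.read(512))
        if header is None:
            return None
        blocks = []
        for off in header["metadata_offsets"]:
            f.seek(off)
            blocks.append(f.read(8) == BITLOCKER_SIGNATURE)
        header["metadata_blocks_ok"] = blocks
        return header


def make_sample_image() -> bytes:
    """Constructed 32 KiB image: BitLocker header plus three metadata block stubs.

    Not a real volume; the offsets are hypothetical (real volumes place the
    metadata blocks well into the volume).
    """
    offsets = (0x2000, 0x4000, 0x6000)
    image = bytearray(0x8000)
    image[0:3] = b"\xeb\x58\x90"                      # jump stub, as on real sectors
    image[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 8] = BITLOCKER_SIGNATURE
    image[GUID_OFFSET:GUID_OFFSET + 16] = WIN7_VOLUME_GUID.bytes_le
    struct.pack_into("<3Q", image, METADATA_OFFSETS_OFFSET, *offsets)
    image[510:512] = b"\x55\xaa"                      # boot sector end marker
    for off in offsets:
        image[off:off + 8] = BITLOCKER_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(identify_image(sys.argv[1]))            # e.g. a dd image of the volume
    else:
        img = make_sample_image()
        hdr = parse_bitlocker_header(img[:512])
        print(hdr, check_metadata_blocks(img, hdr["metadata_offsets"]))
```

Run it against a raw image of a suspected volume (not the whole disk: the signature is at the start of the volume, not of the disk). A plain NTFS volume starts with "NTFS    " at the same offset, which is why a single 8-byte compare at offset 3 separates the two; the metadata-block check guards against a sector that merely happens to contain the string.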

BitLocker
BitLocker Drive Encryption (BDE) is Microsoft's full-volume encryption solution, first included with the Enterprise and Ultimate editions of Windows Vista.
It is also present in Windows 7 and later, along with BitLocker To Go, which encrypts removable storage such as USB drives.
Windows 10 (version 1511) introduced a new on-disk format using XTS-AES that older Windows versions cannot read.
Newer versions allow "multi-factor" authentication: for example TPM plus a user-entered PIN, or a password plus a startup key on USB.
With a recovery key (the 48-digit recovery password or a saved .bek file) you can bypass any multi-factor authentication, so where that key is stored matters as much as the password.
Can be configured (Group Policy) to block new DMA-capable devices while the computer is locked, as a defense against DMA attacks.
If used in conjunction with a TPM, the key is sealed to the measured boot chain, which gives some defense against hardware-based attacks such as tampering with the boot code. Caveat: TPM-only mode releases the key at boot with no user secret, so a PIN is what actually stops an attacker holding the powered-off machine.
Side note: BitLocker protection is suspended during some Windows feature updates (the volume key is temporarily stored in the clear). Might be an interesting research area.

BitLocker: algorithms and layout
AES-CBC (with the Elephant diffuser through Windows 7, without it from Windows 8) and, since Windows 10 1511, AES-XTS (https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/ ), with 128- or 256-bit keys.
Creates its own unencrypted system partition to contain the boot manager and unlocking code that decrypt your OS volume.
If using BitLocker To Go you will have a hybrid volume: an unencrypted discovery area plus the encrypted payload.
Supports Network Unlock: a domain-joined machine on the corporate wired network unlocks automatically from a WDS server; anywhere else the user has to enter the PIN.
A lot of administrative and enterprise benefits (recovery passwords escrowed to Active Directory, Group Policy control of protectors).
Integrates well with Windows ;)

BitLocker: forensic considerations
If the computer is on, you generally have nothing to worry about (you still might hit a few snags).
We will talk about recovering these keys during our memory forensics slides.
The keys may be in memory, or the recovery password could be escrowed in Active Directory Domain Services.
If the computer is off it may be a bit more difficult.
If you are working a criminal case, it appears from my reading that you will generally be able to get the recovery key directly from the user (by court order) if they are cooperating.
We will talk about tools to detect and mount an encrypted BitLocker volume (https://github.com/Aorimn/dislocker/ ).

BitLocker: dislocker
dislocker-bek: dissects a .bek (startup/recovery key) file and prints information about it
dislocker-metadata: prints information about a BitLocker-encrypted volume
dislocker-find: not a binary but a Ruby script which tries to find BitLocker-encrypted partitions among the plugged-in disks (only works if the library is compiled with the Ruby bindings)
dislocker-file: decrypts a BitLocker-encrypted partition into a flat file formatted as an NTFS partition you can mount

BitLocker: dislocker (continued)
dislocker-fuse: the one you're using when calling `dislocker`, which dynamically decrypts a BitLocker-encrypted partition using FUSE
Given a decryption means (user password, recovery password, .bek file or clear key), the program is used to read or write BitLocker-encrypted volumes. Technically, it exposes a virtual NTFS partition as a single file (dislocker-file) in the FUSE mount point, which you then loop-mount as any other NTFS partition (read-only for forensic work).
dislocker -r -V encrypted.bitlocker -f /path/to/usb/file.BEK -- /mnt/dislocker
-V / --volume: the volume; encrypted.bitlocker is a dd image of the BitLocker volume
-f / --bekfile: .bek file to use for decryption
-u / --user-password: prompt for the user password to use for decryption
-p / --recovery-password: prompt for the 48-digit recovery password
-r / --readonly: never write to the volume

BitLocker: other tools
bdeinfo and bdemount (libbde)
Final note: if you are using a Windows 7 machine as your forensic analysis platform but you are analyzing a Windows 10 BitLocker volume in the newer XTS-AES format, you will not be able to decrypt the volume using conventional forensic tools (EnCase, FTK, and others) on that platform. You will need to switch to a Windows 10 machine.

Apple FileVault 2
XTS-AES-128 encryption with a 256-bit key
FileVault options (per Apple's documentation):
If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.
If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.
If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe, other than on your encrypted startup disk.

Apple FileVault 2: key recovery
A RAM-capturing tool must be executed on the running computer with the FileVault 2 container unlocked and a user logged in.
Go for the weakest link, depending on how the key may have been stored: can you get into their phone (and so their iCloud account)? Weak passwords? Or...

Apple FileVault 2: key recovery (continued)
Just grab the wipe key from the recovery partition (EncryptedRoot.plist.wipekey) and use that to derive the key to unlock the FileVault volume.
But wait, that's encrypted. Yeah, encrypted with a key that is stored in the recovery partition's headers.
But wait, that only works in OS X Lion (circa 2011)? Sure, now it is more difficult, but it depends on the options the user chose when setting up the encryption.
Most likely you will have to grab it from dumped RAM, or grab the password hashes and use http://openciphers.sourceforge.net/oc/vfcrack.php to crack the FileVault volume (note that vfcrack/VileFault targets the original FileVault encrypted disk images rather than FileVault 2 CoreStorage volumes).

Apple FileVault 2: mounting
libfvde: https://github.com/libyal/libfvde/wiki/Mounting
libfvde paper (Choudary, Grobert, Metz, "Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption"): https://eprint.iacr.org/2012/374.pdf

Questions?

Homework Problem 1 Problem 2

Relevant Links
FileVault 2 mounting: http://az4n6.blogspot.com/2016/07/mounting-and-reimaging-encrypted.html?m=1
FileVault 2, how does it work? Some interesting RE stuff as well: https://www.cl.cam.ac.uk/~osc22/docs/cl_fv2_presentation_2012.pdf
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10
https://github.com/Aorimn/dislocker/

Interesting Forensics Papers
Forensics tool automation and parallel imaging and carving: http://www.ingentaconnect.com/contentone/ist/ei/2017/00002017/00000007/art00005
Subverting hardware firmware bootkits: https://www.sciencedirect.com/science/article/pii/S1742287617303316