Published by Rudolf Maurer, modified over 5 years ago
1
Disk Encryption
“Encryption threatens to lead all of us to a very dark place.” ~ James Comey
2
Overview
Encrypted Drives
BitLocker
Small note on Apple FileVault
Homework
3
Encrypted Drives: Different types of file encryption
Disk Encryption
  Full
  Partial
File-system Level Encryption
  Files
  Directories
Stackable file system encryption
4
Encrypted Drives: Issues
How is the volume decrypted (password, token, both)?
Where are the keys stored?
Which encryption algorithm?
When should the data be decrypted? Boot time, mount time, user login time, etc.?
Should there be a backdoor? In what circumstances? The user forgets their password and authenticates some other way?
5
Encrypted Drives: Why?
Full-disk encryption is really a last-ditch effort to protect your data
If your computer is on (you don't have to be logged in), it means nothing
If it's off, why are you carrying around a brick all day?
You should still use it
6
Encrypted Drives: Identifying
Encryption software often still leaves metadata, magic numbers and headers stored on the drive.
Thinking about full-disk encryption, and knowing what you know now about the boot process, where do you think this data might reside?
Encrypted partition?
What programs are installed on the system?
Various tools will perform the identification process for you. A lot of the time the identification is encryption-technology specific (dislocker for BitLocker, etc.)
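As an added example (not from the slides and not dislocker's own code), here is the core of what a tool like dislocker-find does: read the first sector of a volume and look for the header BitLocker leaves in the clear. The OEM ID and GUID values, and the 0xA0 offset, are taken from public BitLocker format notes (libbde) and are assumptions here; the sample sectors are constructed for the demonstration.

```python
import uuid

SECTOR_SIZE = 512
OEM_ID_OFFSET = 3                       # 8-byte OEM ID follows the 3-byte jump instruction
BITLOCKER_OEM_ID = b"-FVE-FS-"          # written by BitLocker on Vista, 7 and later volumes
NTFS_OEM_ID = b"NTFS    "
# BitLocker To Go keeps a FAT-style OEM ID (e.g. MSWIN4.1) but carries this identifier
# at offset 0xA0 (assumption: offset and GUID as given in the public libbde format notes).
BITLOCKER_GUID_OFFSET = 0xA0
BITLOCKER_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001").bytes_le

def identify_volume(sector: bytes) -> str:
    """Classify a volume from its first sector, as dislocker-find does at its core."""
    if len(sector) < SECTOR_SIZE:
        return "too short"
    oem_id = sector[OEM_ID_OFFSET:OEM_ID_OFFSET + 8]
    guid = sector[BITLOCKER_GUID_OFFSET:BITLOCKER_GUID_OFFSET + 16]
    if oem_id == BITLOCKER_OEM_ID:
        return "BitLocker (-FVE-FS- signature)"
    if guid == BITLOCKER_GUID:
        return f"BitLocker To Go (OEM ID {oem_id!r}, BitLocker GUID at 0xA0)"
    if oem_id == NTFS_OEM_ID:
        return "NTFS, not BitLocker-encrypted"
    if sector[510:512] == b"\x55\xaa":
        return f"other bootable volume, OEM ID {oem_id!r}"
    # No header at all: another product's container, or data that simply looks random.
    return "unknown (no recognised header)"

def identify_image(path: str, offset: int = 0) -> str:
    """Read the first sector of a raw image (a dd copy) starting at a partition offset."""
    with open(path, "rb") as f:
        f.seek(offset)
        return identify_volume(f.read(SECTOR_SIZE))

def make_sample_sector(oem_id: bytes, guid: bytes = bytes(16)) -> bytes:
    """Constructed boot sector for demonstration only; not taken from a real drive."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x58\x90"       # x86 jump seen at the start of FAT32/BitLocker boot sectors
    sector[3:11] = oem_id
    sector[0xA0:0xB0] = guid
    sector[510:512] = b"\x55\xaa"       # boot-sector end marker
    return bytes(sector)

SAMPLE_BITLOCKER = make_sample_sector(BITLOCKER_OEM_ID)
SAMPLE_TO_GO = make_sample_sector(b"MSWIN4.1", BITLOCKER_GUID)
SAMPLE_NTFS = make_sample_sector(NTFS_OEM_ID)
```

Point identify_image at a dd image of a suspect partition (with the partition's byte offset if the image covers the whole disk) to get the same classification for real data.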
7
BitLocker
BDE is a Full Volume Encryption solution by Microsoft, first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 and later versions, along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go.
A newer, non-backwards-compatible BitLocker was released with Windows 10.
Newer versions allow “multi-factor” authentication. This may be a user-entered PIN and the TPM, or a user password and a token.
With a recovery key you can bypass any multi-factor authentication.
Can be used to block DMA ports.
If used in conjunction with a TPM it can have defenses against hardware-based attacks.
Side note: BitLocker is disabled during Windows updates… (might be an interesting research area)
8
BitLocker
AES-CBC, AES-XTS ( want-xts/ ), 128 or 256 bits
Creates its own partition to contain the unlocking code that decrypts your disk.
If using BitLocker To Go you will have a hybrid encrypted volume.
Supports network unlock functionality: the user has to be logged in to a network before they can decrypt the volume, or they have to enter a PIN.
A lot of administrative and enterprise benefits
Integrates well with Windows ;)
9
BitLocker
If the computer is on, you generally have nothing to worry about (you still might hit a few snags). We will talk about recovering these keys during our memory forensics slides.
The keys may be in memory or they could be stored in Active Directory services.
If the computer is off it may be a bit more difficult.
If you are working a criminal case, it appears from my reading that you will generally be able to get the recovery key directly from the user (by court order), if they are cooperating.
We will talk about tools to detect and mount an encrypted BitLocker volume
10
BitLocker: dislocker
dislocker-bek: for dissecting a .bek (recovery key) file and printing information about it
dislocker-metadata: for printing information about a BitLocker-encrypted volume
dislocker-find: not a binary but a Ruby script which tries to find BitLocker-encrypted partitions among the plugged-in disks (only works if the library is compiled with the Ruby bindings)
dislocker-file: for decrypting a BitLocker-encrypted partition into a flat file formatted as an NTFS partition you can mount
11
BitLocker: dislocker
dislocker-fuse: the one you're using when calling `dislocker`, which dynamically decrypts a BitLocker-encrypted partition using FUSE
Dislocker: given a decryption means, the program is used to read or write BitLocker-encrypted volumes. Technically, the program will create a virtual NTFS partition that you can mount as any other NTFS partition.
dislocker -V encrypted.bitlocker -f /path/to/usb/file.BEK -- /mnt/ntfs
  -V: volume
  encrypted.bitlocker: dd image of the BitLocker volume
  -f: the .BEK recovery-key file to use
  --user-password: pass the user password to use for decryption
12
BitLocker: Other tools
bdeinfo
bdemount
Final note
If you are using a Windows 7 machine as your forensics analyst platform but you are analyzing a Windows 10 BitLocker volume, you will not be able to decrypt the volume using conventional forensics tools (EnCase, FTK, and others). You will need to switch to a Windows 10 machine.
13
Apple FileVault2: XTS-AES-128 encryption with a 256-bit key
FileVault Options
If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.*
If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.*
If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.
14
Apple FileVault2: XTS-AES-128 encryption with a 256-bit key
Key Recovery
A RAM capturing tool must be executed on a running computer with the FileVault 2 container unlocked and a user logged in
Go for the weakest link, depending on how the key may have been stored
  Can you get into their phone?
  Weak passwords
  Or..
15
Apple FileVault2: Key Recovery
Just grab the wipe key from the recovery partition (EncryptedRoot.plist.wipekey) and use that to derive the key to unlock the FileVault volume
But wait, that's encrypted
Yeah, encrypted with a key that is stored in the recovery drive partition headers
But wait, that only works in OS X Lion (circa 2011)
Sure, now it is more difficult, but it depends on the option the user chose when setting up the encryption
Most likely you will have to grab it from dumped RAM
Or grab the password hashes and use them to crack the FileVault volume
16
Apple FileVault2: Mounting
libfvde paper -
17
Questions?
18
Homework
Problem 1
Problem 2
19
Relevant Links
FileVault2 Mounting - and-reimaging-encrypted.html?m=1
FileVault2 how does it work? Some interesting RE stuff as well
protection/bitlocker/bitlocker-frequently-asked-questions
protection/bitlocker/bitlocker-device-encryption-overview-windows-10
20
Interesting Forensics Papers
Forensics tool automation and parallel imaging and carving /art00005
Subverting hardware firmware bootkits