True crypt can be broken? read this!

[demoneye]

hi all


i am sure someone somewhere on this forums already Referred to this.

http://www.lostpassword.com/hdd-decryption.htm

but i wounder if its falls , why it kept on the owner site??


10x

[box750]

The most important part of that page is this one:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked)

For this to work your fully encrypted drive needs to be mounted and decrypted when someone gets hold of it, and if someone can get hold of your computer while it is mounted and decrypted, the less of your worries is some program pulling the encryption key from RAM and reusing it, if you switch your computer off when you are not around you are safe, if you use a screensaver (locked), you are not.

[demoneye]

oww...

its so dummy approach so i misunderstood it maybe
if its all about when your pc is mounted and decrypted u can EVEN insert a usb hd and copy al the data HAHA why using all this dump and stuff

10x mate for lighting it to me

[lordraiden]

Quote:

Originally Posted by box750

The most important part of that page is this one:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked)

For this to work your fully encrypted drive needs to be mounted and decrypted when someone gets hold of it, and if someone can get hold of your computer while it is mounted and decrypted, the less of your worries is some program pulling the encryption key from RAM and reusing it, if you switch your computer off when you are not around you are safe, if you use a screensaver (locked), you are not.

But the "hacker" should be able to unlock (password protected) your pc first? no?

If I disable the hibernation I'm protected?

BTW nice blog, although I miss RSS

[chiraldude]

I don't know about bitlocker but if you read the Truecrypt docs you will find a warning(s?) about using hibernation.
In theory, if you are using full system/disk encryption of all disks in the machine, the hiberfil.sys file should also be encrypted. To be sure, don't use hibernation and turn off your computer when you leave.

Bottom line is that encryption is not magic. If you don't understand the details of how it works your data is much more vulnerable.

I suspect local law enforcement counts on stupid criminals blindly trusting encryption to lock their data. I just hate to see police having to purchase software like Passware Kit at such a high price.

[demoneye]

Quote:

Originally Posted by chiraldude

I suspect local law enforcement counts on stupid criminals blindly trusting encryption to lock their data. I just hate to see police having to purchase software like Passware Kit at such a high price.

police and other law enforcement groups as far as i know cant break true crypt by it password .

i mean ignore the stupid users , they cant brake it by software or any trap doors

[chiraldude]

A stupid user is someone that uses truecrypt but doesn't understand what they are doing. An example is someone that uses file based containers because full system encryption is to hard to figure out.
For example, if you use a file based container, hibernate your system and leave your computer unattended. In that case, passware like programs have no problem capturing the master keys from hiberfil.sys

If you are not stupid and have data you want kept secret, use full system encryption and turn off hibernation. Never walk away from your system without a full shutdown. In that case it is impossible for even the NSA to crack your encryption.

[J_L]

Just because you're using file based containers doesn't mean you're stupid and don't understand truecrypt. Some people don't need to encrypt their entire system, only very important files.

I do somewhat agree with your second statement though (except hiberfil.sys can be easily encrypted).

[Hungry Man]

or encrypt specific files and turn off hibernation... lmao

[x942]

Quote:

Originally Posted by chiraldude

I don't know about bitlocker but if you read the Truecrypt docs you will find a warning(s?) about using hibernation.
In theory, if you are using full system/disk encryption of all disks in the machine, the hiberfil.sys file should also be encrypted. To be sure, don't use hibernation and turn off your computer when you leave.

Bottom line is that encryption is not magic. If you don't understand the details of how it works your data is much more vulnerable.

I suspect local law enforcement counts on stupid criminals blindly trusting encryption to lock their data. I just hate to see police having to purchase software like Passware Kit at such a high price.

Both encrypt it if you encrypt all partitions. Bitlocker disables sleep mode when using it. I also recommend enabling encrypted page file and hibernation file in gpedit this adds a second layer of AES-256 bit encryption to those files.

As long as the computer is hibernated it is safe however if an attacker can intercept the hibernation file at boot time than you can be compromised. All in all don't hibernate or at least don't resume in an unsafe location.

[demoneye]

Quote:

Originally Posted by x942

Both encrypt it if you encrypt all partitions. Bitlocker disables sleep mode when using it. I also recommend enabling encrypted page file and hibernation file in gpedit this adds a second layer of AES-256 bit encryption to those files.

this refer only to full hd encryption ? not container file encryption?

[box750]

Quote:

Originally Posted by lordraiden

But the "hacker" should be able to unlock (password protected) your pc first? no?

If I disable the hibernation I'm protected?

There is no need to "unlock" your password protected screensaver, it is possible to plug in a USB thumbdrive that will use Windows autorun to execute a script and get your encryption keys from RAM. If your computer is not hibernating then disabling hibernation will not protect you, the encryption keys will be found in RAM memory.

[Noob]

If they have physical access to your PC with the disk mounted, you have more serious things to worry about ;Ð

[x942]

Quote:

Originally Posted by demoneye

this refer only to full hd encryption ? not container file encryption?

Encrypting page file works in both cases however if you use a container it is not recommended to hibernate UNLESS you clear it from cache. I don't bother with hibernate but with FDE it should be fine as long as the resume process isn't intercepted and you don't allow an attacker access when mounted.

box750:

Quote:

here is no need to "unlock" your password protected screensaver, it is possible to plug in a USB thumbdrive that will use Windows autorun to execute a script and get your encryption keys from RAM. If your computer is not hibernating then disabling hibernation will not protect you, the encryption keys will be found in RAM memory.

Yes and no. While a screensaver wont do anything you can mitigate it by disabling autorun and using window 7's lockscreen. This is much harder to bypass but not by much I recommend shutting down or only using it in a trusted location to keep the honest people out

[x942]

Also according to TrueCrypt FDE protects hibernation and page file:

Quote:

Note: The issue described below does not affect you if the system partition or system drive is encrypted* (for more information, see the chapter System Encryption) and if the hibernation file is located on any of the partitions within the key scope of system encryption (which it typically is, by default), for example, on the partition where Windows is installed. When the computer hibernates, data are encrypted on the fly before they are written to the hibernation file.

And this disclaimer about XP and windows 2003:

Quote:

* Disclaimer: As Windows XP and Windows 2003 do not provide any API for encryption of hibernation files, TrueCrypt has to modify undocumented components of Windows XP/2003 in order to allow users to encrypt hibernation files. Therefore, TrueCrypt cannot guarantee that Windows XP/2003 hibernation files will always be encrypted. In response to our public complaint regarding the missing API, Microsoft began providing a public API for encryption of hibernation files on Windows Vista and later versions of Windows (for more information, see the Version History, section TrueCrypt 5.1a). Since version 7.0, TrueCrypt has used this API and therefore has been able to safely encrypt hibernation files under Windows Vista and later versions of Windows. Therefore, if you use Windows XP/2003 and want the hibernation file to be safely encrypted, we strongly recommend that you upgrade to Windows Vista or later and to TrueCrypt 7.0 or later.

Source

Same goes for Paging Files and Memory Dumps

As long as the disk is NOT mounted you are safe and CAN use hibernation without compromise. HOWEVER if an attacker has the mounted disk they CAN, obviously, copy those files and grab the key latter on.

So don't boot in a hostile environment unless you can protect your computer physically and do NOT walk away in such an environment leaving it logged on. At least hibernate it.

[caspian]

Quote:

Originally Posted by chiraldude

In that case, passware like programs have no problem capturing the master keys from hiberfil.sys

That assumes that you have malware on your computer.

[caspian]

Quote:

Originally Posted by box750

There is no need to "unlock" your password protected screensaver, it is possible to plug in a USB thumbdrive that will use Windows autorun to execute a script and get your encryption keys from RAM. If your computer is not hibernating then disabling hibernation will not protect you, the encryption keys will be found in RAM memory.

But if you dismount TrueCrypt and restart your computer, then nothing, at that point, other than some type of installed keylogger can get anything, correct?

[chiraldude]

Quote:

Originally Posted by caspian

That assumes that you have malware on your computer.

Eh??

The OP noted that a program called "Passware" can extract encryption keys from memory and/or hiberfil.sys
No malware required. Of course if your system is compromised with malware, encryption can't be trusted to protect you.

The real bottom line is that modern encryption is mathematically unbreakable. It is pointless to try to bruteforce guess strong passwords for something like Truecrypt. The only way to "break" the encryption is to bypass it by capturing passwords after they are entered. To ensure your data is safe from sophisticated attacks, never connect to a network, only enter your passwords in a secured area, and shut down your system if you leave.
Even if you operate with this level of security, your adversary could suddenly break down your door and prevent you from shutting down your system. In that case you would need some sort of hardware based security that automatically shut down your system under such circumstances. This may or may not be possible.

[x942]

Quote:

Originally Posted by chiraldude

Eh??

The OP noted that a program called "Passware" can extract encryption keys from memory and/or hiberfil.sys
No malware required. Of course if your system is compromised with malware, encryption can't be trusted to protect you.

The real bottom line is that modern encryption is mathematically unbreakable. It is pointless to try to bruteforce guess strong passwords for something like Truecrypt. The only way to "break" the encryption is to bypass it by capturing passwords after they are entered. To ensure your data is safe from sophisticated attacks, never connect to a network, only enter your passwords in a secured area, and shut down your system if you leave.
Even if you operate with this level of security, your adversary could suddenly break down your door and prevent you from shutting down your system. In that case you would need some sort of hardware based security that automatically shut down your system under such circumstances. This may or may not be possible.

I know this isn't what you mean but interestingly Avast detects it as a PUP (potentially unwanted program). I guess some AV's don't like this thing anyways.