Wilders Security Forums  

  #1  
Old March 28th, 2011, 04:16 PM
vane vane is offline
Infrequent Poster
 
Join Date: Mar 2011
Posts: 15
Default Hotspot use of truecrypt ,opinions please

I posted these questions on the TrueCrypt board, but up to now I have had no reactions yet.
Because of a broader user base (I think) on this board, I thought to ask for opinions here.

Current use: I have a netbook with Windows 7 (no page file) and a USB stick with a TC file container on it.
I go to a public wifi access point and open the encrypted file container; in this container sits a portable Firefox, which I start (using the Tor network, but I am going to use a VPN).
I save some webpages (in Scrapbook, an extension also residing in the container), so when I'm done I dismount the container.
I want to make this setup more secure if possible:
1. There is the problem of "wear leveling" with the USB stick; this could be alleviated by moving the file container to the HD.
2. Data leaks to the OS, via the usual suspects: temp files, Dr. Watson, bsd's.
I would like to hear opinions on alternatives.
1. Encrypted system, with TC file container on it. Reading this forum, I believe that, for instance, after a bsd, upon reboot the possible plaintext remnants in RAM are gone?
2. Encrypted system and decoy OS. The reason for the decoy: imagine this situation: threat: the netbook is possibly being taken forcefully, no time to close Firefox and dismount properly,
see: "Shuttng down laptop instantly" at: http://forums.truecrypt.org/viewtopic.php?t=22355 , creating a bsd, see: http://www.howtogeek.com/howto/40427...olor-you-want/
so, in case of emergency, create a bsd, PC reboots into decoy OS, so all data in RAM will be gone, and adversary sits in the decoy.
I hope this all makes sense. What would be a good way to achieve my goal: no data leaking and, if possible, emergency shutdown?
Thanks for any suggestions.
  #2  
Old March 28th, 2011, 07:03 PM
markedmanner's Avatar
markedmanner markedmanner is offline
Regular Poster
 
Join Date: Nov 2009
Posts: 134
Default Re: Hotspot use of truecrypt ,opinions please

You could use Returnil on your system. Enable it before mounting your truecrypt volume from your USB. Then set Returnil to wipe all disk changes at computer startup. That way any of the BSOD etc. you are worrying about is not saved. As far as emergency shutdown this is the quickest way I know of: http://www.ehow.com/how_4758555_fast...f-windows.html
  #3  
Old March 29th, 2011, 04:06 AM
vane vane is offline
Infrequent Poster
 
Join Date: Mar 2011
Posts: 15
Default Re: Hotspot use of truecrypt ,opinions please

Quote:
Originally Posted by markedmanner
You could use Returnil on your system. Enable it before mounting your truecrypt volume from your USB. Then set Returnil to wipe all disk changes at computer startup. That way any of the BSOD etc. you are worrying about is not saved.
Thank you for helping out. I am reading up on Returnil to see how it works; a virtual environment is a different approach. I am mainly concerned with plaintext remnants residing somewhere on disk after a forced reboot.
Quote:
As far as emergency shutdown this is the quickest way I know of: http://www.ehow.com/how_4758555_fast...f-windows.html
Good tip, I'll try this out.
  #4  
Old March 29th, 2011, 03:26 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,848
Lightbulb Re: Hotspot use of truecrypt ,opinions please

You could also use Calomel in FF which can use just RAM for caching

http://www.wilderssecurity.com/showthread.php?t=285561

Also mentioned in these threads as well - http://www.wilderssecurity.com/searc...archid=4036255
  #5  
Old March 30th, 2011, 03:37 AM
vane vane is offline
Infrequent Poster
 
Join Date: Mar 2011
Posts: 15
Default Re: Hotspot use of truecrypt ,opinions please

Thank you, seems a useful extension for my purpose.
Cheers

Quote:
Originally Posted by CloneRanger
You could also use Calomel in FF which can use just RAM for caching



http://www.wilderssecurity.com/showthread.php?t=285561

Also mentioned in these threads as well - http://www.wilderssecurity.com/searc...archid=4036255
  #6  
Old March 30th, 2011, 05:12 PM
chiraldude chiraldude is offline
Regular Poster
 
Join Date: Jul 2010
Posts: 117
Default Re: Hotspot use of truecrypt ,opinions please

1. there is the problem of "wear leveling" with the usb stick ;this could be alleviated by moving the file container to the hd.
Wear leveling is not an issue if you always save encrypted data to the usb drive. (Only if you encrypt data in-place)

2. Data leaks to the Os, via the usual suspects, temp files , dr. Watson , bsd's.
Not much you can do about this. Windows does what Windows does...


1. I believe that , for instance , after a bsd, upon reboot the possible plaintext remnants in ram are gone ?
The physical ram fades away. I have read posts from people asserting that Windows sometimes writes pagefile like data even if you disable the pagefile. Again with Windows you can never be sure.

2. encrypted system and decoy os ,the reason for the decoy: imagine this situation : threat : the netbook is possibly being taken forcefully ,no time to close firefox and dismount properly, data in ram will be gone, and adversary sits in the decoy.
I think you can have a hotkey to dismount all truecrypt containers. Probably just plain system encryption would be best. If you can crash the system with a hotkey then the thief will be left with a system that can't be read or booted without a password. Hidden OS is a real PITA to set up so unless you expect your adversary will force you to give the password it's overkill.
  #7  
Old March 30th, 2011, 10:42 PM
x942's Avatar
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Post Re: Hotspot use of truecrypt ,opinions please

Quote:
Originally Posted by chiraldude
1. there is the problem of "wear leveling" with the usb stick ;this could be alleviated by moving the file container to the hd.
Wear leveling is not an issue if you always save encrypted data to the usb drive. (Only if you encrypt data in-place)

2. Data leaks to the Os, via the usual suspects, temp files , dr. Watson , bsd's.
Not much you can do about this. Windows does what Windows does...


1. I believe that , for instance , after a bsd, upon reboot the possible plaintext remnants in ram are gone ?
The physical ram fades away. I have read posts from people asserting that Windows sometimes writes pagefile like data even if you disable the pagefile. Again with Windows you can never be sure.

2. encrypted system and decoy os ,the reason for the decoy: imagine this situation : threat : the netbook is possibly being taken forcefully ,no time to close firefox and dismount properly, data in ram will be gone, and adversary sits in the decoy.
I think you can have a hotkey to dismount all truecrypt containers. Probably just plain system encryption would be best. If you can crash the system with a hotkey then the thief will be left with a system that can't be read or booted without a password. Hidden OS is a real PITA to set up so unless you expect your adversary will force you to give the password it's overkill.

To achieve the hotkey Crash you can either use DiskCryptor (free/GPL) or modify this registry:
Quote:
Click on Start and then Run.

In the text box in the Run window, type regedit and click OK. This will open the Registry Editor program.

Locate the HKEY_LOCAL_MACHINE folder under My Computer and click on the (+) sign next to the folder name to expand the folder.

Continue to expand folders until you reach the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt registry key.

Select the Parameters key under i8042prt.

From the menu, select Edit, then New and finally DWORD Value.

On the right-hand side of the screen, a new value will appear. Name this new value CrashOnCtrlScroll. The value must be named this exactly to function properly.

Double-click on the CrashOnCtrlScroll DWORD value you just created and set the Value data to 1.

Click OK and then close Registry Editor.

Restart your PC and log back in as you normally do.

To create the BSOD, press and hold the Ctrl key on the right side of the keyboard while you press the Scroll Lock key twice in quick succession.

Warning: Your system will lock up and need to be restarted after causing the BSOD so make sure any work you are doing is saved and all programs are closed before initiating the keystrokes above.

The BSOD will appear on screen.
(From:http://pcsupport.about.com/od/tipstr...makebsodxp.htm)

And finally a little C# script that can do the same:
Code:
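using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ConsoleApplication3
{
    class Program
    {
        // Undocumented ntdll call. Information class 29 (0x1D) is ProcessBreakOnTermination.
        // The call needs SeDebugPrivilege enabled; the NTSTATUS it returns is ignored here.
        [DllImport("ntdll")]
        static extern int NtSetInformationProcess(IntPtr p, int c, ref int i, int l);

        // Marks this process as critical: if it is terminated while the flag is set, Windows bugchecks (BSOD).
        static void SetEssential()
        {
            int e = 1;
            NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref e, 4);
        }

        // Clears the critical flag so the process can exit normally.
        static void SetUnessential()
        {
            int e = 0;
            NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref e, 4);
        }

        static void Main(string[] args)
        {
            SetEssential();
            Console.ReadLine();   // killing the process while it waits here crashes the system
            SetUnessential();     // pressing Enter instead clears the flag and exits cleanly
        }
    }
}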

To prevent data leaks FDE is pretty much the only way. I would say use FDE and Encrypt the entire Flash Drive as well. Then use CCleaner and FileShreder/Eraser to clean up windows once in a while.
  #8  
Old March 31st, 2011, 04:52 PM
vane vane is offline
Infrequent Poster
 
Join Date: Mar 2011
Posts: 15
Default Re: Hotspot use of truecrypt ,opinions please

@chiraldude
Quote:
2. encrypted system and decoy os ,the reason for the decoy: imagine this situation : threat : the netbook is possibly being taken forcefully ,no time to close firefox and dismount properly, data in ram will be gone, and adversary sits in the decoy.
I think you can have a hotkey to dismount all truecrypt containers. Probably just plain system encryption would be best.

Yes, I think so too. System encrypt a clean Win 7 install; I still have an XP on the first partition, I'd like to keep this as an unencrypted boot option, but I'm not sure if this will work. TC encrypts Win 7 "in place" but then the Win bootloader gets replaced with the TC loader; I looked in the forum and the docs but couldn't find an answer on how to enable dual-booting in this scenario.
Quote:
If you can crash the system with a hotkey then the thief will be left with a system that can't be read or booted without a password. Hidden OS is a real PITA to set up so unless you expect your adversary will force you to give the password it's overkill
Yes, it seems to be a rather complicated process.
  #9  
Old March 31st, 2011, 04:58 PM
vane vane is offline
Infrequent Poster
 
Join Date: Mar 2011
Posts: 15
Default Re: Hotspot use of truecrypt ,opinions please

Quote:
Originally Posted by x942
To achieve the hotkey Crash you can either use DiskCryptor (free/GPL) or modify this registry:

(From:http://pcsupport.about.com/od/tipstr...makebsodxp.htm)

And finally a little C# script that can do the same:

To prevent data leaks FDE is pretty much the only way. I would say use FDE and Encrypt the entire Flash Drive as well. Then use CCleaner and FileShreder/Eraser to clean up windows once in a while.
Thanks for the code, I have some solutions to try out now.
I think I'll do away with the flash drive; if I go for system encryption I can do my things in the OS. I don't want to go for FDE as yet, I'll try system encryption first, I think.
  #10  
Old March 31st, 2011, 06:00 PM
dantz dantz is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 577
Default Re: Hotspot use of truecrypt ,opinions please

RE emergency shutdown: It's not realistic to think that you'll be able to enter a system-crashing hotkey combination right before a thief tries to steal your computer. You'd have to be a mind reader! More likely the thief would wait until you looked away or stepped away, then they'd quietly grab your computer and run.

Assuming that most "grab and run" thieves would quickly close the laptop's lid in order to conceal their prize and aid their getaway, here's what you can do to help protect your sensitive data:

1) Store all sensitive data in a TrueCrypt volume such as a file container
2) Make sure the TC background task is enabled
3) Set up your laptop to enter power-saving mode whenever the lid is closed
4) Set TrueCrypt's preferences to forcefully auto-dismount all open volumes when entering power-saving mode.
5) In case the lid doesn't get closed during the theft, you can also specify that a forcible auto-dismount will occur after a short period of inactivity. Most thieves won't be using the stolen computer for awhile, as they have to get away from the area first.
  #11  
Old April 1st, 2011, 07:16 AM
vane vane is offline
Infrequent Poster
 
Join Date: Mar 2011
Posts: 15
Default Re: Hotspot use of truecrypt ,opinions please

Quote:
Originally Posted by dantz
RE emergency shutdown: It's not realistic to think that you'll be able to enter a system-crashing hotkey combination right before a thief tries to steal your computer. You'd have to be a mind reader! More likely the thief would wait until you looked away or stepped away, then they'd quietly grab your computer and run.

Assuming that most "grab and run" thieves would quickly close the laptop's lid in order to conceal their prize and aid their getaway, here's what you can do to help protect your sensitive data:

1) Store all sensitive data in a TrueCrypt volume such as a file container
2) Make sure the TC background task is enabled
3) Set up your laptop to enter power-saving mode whenever the lid is closed
4) Set TrueCrypt's preferences to forcefully auto-dismount all open volumes when entering power-saving mode.
5) In case the lid doesn't get closed during the theft, you can also specify that a forcible auto-dismount will occur after a short period of inactivity. Most thieves won't be using the stolen computer for awhile, as they have to get away from the area first.
A very good suggestion. Following this line of thought, the simple solution would be to use system encryption and choose in Win power options "what to do when the lid is closed": Shutdown.
No volumes/containers have to be dismounted; the system is encrypted again after shutdown, so I don't have to worry about plaintext remnants etc.
To prevent nagging about waiting applications, I could use this:
"The following command would shut down instantly.
%windir%\System32\shutdown.exe -s -f -t 00 "
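
Added example, not part of any post in this thread: a PowerShell sketch that reports the Windows settings behind the disk-write paths raised above (crash dumps, page file, hibernation, the CrashOnCtrlScroll hotkey) and sets the lid-close action to Shutdown as the last post proposes. The function names `Get-LeakPathReport` and `Set-LidCloseShutdown` are hypothetical; the registry values and `powercfg` aliases are standard Windows ones, and an elevated prompt is assumed.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Run from an elevated PowerShell prompt.

function Get-LeakPathReport {
    # Registry keys that control the disk-write paths discussed in the thread.
    $base  = 'HKLM:\SYSTEM\CurrentControlSet'
    $crash = Get-ItemProperty "$base\Control\CrashControl" -ErrorAction SilentlyContinue
    $mm    = Get-ItemProperty "$base\Control\Session Manager\Memory Management" -ErrorAction SilentlyContinue
    $power = Get-ItemProperty "$base\Control\Power" -ErrorAction SilentlyContinue
    $kbd   = Get-ItemProperty "$base\Services\i8042prt\Parameters" -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        # 0 = no memory dump on a BSOD; non-zero = some form of dump is written to disk.
        CrashDumpEnabled  = $crash.CrashDumpEnabled
        # Empty list = no page file configured.
        PagingFiles       = @($mm.PagingFiles | Where-Object { $_ })
        # 1 = page file is cleared during a clean shutdown.
        ClearPageFile     = $mm.ClearPageFileAtShutdown
        # 1 = hibernation is available, so hiberfil.sys can hold a RAM image.
        HibernateEnabled  = $power.HibernateEnabled
        # 1 = right Ctrl + Scroll Lock twice triggers the BSOD (value name from the thread).
        CrashOnCtrlScroll = $kbd.CrashOnCtrlScroll
    }
}

function Set-LidCloseShutdown {
    # Lid close action 3 = shut down, on both AC power and battery.
    powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 3
    powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 3
    powercfg -setactive SCHEME_CURRENT   # re-apply the scheme so the change takes effect
}

# Report only; call Set-LidCloseShutdown explicitly to change the lid action.
Get-LeakPathReport | Format-List
```

A non-zero `CrashDumpEnabled` together with a deliberately triggered BSOD means RAM contents are written to disk at the moment of the crash, which matters for the hotkey approach when the system drive is not encrypted.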