Theoretical Question/Thought about HardDrive Encryption

Discussion in 'privacy technology' started by Jonas, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. Jonas

    Jonas Registered Member

    Joined:
    Oct 30, 2002
    Posts:
    46
    Ok, excuse me if this sounds stupid, but I have been trying to read and learn all I can about encryption, particularly full hard drive encryption à la DCPP, SafeBoot, etc.

    The question that arose in my mind was: what does the encryption do? If you install DCPP on your computer it will encrypt the drive sector by sector, and all the information on that drive. My understanding of computer forensics is that investigators can recover files that have been deleted and even overwritten a number of times using special microscopes. So what about all the data you have on your computer when you install a new total hard drive encryption package? It just overwrites your old data with the new encrypted data. So wouldn't those same computer forensic techniques be able to recover some of your original files and data?

    I guess my question is that full hard drive encryption seems like it would only be secure if you installed it on a brand new drive or a recently sanitized drive, something I don't know if people take into consideration. Simply installing DCPP, for example, to encrypt the data on your drive still leaves you open to forensic examiners. Also, I take it that once installed, all future data would only be written in cipher, so that should be secure.


    Just thinking out loud and waiting for replies..

    Best wishes,
    Jonas
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Jonas!

    Let's say it like this: forensic investigators could recover your deleted hard disk which was encrypted with DCPP, but it would still be encrypted. They would still have to crack the encryption!

    To be honest with you, I believe that intelligence services are able to crack this encryption (they use supercomputers), but that's why you don't just use one encryption tool. Make the life of such bastards as hard as possible! If you use DCPP and besides that PGP or something else for sensitive data, they would just come to the next closed door! ;)

    I hope that helps so far! If you need further information let me know!

    Regards,

    Patrice
     
  3. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I like this question :D , a thought that has not yet crossed my mind!

    When we're dealing with corrupted hard disks we take all kinds of precautions to prevent the recovery of data that still resides on the disk or that ever existed on it. We are indeed always warned that even overwritten data can be recovered given the correct tooling.
    I once tried this with a tool (Lost and Found by PowerQuest) and I was amazed at the data that such a tool can find. Most of it unusable though.

    Encrypting the existing data will probably be sufficient to get the security you want. The data is overwritten by a (sort of) random pattern. Whether the underlying data can still be found... I don't know. It's a possibility, otherwise why would file shredders exist?

    One word of warning, though: one of the tools I used kept the encryption key on disk (we used full disk encryption). This part and the MBR were the only unencrypted disk sectors. But since the key was there, we made an estimated guess that using a supercomputer, deciphering would cost some 3 months. But that was 4 years ago :p
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi meneer!

    File shredders overwrite the data on the hard disk with 0s and 1s, so that it is useless. Forensic investigation wouldn't help you much. Well, it depends though on how many times you have overwritten the place on the disk. Here's a little advice on that:

    - 3 passes for personal use
    - 10 passes for commercial use
    - 18 passes for military use
    - 26 passes for maximum security

    You know why most of the files you recovered were useless? Because you had already overwritten them with new data. Only parts of them were still there.

    And about the supercomputers: no one knows exactly how fast they are. But let's say it like this, they are the fastest, most sophisticated computers which exist in this world (I think there are just two of them at the moment, but I'm not sure...). I'm pretty sure that it wouldn't take that long to hack the keys. But you can make it more difficult for them by using secure passwords. Passwords should contain combinations of letters/numbers/special characters and in my opinion be very long. I prefer passwords with more than 14 characters.

    I tell you, you learn a lot about security from trying to hack your own passwords. Try a brute-force attack on your passwords once and see how long it takes.

    Best regards!

    Patrice
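
Added example, not from any post in this thread: a small brute-forcer you can run against your own password to see what Patrice is describing, plus the keyspace arithmetic for his "14+ characters, all character classes" advice set beside the 128-bit key meneer mentions later. The password-to-key step is modelled with PBKDF2-HMAC-SHA256 at a deliberately tiny iteration count so the demo finishes in seconds; that choice, the constructed salt and the 10^12 guesses/second attacker are assumptions of this example, not facts about DCPP, SafeBoot or any real product.

```python
import hashlib
import hmac
import itertools
import string
import time

# Alphabets Patrice describes: letters, digits and special characters.
ALPHABETS = {
    "lowercase": string.ascii_lowercase,                              # 26 symbols
    "lower+digits": string.ascii_lowercase + string.digits,           # 36 symbols
    "mixed+digits+symbols": string.ascii_letters + string.digits
    + string.punctuation,                                             # 94 symbols
}
ITERATIONS = 1  # assumption: tiny so the demo runs fast; real KDFs use thousands or more


def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for the password-to-key step of a disk encryption product.
    PBKDF2-HMAC-SHA256 is an assumption of this example; the thread never
    says which KDF the products discussed actually use."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def brute_force(target: bytes, salt: bytes, alphabet: str, max_len: int,
                iterations: int = ITERATIONS):
    """Try every string over `alphabet` up to `max_len` characters, shortest
    first, until the derived key matches `target`.
    Returns (password, guesses_made) or (None, guesses_made) if exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo).encode()
            guesses += 1
            if hmac.compare_digest(derive_key(candidate, salt, iterations), target):
                return candidate.decode(), guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters; the shorter ones
    an attacker also tries are dominated by this term."""
    return alphabet_size ** length


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


def measured_rate(salt: bytes = b"constructed-salt", seconds: float = 0.2,
                  iterations: int = ITERATIONS) -> float:
    """Measure how many guesses per second this machine manages, the number
    you need to turn keyspace() into a time for your own password."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_key(b"x", salt, iterations)
        n += 1
    return n / (time.perf_counter() - start)


def password_report(length: int = 14, alphabet_size: int = 94,
                    guesses_per_second: float = 1e12) -> dict:
    """Years for a hypothetical 10^12 guesses/s attacker to exhaust a
    14-character all-classes password, versus the 2^128 key space of a
    128-bit disk key. Both numbers are upper bounds: a weak or guessable
    password falls far sooner than its keyspace suggests."""
    return {
        "password_years": years_to_exhaust(keyspace(alphabet_size, length),
                                           guesses_per_second),
        "aes128_key_years": years_to_exhaust(2 ** 128, guesses_per_second),
    }


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample salt
    found, tried = brute_force(derive_key(b"ab1", salt), salt,
                               ALPHABETS["lower+digits"], 3)
    print("recovered:", found, "after", tried, "guesses")
    print("this machine:", int(measured_rate()), "guesses/s at", ITERATIONS, "iteration(s)")
    print(password_report())
```

The report shows why meneer's later distinction matters: at the same guess rate a 14-character password over 94 symbols falls in the order of 10^8 years, while the 128-bit key behind it is around 10^10 times harder still, so the password, not the cipher key, is the door an attacker will push on. Raising `ITERATIONS` to a realistic value makes `measured_rate()` drop accordingly, which is the whole point of a slow KDF.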
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Hi Patrice,

    the theoretical question remains: in the case of full disk encryption of a disk that already contains data, overwriting the cleartext files one time with the encrypted text is not the same as overwriting 1, 3 or 10 times with a random 0/1 bit pattern... ?

    When I mentioned using a supercomputer to decipher the key, I did not mean to crack my password, but to crack the 128-bit key used for disk encryption. Cracking my password is not a trivial matter, but it certainly won't take 3 months on a supercomputer :)
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi meneer!

    Ahh... now I get what you meant! You mean that when you buy DCPP and install it on your computer (where the OS and other programs are already installed) someone could still read information out of it, right? Well, to be honest, I don't know! I'm not using DCPP, but this would be a nice question for DriveCrypt's support! Why not ask them this question? Do you want to ask it or shall I do that?

    Best regards!

    Patrice
     
  7. Jonas

    Jonas Registered Member

    Joined:
    Oct 30, 2002
    Posts:
    46
    Yes, hello Patrice and Meneer,

    I work in criminology and my forensic friends say the day is here that even 7x overwriting can be recovered, not just with software but with hardware (special microscopes). I am sorry if my original post was unclear at first, but I see we are all on the same page now. The question is still unanswered and seems in theory to suggest that full disk encryption is only really secure when installed on a new disk or a VERY sanitized one. I hope to hear others on this issue, as it seems to be a security precaution not mentioned before, to the best of my knowledge.

    Peace,
    Jonas
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Jonas & meneer!

    Guess what, I wrote to DriveCrypt's support. Here's their answer:

    "I don't think the average computer forensic analyst has the equipment available to try and "depth read" the sectors to recover data previously stored on a hard drive, when new data has been written to it. I believe such equipment is extremely expensive, involving electron microscopes, and the hard drive has to be physically dismantled.... and even then I understand that after a few write cycles the data cannot be recovered easily with such equipment

    Average forensic people just use programs like "EnCase"

    www.guidancesoftware.com

    which doesn't do anything all that clever, just accesses the disk sectors via the OS....

    Still, if you are paranoid a new hard drive is the way to go. Install the OS, and then FULL encrypt it. Then only the OS could ever be in the clear...


    Regards,
    Shaun."

    Hope that helps...

    Best regards!

    Patrice
     
  9. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Hi Patrice, Jonas,

    thanks for your answer.

    For recovery you can also visit this site:
    http://www.ibas.com/recovery/data-recovery-services.htm, they claim a very high degree of success...

    So that leaves two questions:
    If DriveCrypt is right and recovery tools are scarce, what's the use of file shredders (I mean the software version :) ?
    If DriveCrypt is wrong: why use any encryption tool (yes, any... as every file is stored on disk once, in temp, or another cache)?

    It seems to me that DriveCrypt's answer shows that they too have no clue. This calls for a test, don't you think :D
     
  10. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi meneer!

    Sorry, but I don't see it like that! These guys know exactly what they are talking about. Go to their site once and check out who is in the team. You will soon realize that they know what they are doing.

    The use of file shredders is still very important. Why? If someone gains access to your system (quite easy if you haven't encrypted the whole hard disk with DCPP) he can run such forensic tools. There he will easily find all the data you tried to delete. If you use shredders (more than 7 passes), he won't find any data which is still intact (but nevertheless he has control over your system...).

    Encryption tools help you hide your sensitive data. If someone has access to your system, he still has to crack the encryption. Quite difficult, or let's say quite impossible (if you use a highly encrypted key and good encryption software with no backdoor).

    The answer of the DriveCrypt support was just answering the question of whether someone could still find some data on the computer if DCPP is not installed right after Windows has been installed. And they are answering about such highly sophisticated forensic microscopes. Yes, they are able to find some data left there, but the longer you use the encrypted version of Windows, the less probable it is that they find any data which is still intact. But if you already had encrypted files (sensitive data) on your machine and you install DCPP later on, they still aren't able to read this data.

    I hope you understand now what the DriveCrypt support meant. ;)

    Best regards!

    Patrice
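
Added example, not from any post in this thread and not DriveCrypt's code: a sector-level simulation of the scenario meneer (post 5), the DriveCrypt support reply (post 8) and Patrice (post 10) are arguing about. It builds a small constructed disk image with the remains of a deleted file in an unallocated sector, carves printable strings from it the way a logical tool that "just accesses the disk sectors via the OS" would, then encrypts the used disk in place sector by sector and carves again. The per-sector cipher is a toy HMAC-SHA256 keystream standing in for whatever DCPP really uses (the thread does not say), the skipped boot sector models the unencrypted MBR meneer mentions, and all disk contents are constructed sample data. Physical remanence under a microscope is outside what software can show; this only covers what sector-reading tools see.

```python
import hashlib
import hmac
import os
import re

SECTOR = 512                                              # bytes per sector
SECRET = b"SECRET MEMO: deleted last week, never wiped"   # constructed sample data
MBR_MARK = b"MBR-BOOTCODE-EXAMPLE"                        # constructed sample data


def build_disk_image(sectors=16):
    """Construct a toy used disk: boot code in sector 0, a live document in
    sector 3, and the bytes of a deleted file still sitting in the
    unallocated sector 9. Everything here is constructed for the example."""
    img = bytearray(SECTOR * sectors)
    img[0:len(MBR_MARK)] = MBR_MARK
    live = b"Quarterly report: nothing sensitive in here."
    img[3 * SECTOR:3 * SECTOR + len(live)] = live
    img[9 * SECTOR:9 * SECTOR + len(SECRET)] = SECRET
    return bytes(img)


def carve_strings(image, min_len=12):
    """What a logical forensic tool does: read every sector as-is and pull
    out runs of printable text, whether the space is allocated or not."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)


def sector_keystream(key, sector_no):
    """Toy per-sector keystream (HMAC-SHA256 in counter mode, keyed by the
    sector number so identical plaintext in two sectors encrypts
    differently). A stand-in for the real product's cipher, not DCPP's."""
    blocks = []
    for counter in range((SECTOR + 31) // 32):
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:SECTOR]


def crypt_in_place(image, key, skip_sectors=(0,)):
    """Sector-by-sector in-place encryption of a used disk (and decryption,
    since XOR with the keystream is its own inverse). Every sector except
    the skipped boot sector, unallocated ones included, is overwritten
    exactly once with ciphertext: one pass, not a shredder's three or more."""
    out = bytearray(image)
    for n in range(len(image) // SECTOR):
        if n in skip_sectors:
            continue
        ks = sector_keystream(key, n)
        base = n * SECTOR
        for i in range(SECTOR):
            out[base + i] ^= ks[i]
    return bytes(out)


def shred_sectors(image, sectors, passes=3):
    """What a file shredder does to the space a deleted file occupied:
    overwrite it `passes` times with random bytes. Unlike encryption, there
    is no key under which the old content ever comes back."""
    out = bytearray(image)
    for n in sectors:
        for _ in range(passes):
            out[n * SECTOR:(n + 1) * SECTOR] = os.urandom(SECTOR)
    return bytes(out)


def remnant_visible(image):
    """True if the deleted file's text can still be carved from the image."""
    return any(SECRET in s for s in carve_strings(image))


def demo(key=b"example-key-not-for-real-use"):
    """Run the thread's scenario and return what a sector-level tool sees."""
    used_disk = build_disk_image()
    encrypted = crypt_in_place(used_disk, key)
    decrypted = crypt_in_place(encrypted, key)
    shredded = crypt_in_place(shred_sectors(used_disk, [9]), key)
    return {
        "before_encryption": remnant_visible(used_disk),
        "after_in_place_encryption": remnant_visible(encrypted),
        "boot_sector_still_clear": any(MBR_MARK in s for s in carve_strings(encrypted)),
        "after_decryption_with_key": remnant_visible(decrypted),
        "shredded_before_encryption": remnant_visible(crypt_in_place(shredded, key)),
    }


if __name__ == "__main__":
    for observation, seen in demo().items():
        print(f"{observation:32s} deleted memo carvable: {seen}")
```

Two things the run makes concrete. First, after the in-place pass a sector-reading tool finds no trace of the deleted memo, only the skipped boot sector in the clear, which is the DriveCrypt support position for everything short of a microscope. Second, the remnant has been hidden, not destroyed: decrypting with the key brings the pre-encryption deleted file back along with everything else, so anyone who later obtains the key (cracked, coerced or read off an unencrypted key sector as in meneer's post 3) also gets the old unallocated data. Shredding the unallocated space before encrypting is what actually removes it, which is Patrice's answer to why shredders still matter.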
     
  11. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I'm impressed ;)

    Thanks for your trouble !
     