Challenge: Complete Plausible Deniability

Discussion in 'privacy technology' started by domonbayle, Oct 29, 2008.

Thread Status:
Not open for further replies.
  1. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    Here's the situation

    #1) Laptop, only one boot medium: the hard drive
    #2) Sits in an uncontrolled environment
    #3) Needs to operate as normal, not appear out of the ordinary in any way during normal usage (this means custom bootloaders that advertise themselves are out)
    #4) Dual OS load, one OS hidden. Laptop will normally boot to the "decoy OS", which will be used daily
    #5) Full encryption on the hidden OS, to keep it from being seen from the decoy OS. It would be better if the decoy OS WASN'T encrypted
    #6) Hidden OS completely locked down, impervious to attacks (keyloggers, trojans, modification, anything that might record transactions or data performed in it)
    #7) Here's the kicker: both OSes have to be Windows. I realize that this could all be done very easily with LUKS, but unfortunately I don't have that luxury


    OK, here are the ideas I've had so far

    #1) Dual OS booting w/ hidden OS = TrueCrypt or DriveCrypt Plus Pack

    a) problems: TrueCrypt advertises its bootloader 17 different ways; it's got the name plastered all over it. DriveCrypt is better; it gives an "invalid hard disk error" as a password prompt. Neither is ideal though; a blank blinking cursor would be the best solution.

    Secondary problem: rumor that if you actually use the decoy OS with DCPP, it can damage your hidden OS that's stored in free space on the main partition? Haven't confirmed this, but it could be an issue

    b) possible solutions: edit the bootloaders to get rid of all the extraneous identifying text? (possible or not, I wouldn't think they're encrypted)

    #2) Locking down the protected hidden OS

    a) some form of Deep Freeze-like program, which doesn't allow changes to the OS, and resets at every reboot
    b) the best anti-keylogger out there (this appears to be PrivacyKeyboard); this is a very important aspect of the scenario. It also needs to protect against screengrabs, RDP/VNC, and webcam snap grabs
    c) a standard antivirus for protection when the OS is running (to prevent compromise during the live state, prior to reset/reimage via the Deep Freeze-ish program)
    d) a preconfigured HIPS/firewall which is locked down to only allow specific apps to talk out of the OS
    e) A fast kill key: some keyboard shortcut, or icon that when clicked hard reboots the machine, no questions asked, no sane shutdown, just instant off and rebooting to the default dummy OS

    I'm up for suggestions on products for each of these solutions, as well as ideas on how I can lock the hidden OS down better (I think resetting on each reboot will do a pretty good job)


    Suggestions/comments/questions/insults/accusations welcomed. There are a lot of very intelligent people here, and I would value any input you have

    Thanks in advance
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Why does the hidden OS have to be Windows? That requirement practically shoots you in the foot.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Dumb question. If this is really that critical, why not just use two machines?
     
  4. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    Sadly yes :( it has to be Windows. However, if I'm operating at bootloader level, I'm not sure it matters what actual files I'm pointing to (unless you're discussing the problem that Windows filesystems don't write contiguously (expound please, I'm interested to hear your perspective))

    I believe I can secure it OK (I know, oxymoron with Windows), so if that's the issue, we can work with that. Hiding it is the most important factor
     
  5. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    As for two machines, it's a covert scenario: several normal end users who will be using the device need to not suspect anything of the laptop, but certain users need to be able to access the "added value"
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Definitely doable. But it isn't an off-the-shelf solution, it will have a large development cost.
     
  7. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    Well, I'm not looking for an all-in-one solution; I'm looking to combine a number of pre-existing solutions (as suggested in the original post) to fit my needs, not having something new designed.

    So assuming I can hack up the bootloader in DCPP or TrueCrypt to get the hidden OS bit working and fairly invisible, what would you all recommend for the various portions of locking down the hidden OS (Deep Freeze type thing, AV, anti-keylogger, etc.)?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Frankly I think you are setting yourself up for failure. If you indeed want it so secure that unauthorized users don't know it's there, then your condition #2 blows the whole thing. For example:

    One solution I can think of that is sort of workable is to get an external drive that requires fingerprint access. Then install something like VMware's Workstation. Build your VM machine on the external drive, and install and run whatever on it. Also install an innocuous VM machine on the main drive. So anyone firing up the Workstation software won't know about the machine on the external drive unless they have the right fingers.

    The flaw in that is #2. I could at the right time switch out the drives, and by the time you know it the drive is gone, and once it's out of your hands you've lost.
     
  9. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    OK, but the drive will be encrypted, so they can take it and it won't do them any good. Let's assume that's a non-issue (also, it's an SSD laptop, so good luck to them desoldering the chips from the board)
     
  10. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Vienna
    Well, if you know C++ the easiest way to go is to modify TC's bootloader; as you most likely know it's open source, so you just have to change some code lines and click compile, voilà, you've done it.

    You could get the TC bootloader to have unencrypted C and boot it if a special key is not held during boot; if it is, you get a blinking cursor and can enter the password for the OS on D, but of course you would have to have an explanation for why D is encrypted and make sure users don't use it, in order not to destroy your hidden OS.

    And you have to know that any adversary that is not a complete idiot will immediately notice your bootloader and start pulling your fingernails until you give him your password, or you don't have any left and then it starts to be fun ;)

    It's not a rumor, it's a fact.
     
  11. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    Not bad DavidXanatos. I completely forgot that TC is open source, so I wouldn't have to go hex-editing strings, but could rather just edit and recompile.

    My C++ isn't great, and I'm not sure how I would implement the "while holding down a key" business, but it sounds like a great place to start.

    Thank you very much for the first actual answer in this thread, rather than just telling me what can't be done.

    It looks like all the code to clean up that bootloader visually is in BootMain.cpp. I can clean up the ASCII, but any hints on how to trigger the "holding a key down"?


    edit: so to get around the fact that using the decoy OS will destroy the hidden OS, I should just make sure the decoy OS doesn't write to the second partition

    a la: http://img2.uploadhouse.com/fileuploads/2628/2628162bdbb78074b78614cad21b49f17afd0ef.png

    If I just put some junk files in there, make it look like an OEM restore partition (heck, I might even be able to make it a working OEM restore partition, that would look good), then write-protect the partition / delete the drive letter within the decoy OS. Any reason that shouldn't work?
     
    Last edited: Oct 29, 2008
  12. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Vienna
    I believe TC's bootloader code already has a variable that you have to set to 0 or 1 (the opposite of whatever is set normally) to remove all text without editing the strings.
    I'm not sure how to get the hold-key part; that is a part I didn't look into,
    and the last time I was writing something that wasn't designed to run under Windows was over 5 years ago.

    Regarding not destroying the hidden OS, yes, you just have to not write to the outer volume of it; you could remove the drive letter from that partition in the decoy OS using the Windows drive management.

    One thing I'm not sure about is how you can get an unencrypted decoy on C. I would suppose you have to encrypt C and create the hidden OS, then decrypt C keeping the hidden OS, and then restore TC's boot loader from the rescue CD.
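    The drive-letter removal described in this reply, together with the write-protect idea from post #11, as an added example that is not code from the thread or from TrueCrypt: a diskpart script driven from PowerShell, run elevated inside the decoy OS. The volume number is an assumption (a placeholder to be confirmed with "list volume" first), and the "attributes volume" commands need Windows Vista or later.

```powershell
# Added example (not from the thread). Run elevated in the decoy OS.
# Goal: make sure the decoy OS never mounts the partition that holds the
# encrypted hidden OS, never offers to "format" the RAW volume it sees
# there, and never writes to it by accident.
# $HiddenVolumeNumber is a placeholder; confirm it via diskpart "list volume"
# (the hidden-OS partition shows up with Fs = RAW and no label).

$HiddenVolumeNumber = 2   # placeholder: the diskpart volume number of the hidden-OS partition

$diskpartScript = @"
list volume
select volume $HiddenVolumeNumber
detail volume
remove all dismount noerr
attributes volume set nodefaultdriveletter
attributes volume set readonly
attributes volume set hidden
detail volume
"@

$scriptPath = Join-Path $env:TEMP 'lock-hidden-volume.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
try {
    # diskpart echoes "detail volume" before and after, so the change is visible
    diskpart /s $scriptPath
} finally {
    Remove-Item $scriptPath -ErrorAction SilentlyContinue
}

# Check: the second "detail volume" block should show
#   Read-only                : Yes
#   Hidden                   : Yes
#   No Default Drive Letter  : Yes
# and the volume should no longer appear with a letter in Explorer.
# Undo with "attributes volume clear readonly" / "clear hidden" if needed.
```

    Two caveats a practitioner should keep in mind. First, these are volume-manager attributes: they stop Explorer, autoplay and ordinary file I/O, but anything that opens the physical disk directly (imaging, partitioning or "repair" tools) bypasses them, so this protects the hidden OS against accidents, not against an administrator who decides to repartition. Second, the flags are stored in the partition table/disk metadata, not inside the encrypted volume, so the protection must be re-applied after anything that rewrites the disk layout.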
     
  13. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    Any idea where that line is? (1 or 0 to remove the text)

    http://pastebin.com/m44262104

    There's a pastebin of the relatively simple bootloader code.

    Any other help any of you could render to help me out would be greatly appreciated

    Goals:

    #1) make the bootloader look much more innocuous, just a blinking cursor
    #2) Have the decoy OS boot be either automatic, when no text is entered (just a blank password, hit Enter), or the hold-key method DavidXanatos suggested.
     
  14. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    Wow, locked threads on the TrueCrypt forum for even asking about this :/ They're really strict over there and I can't even PM the other people with the concern because it's blocked.

    Anyway, I saw you over there too DavidXanatos. Considering we've nailed down the .cpp that all this can be solved in, would you mind poking at it for a moment and just seeing if it can be quickly changed?
     
  15. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Vienna
    In BootConsoleIo.cpp you can find static int ScreenOutputDisabled = 0; just set it to 1.
     
    Last edited: Oct 30, 2008
  16. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    AHA, excellent. One problem down, one to go.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You said that both OSes have to be Windows, but you didn't say it had to be XP or an NT system. With a 9X system, you can do some pretty amazing stuff during bootup with nothing showing up on the screen. I use a batch file with a hidden menu, called from autoexec.bat, to load an alternate registry. This could easily be expanded to overwrite the Windows and Program Files directories using XXCOPY. The DOSLFN utility takes care of the truncated file name problem that's normally associated with DOS. A 9X system can be locked down just as well as an NT system using HIPS (SSM runs on 98), a rule-based firewall, and the system policy editor. Scramdisk 3.01r3c can make an encrypted partition that's not visible to Windows using Blowfish or another strong algorithm, which can be used to store the alternate system.

    Before I go any further, let me know if a 9X system is acceptable for what you're doing. DOS enables 9X users to do things that can only be dreamed of on NT systems, including what you're asking for.
     
  18. domonbayle

    domonbayle Registered Member

    Joined:
    Oct 29, 2008
    Posts:
    15
    I think I may have actually found a better solution:

    https://www.wilderssecurity.com/showthread.php?t=224119

    ^^ As detailed there, the laptop comes with a "recovery partition" that you can launch by holding a key combo on startup. It appears from my research that I can put whatever I want in there and make it bootable. So I'm going to make that my "hidden OS" partition, as it's already decently protected from within Windows, will look like something that belongs there ("PQSERVICE"), and I can then just TC that single small partition and lock it down so it'll look like a restore partition

    Going to try this tonight
     