tool that can decrypt TrueCrypt now for sale

Discussion in 'privacy problems' started by vpndude2012, Dec 24, 2012.

Thread Status:
Not open for further replies.
  1. vpndude2012

    vpndude2012 Registered Member

    Joined:
    Dec 19, 2012
    Posts:
    7
    Location:
    sweeden
    Hey, not sure if we are aloud to post hyper link, so i will post the conent of the website page, but if you goggle TrueCrypt in news, you should fine many articles. also if allowed i could post the link.


    Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored in disks and volumes encrypted with desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows 2003 and Windows Server 2008. The price tag isn’t outrageous, but EFDD will still set you back a solid $299.

    EFDD offers access to encrypted information either by completely decrypting everything or by doing so for individual files in real time. You can choose to either decrypt all files and folders stored in the cryptographic container (full, unrestricted forensic access to all stored information) or mount the encrypted volume as new drive letter for instant access (information is decrypted on-the-fly).

    ast but not least, the tool offers zero-footprint operation with no alterations or modifications to original content. If you want to get in and out without making a mess, this is particularly crucial whether you’re an investigator or a spy.

    So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You’ll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off.

    “The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys,” ElcomSoft CEO Vladimir Katalov said in a statement. “Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”

    The full feature list for EFDD is as follows:

    Decrypts information stored in three most popular crypto containers.
    Mounts encrypted BitLocker, PGP and TrueCrypt volumes.
    Supports removable media encrypted with BitLocker To Go.
    Supports both encrypted containers and full disk encryption.
    Acquires protection keys from RAM dumps, hibernation files.
    Extracts all the keys from a memory dump at once if there is more than one crypto container in the system.
    Fast acquisition (limited only by disk read speeds).
    Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents.
    Recovers and stores original encryption keys.
    Supports all 32-bit and 64-bit versions of Windows.

    Update: The title of this article previously said “cracking” but has been changed to “decrypting” to more accurately describe the tool.

    considerations is there anything we can do to safeguard with memory dumps and ram and hibernation . also should we look at other software. At 299 it wont take long for every advisory Im not sure can they also use this program with remote access?
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Re: tool that can that can decrypt TrueCrypt now for sale

    Don't fall for the misleading advertising hype. They're not actually able to decrypt TrueCrypt or other encryption programs from scratch, they're merely attempting to capture the keys and/or the passwords from running systems. These are known issues that have existed for many years. TrueCrypt's documentation discusses various approaches for dealing with these types of threats, but you have to realize that the primary function of TC and most other data encryption programs is to protect your data while it's "at rest" (i.e. volumes are dismounted or the computer is turned off), not while they're in use. The key needs to be in RAM while the volume is mounted, otherwise TrueCrypt and similar programs are unable to perform on-the-fly encryption/decryption. (If desired the password can also be cached for convenience, but that's optional.)

    The bottom line is, if your volume is mounted then it's vulnerable, just as the contents of a floor safe are more vulnerable while the door is open. By the same token, your automobile is much easier to steal if the key is already in the ignition. If you left the motor running and got out of your car and somebody quickly jumped in and drove your car away, would it be accurate for them to claim that they had developed an amazing new method that allows them to defeat automotive door and ignition locks? Could they offer their fabulous new technique for sale on the internet? Sure they could, but it would be false advertising. They didn't defeat the locks, they merely captured the keys during a vulnerable moment.

    Obvious steps, known to those who read the documentation, include not enabling hibernation unless the entire operating system is encrypted, not walking away from mounted volumes, dismounting sensitive volumes when they're not in use (which instantly wipes the key from RAM), etc.

    PS: I'm pretty sure it's ok to post the link
     
  3. vpndude2012

    vpndude2012 Registered Member

    Joined:
    Dec 19, 2012
    Posts:
    7
    Location:
    sweeden
    Re: tool that can that can decrypt TrueCrypt now for sale

    so you should never mount while on line do it when your not connected to the net?

    and how do you disable hibernation ?
     
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Re: tool that can that can decrypt TrueCrypt now for sale

    You can disabled hibernation via the command line on Windows Vista/7/8 by typing:

    Code:
    powercfg -h off
    Note: The above command will disable hibernation, delete the hiberfil.sys file, and will also disable fast startup in Windows 8.

    I will piggy back on what Dantz said about the article above being nothing more than marketing hogwash and as someone who has performed forensic analysis on encrypted machines, when your machine is in a state of rest with TrueCrypt your information is most definitely safe. Remember most data protection solutions such as Truecrypt are for protecting your information at rest (unmounted/encrypted states). As Dantz's analogy illustrated, when the drives/containers are mounted they are vulnerable.

    In terms of mounting/unmounting with an internet connection, in all honesty the chance of compromise depends on your overall security set up, if you are operating within an untrusted computing environment you do run a risk of compromise regardless of any network/internet connection present. I'll echo Dantz again as this is spot on advice:

    I feel the biggest folly most users make with TrueCrypt is not taking into account the third party applications(Microsoft Office, etc) that interact with their encrypted files. There in my opinion lies the biggest risk. Those applications unless configured otherwise write to unencrypted volumes and contain information on the encrypted container and/or the actual sensitive data itself (temporary files, etc).
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Re: tool that can that can decrypt TrueCrypt now for sale

    Yes!

    It's best to open encrypted files, and to mount encrypted volumes, only in whole-disk encrypted systems.
     
  6. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Re: tool that can that can decrypt TrueCrypt now for sale

    Question on the hiberfil.sys file on W7: is this file overwritten every time I hibernate/sleep my PC, or does it keep information of previous Hibernations/sleep?

    I ask this because when I am at home I usually put PC on sleep rather then shuttind down, while a TC partition is mounted.
     
  7. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Re: tool that can that can decrypt TrueCrypt now for sale

    I don't think this is a very wise combination. You're leaving yourself wide open to a physical intruder very easily getting all of your private info.
     
  8. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Re: tool that can that can decrypt TrueCrypt now for sale

    Please read pages 87-88 of the TrueCrypt manual ..

    Actually, read this entire chapter :
    http://www.truecrypt.org/docs/?s=security-requirements-and-precautions
     
  9. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Lets keep the discussion in one thread (referenced above). Thanks.
     
Loading...
Thread Status:
Not open for further replies.