11 years ago | By --51656-- to thenextweb.com

On Thursday the Russian firm ElcomSoft announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored on disks and volumes encrypted with the desktop and portable versions of BitLocker, PGP and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista and Windows 7, as well as Windows 2003 and Windows Server 2008.

Comments

mandelbr0t

It needs a memory dump of the machine, which can be quite difficult to obtain. So while I don't doubt it's a good tool, it has limited usefulness.

D

#1 #2
"Acquiring Encryption Keys

Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.
If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.
If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such a tool is permitted (e.g. the PC is unlocked and the logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition. A good description of this technology (and a complete list of free and commercial memory acquisition tools) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.
Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/), and offers near 100% results due to the implementation of FireWire protocol that enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.
Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of the encrypted container or mount the protected disk as another drive letter for real-time access."

http://www.elcomsoft.com/efdd.html

mainichi

So, how does it work? "Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC." And what's new about that?? You need a full memory dump of the computer... come on, portable hard drive, reboot and it no longer works lol.

Paisos_Catalans

With SSD disks, hibernating is almost irrelevant given how quick a reboot is... but if someone wrote a little program that dismounts all the TrueCrypt disks BEFORE hibernating... that would be enough to turn this program into junk.
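The safeguard proposed in the comment above (dismount every TrueCrypt volume before the machine hibernates, so no volume key is sitting in RAM when hiberfil.sys is written), as an added PowerShell example that is not from this thread, from Elcomsoft or from the TrueCrypt project. It assumes TrueCrypt.exe at its default install path and relies on the switches documented in the TrueCrypt user guide (/d dismounts all volumes when no letter is given, /f forces dismount, /q runs without showing the main window); the function name, the path constant and the non-zero-exit-code-on-failure check are assumptions.

```powershell
# Added example (not from the thread or from TrueCrypt): dismount all TrueCrypt
# volumes, verify that step succeeded, and only then hibernate.
# Assumption: default install path; adjust if TrueCrypt lives elsewhere.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'

function Invoke-SafeHibernate {
    if (-not (Test-Path $TrueCrypt)) {
        throw "TrueCrypt.exe not found at $TrueCrypt"
    }

    # /d with no drive letter = dismount every mounted TrueCrypt volume,
    # /f = force (volumes with open files), /q = perform the action and exit quietly.
    $p = Start-Process -FilePath $TrueCrypt -ArgumentList '/d', '/f', '/q' -Wait -PassThru

    # Assumption: TrueCrypt signals a failed dismount with a non-zero exit code.
    # Refuse to hibernate if anything might still be mounted, because the
    # hibernation file would then contain the volume keys.
    if ($p.ExitCode -ne 0) {
        throw "TrueCrypt dismount failed (exit code $($p.ExitCode)); not hibernating"
    }

    # Dismount succeeded: write the hibernation file and power down.
    Start-Process -FilePath 'shutdown.exe' -ArgumentList '/h' -Wait
}

# Stronger alternative if hibernation is not needed at all (run as Administrator):
# powercfg /h off   removes hiberfil.sys so there is nothing to analyze offline.
Invoke-SafeHibernate
```

This only closes the hibernation-file path the quoted Elcomsoft text describes; while a volume is mounted on a running machine, the live memory dump and FireWire DMA scenarios from the same text still apply.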