One of the things you can do to protect your data is to use encryption. You can encrypt individual files, create a container to move files into, or encrypt a partition or disk. The main benefit of encryption is that a key, usually a password, is needed to access the data. Password protecting a zip file is a basic form of encryption; more advanced encryption can protect the whole system, including the operating system partition, from unauthorized users.
While it is important to pick a secure password during setup to prevent third parties from guessing or brute forcing it, there may be other means of gaining access to the data.
Elcomsoft has just released its Forensic Disk Decryptor tool. The company states that it can decrypt the information stored in PGP, BitLocker and TrueCrypt disks and containers. Note that local access to the system is required for one of the methods used by the program to work. Encryption keys can be acquired by three means:
The encryption key can only be extracted from the hibernation file or memory dump if the container or disk has been mounted by the user. If you have the memory dump file or hibernation file, you can start the key search easily and at any time. Note that you need to select the right partition or encrypted container in the process.
If you do not have access to a hibernation file, you can create a memory dump easily with the Windows Memory Toolkit. Just download the free community edition and run the following commands:
Run the forensic tool afterwards and select the key extraction option. Point it to the created memory dump file and wait until it has been processed. The program should then display the keys it found.
Elcomsoft's Forensic Disk Decryptor works well if you can get your hands on a memory dump or hibernation file. All attack forms require local access to the system. It can be a useful tool if you forgot the master key and desperately need access to your data. While it is quite expensive at €299, it may be your best hope of retrieving the key, provided that you are using hibernation or have a memory dump file that you created while the container or disk was mounted on the system. Before you make a purchase, run the trial version to see if it can detect the keys.
You can disable the creation of a hibernation file to protect your system from this kind of attack. While you still need to make sure that no one can create a memory dump file or attack the system using a FireWire attack, it ensures that no one can extract the information when the PC is not booted.
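To check a Windows machine for the hibernation exposure described above, and optionally turn hibernation off, a PowerShell sketch like the following can be used. It is an added example, not part of the original article; the function name `Get-HibernationExposure` and its `-Disable` switch are illustrative.

```powershell
# Added example: audit (and optionally disable) hibernation on a Windows host.
# Function and parameter names are illustrative, not from the article.
function Get-HibernationExposure {
    [CmdletBinding()]
    param(
        # Run "powercfg /hibernate off" if hibernation is still in use.
        [switch]$Disable
    )

    # HibernateEnabled is 1 when hibernation is turned on, 0 when it is off.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $enabled  = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled `
                    -ErrorAction SilentlyContinue).HibernateEnabled

    # hiberfil.sys is a hidden system file in the root of the system drive;
    # enumerate the directory with -Force so it is listed.
    $hiberfil = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Force -File `
                    -Filter 'hiberfil.sys' -ErrorAction SilentlyContinue

    $exposed = ($enabled -eq 1) -or [bool]$hiberfil

    if ($Disable -and $exposed) {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
        if (-not $principal.IsInRole($adminRole)) {
            throw 'Disabling hibernation requires an elevated PowerShell session.'
        }
        # Turns hibernation off, which also removes the existing hiberfil.sys.
        & powercfg.exe /hibernate off
        if ($LASTEXITCODE -ne 0) {
            throw "powercfg failed with exit code $LASTEXITCODE"
        }
        return Get-HibernationExposure   # report the state after the change
    }

    [pscustomobject]@{
        HibernateEnabledValue = $enabled          # $null if the value is absent
        HiberfilPresent       = [bool]$hiberfil
        HiberfilLastWritten   = $hiberfil.LastWriteTime
        HiberfilSizeBytes     = $hiberfil.Length
        Exposed               = $exposed
    }
}
```

Run `Get-HibernationExposure` to audit only, or `Get-HibernationExposure -Disable` from an elevated session to switch hibernation off and re-check. A recent `HiberfilLastWritten` value means a hibernation image written while an encrypted volume was mounted may still be on disk.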
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.