Forensic tool to decrypt TrueCrypt, Bitlocker and PGP containers and disks released
One of the things that you can do to protect your data is to use encryption. You can either encrypt individual files, create a container to move files in to or encrypt a partition or disk. The main benefit of encryption is that a key, usually a password, is needed to access the data. A basic form of encryption is if you password protect a zip file, more advanced encryption can protect the whole system including the operating system partition from unauthorized users.
While it is important to pick a secure password during setup to prevent third parties from successfully guessing or brute forcing the password, it is important to note that there may be other means to gain access to the data.
Elcomsoft has just released its Forensic Disk Decryptor tool. The company states that it can decrypt the information stored in PGP, Bitlocker and TrueCrypt disks and containers. It needs to be noted that local access to the system is required for one of the methods used by the program to work. Encryption keys can be acquired by three means:
- By analyzing the hibernation file
- By analyzing a memory dump file
- By performing a FireWire attack
The encryption key can only be extracted from the hibernation file or memory dump if the container or disk has been mounted by the user. If you got the memory dump file or hibernation file, you can start the key search easily and at any time. Note that you need to select the right partition or encrypted container in the process.
If you do not have access to a hibernation file, you can create a memory dump easily with the Windows Memory Toolkit. Just download the free community edition and run the following commands:
- Open an elevated command prompt. Do so with a tap on the Windows key, typing cmd, right-clicking the result and selecting to run as administrator.
- Navigate to the directory you have extracted the memory dump tool to.
- Run the command win64dd /m 0 /r /f x:\dump\mem.bin
- If your OS is 32-bit, replace win64dd with win32dd. You may also need to change the path at the end. Keep in mind that the file will be as large as the memory installed in the computer.
Run the forensic tool afterwards and select the key extraction option. Point it to the created memory dump file and wait until it has been processed. You should see the keys being displays to you by the program afterwards.
Elcomsoft's Forensic Disk Decryptor works well if you can get your hands on a memory dump or hibernation file. All attack forms require local access to the system. It can be a useful tool if you forgot the master key and desperately need access to your data. While it is quite expensive, it costs â‚¬299, it may be your best hope of retrieving the key, provided that you are using hibernation or have a memory dump file that you have created while the container or disk were mounted on the system. Before you make a purchase, run the trial version to see if it can detect the keys.
You can disable the creation of an hibernation file to protect your system from this kind of attack. While you still need to make sure that no one can create a memory dump file or attack the system using a Firewire attack, it ensures that no one can extract the information when the PC is not booted.