Industry News

World’s Most Used Encryption Technologies, Cracked in No Time with $299 Forensics Tool

With more and more sensitive data on mobile devices, software encryption has witnessed quite a boom in recent years. Backed by independent developers (such as TrueCrypt) or built into the operating system directly (BitLocker), software encryption managed to keep data away from prying eyes.

Until now.

 Russian data recovery specialist Elcomsoft, announced immediate availability [warning:pdf link] for their Elcomsoft Forensic Disk Decryptor, software that can unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. While these data containers are virtually unbreakable without the password used at encryption time, they can be easily decrypted using an unconventional approach: retrieving the key from the system memory.

By design, these encrypted volumes require a password to perform a read / write operation, but, since prompting for passwords every time a file is accessed would be a party-breaker, these encryption keys are cached (stored) in the computer memory.

The Elcomsoft tool analyzes memory dumps taken while these encrypted volumes are mounted and isolates the encryption keys. When the process is over, the forensic team (or attacker) can mount the volumes as they would normally do and authenticate with the data provided by the forensics tool.

“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys,” wrote Vladimir Katalov in a blog post. “Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”

To dump memory on a system, one needs physical access to the target computer so they can run a third party memory dumping application or to carry a FireWire attack. But this does not mean only authorized personnel (i.e. IT staff or law enforcement) can dump the memory of a computer, as memory dumps can be restored from hibernation files (i.e. if you sent your laptop to hibernation and you forgot the laptop in the cab on your way home) or partially, via cold boot attacks.

Bottom-line: this tool is a great addition for law enforcement to gather evidence against cyber-criminals who hide essential data in encrypted containers, but can also leave room for opportunistic attacks against your laptop, in case you lose it, so make sure you keep an eye on your device at all times, whether you’re using encryption or not. Or better yet, how about some highly-encrypted storage in the cloud for your critical data?

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.