Bitlocker, PGP and TrueCrypt Disks and containers can be cracked.

Ninja

Moderator
Anyone have any ideas whether it really works on 10-15+ symbol passwords?
Forensic Access to Encrypted BitLocker, PGP and TrueCrypt Disks and Containers

Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP and TrueCrypt. Elcomsoft Forensic Disk Decryptor allows decrypting data from encrypted containers or mounting encrypted volumes, providing full forensic access to protected information stored in the three most popular types of crypto containers. Access to encrypted information is provided in real-time.
Features and Benefits

Decrypts information stored in three most popular crypto containers
Mounts encrypted BitLocker, PGP and TrueCrypt volumes
Supports removable media encrypted with BitLocker To Go
Supports both encrypted containers and full disk encryption
Acquires protection keys from RAM dumps, hibernation files
Extracts all the keys from a memory dump at once if there is more than one crypto container in the system
Fast acquisition (limited only by disk read speeds)
Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents
Recovers and stores original encryption keys
Supports all 32-bit and 64-bit versions of Windows

Access Information Stored in Popular Crypto Containers

ElcomSoft offers investigators a fast, easy way to access encrypted information stored in crypto containers created by BitLocker, PGP and TrueCrypt.
Two Access Modes*

Access is provided by either decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode.
Complete Decryption

In complete decryption mode, Elcomsoft Forensic Disk Decryptor will automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to absolutely all information stored on encrypted volumes.
Real-Time Access to Encrypted Information

In real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time.

* Another program, Elcomsoft Distributed Password Recovery, allows attacking the plain-text passwords protecting the encrypted containers with a range of advanced attacks, including dictionary, mask and permutation attacks in addition to brute force.
Zero Footprint Operation

ElcomSoft offers a forensically sound solution. The tool provides true zero-footprint operation, leaving no traces and making no changes to the contents of encrypted volumes.
Three Ways to Acquire Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

By analyzing the hibernation file (if the PC being analyzed is turned off);
By analyzing a memory dump file *
By performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted).

* A memory dump of a running PC can be acquired with one of the readily available forensic tools such as MoonSols Windows Memory Toolkit
** A free tool launched on investigator’s PC is required to perform the FireWire attack (e.g. Inception)
Acquiring Encryption Keys

Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.

If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.

If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such a tool is permitted (e.g. the PC is unlocked and the logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition. A good description of this technology (and a complete list of free and commercial memory acquisition tools) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or the logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/), and offers near 100% results because the FireWire protocol implementation enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.

Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.
Supported Disk Encryption Tools

Elcomsoft Forensic Disk Decryptor works with encrypted volumes created by current versions of BitLocker, PGP and TrueCrypt, including removable and flash storage media encrypted with BitLocker To Go. Supports PGP encrypted containers and full disk encryption.
Compatibility

Elcomsoft Forensic Disk Decryptor runs in all 32-bit and 64-bit editions of Windows XP, Vista, Windows 7, 2003 and 2008 Server.
(c) elcomsoft
 

lastexile

VIP moderator
It's unimportant. The container must be mounted at the time of access to the computer. This is equivalent to having access to all the information without this program.
 

vinokur

Carder
From the website:
Linear scalability with no overhead allows using up to 10,000 workstations without performance drop-off
Allows up to 64 CPUs or CPU cores and up to 32 GPUs per processing node
 

ViDoG

Professional
If you use TrueCrypt, I recommend reading this:
When a computer hibernates (or enters a power-saving mode), the content of its system memory is written to a so-called hibernation file on the hard drive. You can configure TrueCrypt (Settings > Preferences > Dismount all when: Entering power saving mode) to automatically dismount all mounted TrueCrypt volumes, erase their master keys stored in RAM, and cached passwords (stored in RAM), if there are any, before the computer hibernates (or enters a power-saving mode). However, keep in mind, that if you do not use system encryption (see the chapter System Encryption), TrueCrypt still cannot reliably prevent the contents of sensitive files opened in RAM from being saved unencrypted to a hibernation file. Note that when you open a file stored on a TrueCrypt volume, for example, in a text editor, then the content of the file is stored unencrypted in RAM (and it may remain unencrypted in RAM until the computer is turned off).
 

dum.ps

Seller of: Dumps
Just mount your drive when you're using it and dismount it when you're not, and you'll be fine.
 

Ninja

Moderator
But as I understand it, it will read keys from memory, which remain there even after dismount? At least with the old PGPDisk this flaw existed. What about now? Have they fixed it?
 

Bablo

DEER
From what I understand, if the PC is turned off then the only way to decrypt the mounted volume is by using a key stored in the hibernation file?
But if hibernation is disabled then surely this would not be possible?
 

dum.ps

Seller of: Dumps
Ninja, it stays in memory for a couple of minutes after you turn off your PC.
Quality RAM wipes much faster than normal RAM does.
 
There is a way to the key, even if hibernation is turned off. The key gets stored in the RAM and stays for a bit of time, like dum.ps said. One way they do this is to freeze the computer or store the memory in the cold to buy them time while they extract the data on another PC: the cold boot attack. There are other ways, but they're kind of high-end; too lazy to write the details. But for them to do this you have to be very high on their wanted list, as not many can do this. They would have to do a raid with the IT guys there with them at the time of arrest.
 

Thameswater

Professional
I'd like to start using this.

Any tuts or info around? I know nothing about it.
 

Bablo

DEER
Check the ultimate security guide, it's pretty detailed. But yes sb.techadvs, I know about the cold boot attack, but that has been around for some time.

This thread is suggesting that TrueCrypt containers can be cracked on their own, however.
 
Anything is possible, it just depends how high profile you are. But honestly, I don't think any of us have to worry, as most PD/state agencies don't have the resources to crack TrueCrypt encryption, or any encryption, or even to try. Most don't even have EnCase or similar products. The only people who would have the resources to try would be the Feds, but for them to invest all that time and money to outsource it to MIT or those three old guys who lead encryption in the US (forgot their names/organization), you have to be a high profile case, similar to nickjohnson I think.
 

eggdrop

Member
I use PGP and there was some glitch in the 9.x version where you could bypass the key, but that was a 100 KB file; I want to see how this can be done with 16 GB :) and 50+ chars.

http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-security-questions.html

I don't understand if your problem is that you lost your pass, or you want to decrypt a stolen one, or the case where the feds get your PC (in this case the question is how they got you).
 

Badger

RIPPER
From what I understand, if the PC is turned off then the only way to decrypt the mounted volume is by using a key stored in the hibernation file?
But if hibernation is disabled then surely this would not be possible?

When you shut down the PC, TrueCrypt deletes the key stored in RAM as part of the shutdown process so that it cannot be extracted later.

http://www.truecrypt.org/docs/unencrypted-data-in-ram

When a non-system TrueCrypt volume is dismounted, TrueCrypt erases its master keys (stored in RAM). When the computer is cleanly restarted (or cleanly shut down), all non-system TrueCrypt volumes are automatically dismounted and, thus, all master keys stored in RAM are erased by the TrueCrypt driver (except master keys for system partitions/drives — see below). However, when power supply is abruptly interrupted, when the computer is reset (not cleanly restarted), or when the system crashes, TrueCrypt naturally stops running and therefore cannot erase any keys or any other sensitive data. Furthermore, as Microsoft does not provide any appropriate API for handling hibernation and shutdown, master keys used for system encryption cannot be reliably (and are not) erased from RAM when the computer hibernates, is shut down or restarted.**

To summarize, TrueCrypt cannot and does not ensure that RAM contains no sensitive data (e.g. passwords, master keys, or decrypted data). Therefore, after each session in which you work with a TrueCrypt volume or in which an encrypted operating system is running, you must shut down (or, if the hibernation file is encrypted, hibernate) the computer and then leave it powered off for at least several minutes (the longer, the better) before turning it on again. This is required to clear the RAM.


http://www.truecrypt.org/docs/hibernation-file

notes that if you are using WDE then the issue does not matter, as your entire disk is encrypted, including the hibernation file.

Always encrypt your ENTIRE drive/OS with bootloader encryption and never leave computer on when you are not at it!
 
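A defender-side check for the exposure the TrueCrypt notes quoted above describe (the hibernation passage in ViDoG's post and the RAM/hibernation passages in Badger's): whether this host can write RAM, and with it the master key of any mounted container, into a plaintext hiberfil.sys. This is an added example, not code from the thread, Elcomsoft or TrueCrypt; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later with the BitLocker module available, and reads the HibernateEnabled registry value that powercfg toggles.

```powershell
# Added example (not from the thread, Elcomsoft or TrueCrypt).
# Audit: can this host dump RAM into an unencrypted hibernation file?
# Assumes: elevated PowerShell, BitLocker module present (Windows 8 / Server 2012+).

function Get-HibernationExposure {
    $systemDrive = $env:SystemDrive                    # e.g. "C:"

    # HibernateEnabled is the registry value behind "powercfg /hibernate on|off".
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernateOn = [bool]$power.HibernateEnabled

    # hiberfil.sys is hidden+system; File.Exists ignores attributes, so it finds it.
    $hiberfil = Join-Path $systemDrive 'hiberfil.sys'
    $hiberfilPresent = [System.IO.File]::Exists($hiberfil)

    # Is the volume holding hiberfil.sys itself fully protected by BitLocker (WDE)?
    $osVolumeEncrypted = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $systemDrive -ErrorAction Stop
        $osVolumeEncrypted = ($vol.ProtectionStatus -eq 'On') -and
                             ($vol.VolumeStatus -eq 'FullyEncrypted')
    } catch {
        # No BitLocker module or not elevated: treat the OS volume as unprotected.
        Write-Verbose "BitLocker status unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        HibernateEnabled  = $hibernateOn
        HiberfilPresent   = $hiberfilPresent
        OsVolumeEncrypted = $osVolumeEncrypted
        # True: a hibernate (or a stale hiberfil.sys) can leave RAM contents,
        # including a mounted container's master key, on an unencrypted disk.
        Exposed           = ($hibernateOn -or $hiberfilPresent) -and -not $osVolumeEncrypted
    }
}

$result = Get-HibernationExposure
$result | Format-List
if ($result.Exposed) {
    Write-Warning ('hiberfil.sys is not covered by full disk encryption. ' +
                   'Encrypt the OS volume or disable hibernation: powercfg /hibernate off')
}
```

A stale hiberfil.sys with hibernation disabled is still reported, since the file on disk is what an offline analysis reads, not the current power setting.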