[Hrgeeks] [Issa-tidewater] TrueCrypt and BitLocker cracked...
Robert Guess
rguess at tcc.edu
Tue Apr 6 10:17:02 EDT 2010
In the event that neither of these shortcuts helps, PRTK has a TrueCrypt module for brute force. I've also used PRTK to crack PGP Wholedisk encryption. Everything that one needs to crack a PGP wholedisk encrypted volume is in the first cylinder. dd the first 64 sectors to a file, drop it into PRTK and wait. If time is of the essence, look into DNA. A 5000 node license is available. ;-)
________________________________
From: hrgeeks-bounces at hrgeeks.com [hrgeeks-bounces at hrgeeks.com] On Behalf Of Harris CIV Randy L [Randy.Harris at usmc-mccs.org]
Sent: Tuesday, April 06, 2010 8:43 AM
To: Bob Hodges; Branson Matheson
Cc: issa-tidewater at sandsecurity.com; HRGeeks
Subject: Re: [Hrgeeks] [Issa-tidewater] TrueCrypt and BitLocker cracked...
Bob,
I was at the Department of Defense Cyber Crime Conference in January and one of the topics was forensics on an encrypted hard drive. Needless to say, the preferred method was to capture the PC with the user logged in and then export the encryption keys. Failing that little bit of luck, you could also image the hard drive, load it as a virtual image and then reset the operating system passwords using forensics tools provided by DoD Cyber Crime Command. If you can reset all the user account passwords to a null value, you do not need the encryption key.
As you said - lack of physical security = game over.
Regards,
Randy L. Harris, MSM
CISSP, CISA, CISM, CCSE, MCSE, SnortCP
Chief Information Security Officer
Headquarters, U.S. Marine Corps
Personal and Family Readiness Division (MRI)
3044 Catlin Avenue
Quantico, VA 22134-5099
(w) (703) 432-2974
(f) (703) 784-1249
(c) (703) 989-6631
(DSN) 378-2974
randy.harris at usmc-mccs.org
From: issa-tidewater-bounces at mail.sandsecurity.com [mailto:issa-tidewater-bounces at mail.sandsecurity.com] On Behalf Of Bob Hodges
Sent: Thursday, April 01, 2010 13:25 PM
To: Branson Matheson
Cc: issa-tidewater at sandsecurity.com; HRGeeks
Subject: Re: [Issa-tidewater] TrueCrypt and BitLocker cracked...
Unless I read this wrong, the laptop has to be up and running to retrieve the stored key in memory.
1. Physical ownership = game over
2. Why not just DD the disk if it is running? Who needs the key?
Of course I could be wrong.
-Bob-
On Wed, Mar 31, 2010 at 5:02 PM, Branson Matheson <branson at sandsecurity.com> wrote:
Hey all ...
Since this has been the subject of much discussion and the topic of not a few ISSA presentations lately.. I wanted to forward on this little gem. A bit concerning.
http://www.net-security.org/secworld.php?id=9077&utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29
All your bits are belong to us.
-b
Branson Matheson
branson at sandsecurity.com
757-320-4230