Hey Folks,
Today something different: an imaginary scenario that might have occurred to many of you and that will definitely be very interesting to discuss.
Okay, so we run an "Encrypted Disk Detector" script or any other piece of code that helps determine whether a live, logged-on machine is indeed encrypted or not. Smashing, so the drive looks like it's encrypted. We've got two options here:
a) take a logical image of the drive, which will then reveal all the files/folders in their original state (not encrypted), or
b) take the RAM image, then try to find the password for that encryption, and once the password comes to light, we can shut down the machine and take a physical image.
Alright, so at point b), let's say we've taken the RAM image of the Windows 7 workstation that has the encrypted container, but we don't know what encryption software was used (BitLocker, TrueCrypt etc.). How do we get the password off the volatile image? Run a string search for "passwd" in the image, or push the hibernation/page file to a commercial software..?
Let's see where this takes us.
Cheers Folks,
You can use Passware
As far as what it's doing, I haven't looked into it. But I hear it works well.
I've heard Elcomsoft Forensic Disk Decryptor does the same, can someone validate that?
Or any open source decryptors...
Thanks
We have both of these programs, and we tried to decrypt a locked logical disk via BitLocker. We did dump memory, via FireWire or with software (FTK Imager).
When we decrypt it with Passware we need to have an image of the whole disk, and after that we decrypt the memory dump and we gain a key, a restore key. We can use it to unlock the logical disk and we can set a new password. But we can't decrypt it with Passware; we need to turn on the target computer or load the image in e.g. a virtual machine.
When we tried to decrypt it in Elcomsoft, we could decrypt the memory dump alone. We gain a key, but in a specific string which can be used for decryption in Elcomsoft. Perhaps we don't need to turn on the computer or load it in a virtual machine; we can decrypt via the image. But we have a problem with our image: Elcomsoft says it cannot find partitions to decrypt. We tried to connect the HDD directly to our forensic computer but it doesn't work. We are talking about it with Elcomsoft...
Does anyone else have other experience?
@Copyright What did you use to detect the encryption? It might have provided a hint as to what was used to encrypt. What did you use to image the live system? Only one program that I am aware of will grab both the RAM and pagefile.sys from a live system; the others will grab just the RAM...
In terms of analysis, I would also point you towards Volatility to run against the dump and see what you can find...
@ForensicRanger Yes, I'm sure it's PGP encryption because it's my own device. I'm trying various keywords in a grep command hoping I can find the password. I grep'ed my real encryption password and I got one result, but it only contained the password I entered; I wanted to see the structure of how PGP stores the password. Any grep experts here? What command should I use to include "password" and whatever is before it?
I'll try Volatility.
cheers
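The search asked for above, written as an added example in Python rather than as a single grep command (this is not code from the thread). It finds every offset of a known passphrase in a raw memory image and prints the bytes on either side of each hit, rendered like a hex editor's ASCII pane, so the surrounding structure can be inspected. It assumes a plain raw dump with no container format, and it also looks for the UTF-16LE form of the string, since Windows GUI code often holds typed text that way (an assumption about where the password may live, not something the thread establishes). The sample "image" is constructed inline.

```python
"""Find a known string in a raw memory image and show what surrounds each hit.

Added example, not code from the thread. Assumes a raw dump (no container
format); the sample image below is constructed, not a real capture.
"""
import re
import string

# Bytes we are willing to show as-is; everything else becomes '.'.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def printable_view(chunk: bytes) -> str:
    """Render raw bytes with non-printables replaced by '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in chunk)


def find_with_context(image, needle: str, before: int = 32, after: int = 32):
    """Return (offset, encoding, context) for each ASCII or UTF-16LE occurrence
    of needle, sorted by offset. image may be bytes or an mmap object."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = re.escape(needle.encode(enc))
        for m in re.finditer(pattern, image):
            start = max(0, m.start() - before)
            end = min(len(image), m.end() + after)
            hits.append((m.start(), enc, printable_view(bytes(image[start:end]))))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: zero filler, a process-name
    fragment, the passphrase as an ASCII key/value pair, then the same
    passphrase as UTF-16LE with a byte-order mark in front of it."""
    secret = "CorrectHorse"
    return (
        b"\x00" * 40
        + b"PGPdisk\x00\x00"
        + b"passphrase=" + secret.encode("ascii") + b"\x00" * 24
        + b"\xff\xfe" + secret.encode("utf-16-le") + b"\x00" * 40
    )


if __name__ == "__main__":
    img = build_sample_image()
    for off, enc, ctx in find_with_context(img, "CorrectHorse", 16, 16):
        print(f"0x{off:08x} {enc:10s} {ctx}")
```

For a multi-gigabyte image, open the file with `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` and pass that object in; `re.finditer` accepts it and nothing is copied into memory. The rough command-line equivalent, which shows whole neighbouring strings rather than raw context bytes, is `strings -t x image.mem | grep -i -B2 -A2 password`.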
I'm not sure if you've come across the 'Cold Boot' attack that was the subject of this paper a few years ago.
Whilst you already have your RAM image, you may (or may not) have much success searching for a plaintext password. The paper describes techniques for searching the RAM image for RSA/AES/BitLocker cryptographic keys directly, and the source code is available to play with.
However, this assumes prior knowledge of the encryption product used. Maybe looking at volume headers on a disk image would point you in the right direction e.g. FVE-FS for a BitLocker volume. Not sure about TrueCrypt or any others though…
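The two ideas in the post above, as one added example (this is my code, not the thread's and not the cold-boot paper's own tools). AES implementations keep the expanded key schedule next to the key, so a 16-byte AES-128 key can be recognised in a memory image because the 160 bytes after it are exactly what that key expands to; the scanner tries every offset as a candidate key and gives up at the first round key that does not match. The second function classifies a volume from the 8-byte OEM name at offset 3 of its boot sector, using the "-FVE-FS-" signature of a BitLocker volume and "NTFS    " for plain NTFS; a TrueCrypt-style volume has no plaintext header at all, which is why it falls through to "unknown" and why tools like TCHunt have to rely on size and entropy heuristics instead. Assumptions: a raw dump, AES-128 only (AES-256 has a 240-byte schedule and a different expansion), and a sample "memory image" that is constructed by embedding one schedule in random filler.

```python
"""Find AES-128 keys in a memory image by recognising their expanded key
schedule, and classify a volume by its boot-sector OEM name.

Added example; not the cold-boot paper's tool. Assumes a raw dump and AES-128.
"""
import random


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the S-box (multiplicative inverse, then the affine map) instead
    of hard-coding 256 literals, so a typo cannot silently break the search."""
    inv = [0] * 256
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if _gmul(x, y) == 1)
    sbox = []
    for b in inv:
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes):
    """Yield the 11 round keys (16 bytes each) of the AES-128 key schedule."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 1
    yield key
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord and Rcon once per round
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = _gmul(rcon, 2)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
        if i % 4 == 3:
            yield b"".join(w[i - 3:i + 1])


def schedule_at(mem, off: int) -> bool:
    """True if the 176 bytes at off are a 16-byte key followed by its own
    schedule. Returns at the first mismatching round key, so scanning is cheap."""
    for r, rk in enumerate(expand_key_128(bytes(mem[off:off + 16]))):
        if bytes(mem[off + 16 * r:off + 16 * r + 16]) != rk:
            return False
    return True


def find_aes128_keys(mem) -> list:
    """Try every byte offset as a candidate key; mem may be bytes or an mmap."""
    return [(off, bytes(mem[off:off + 16]).hex())
            for off in range(len(mem) - 175) if schedule_at(mem, off)]


BOOT_SIGNATURES = {b"-FVE-FS-": "BitLocker (FVE) volume", b"NTFS    ": "NTFS"}


def identify_boot_sector(sector: bytes) -> str:
    """Classify a volume by the OEM name at offset 3 of its first sector.
    A TrueCrypt-style volume has no plaintext signature and stays 'unknown'."""
    return BOOT_SIGNATURES.get(bytes(sector[3:11]), "unknown / no plaintext signature")


def build_sample_memory(key: bytes, seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM image: random filler with one expanded
    schedule embedded at offset 500, as an AES implementation leaves it in its heap."""
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return filler(500) + b"".join(expand_key_128(key)) + filler(300)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key
    print(find_aes128_keys(build_sample_memory(key)))  # [(500, '2b7e1516...4f3c')]
    print(identify_boot_sector(b"\xeb\x58\x90-FVE-FS-" + bytes(501)))
```

Against a real image, memory-map the file and pass the mmap object to `find_aes128_keys`; in pure Python the scan is slow per byte but the early exit means almost every offset is rejected after one round of expansion. A hit tells you which cipher and key were in use, which is usually more useful than the typed password, because the key is what the disk driver actually needs.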
To dump memory and the pagefile we used FTK Imager...
We have only test PCs, but I used Passware Kit Professional for searching for containers and it looks like it works well. And we tried Encrypted Disk Detector for detecting encrypted volumes...
We tried TCHunt too, but we have some problems with this program.
BitLocker: we find the key in the memory dump, to use for unlocking the volume, and you can change the password too (Passware).
TrueCrypt: with the memory dump and a physical image of the HDD we can decrypt the image and then we can mount it in e.g. ..., but we don't find a password... (Passware; it is very fast, about 60 GB in 20 min). Elcomsoft wrote that it cannot decrypt with these keys... ???
I've got the MEMORY DUMP of the PGP-encrypted container. Any chance I can reveal the password from this only?
What you need is a dump of the full working memory set for the PGP process, including all drivers. The decryption key is stored somewhere in their data set. Is that what you mean by "memory dump of the PGP container"?