A potential customer has the following problem:
1. An ex-employee left the company.
2. This employee used PGP encryption to protect the hard drive on his workstation.
3. The company does NOT have the PGP key.
With the above, I have two questions:
1. Legally, since the hard drive was the property of the company, is there a legal precedent to force the ex-employee to provide the key?
2. Failing that, is anyone aware of any methods/tools other than brute force to break the encryption and access the drive?
Thanks!
1. I'm not a lawyer…no impact, no idea.
2. A paper was just released describing how to find PGP WDE keys in memory dumps…not sure if that helps but thought I'd throw it out.
Do you know if the ex-employee used a key or a passphrase to encrypt the drive? Some places that have a policy for this also have a master key signing key set up for instances just like this…
Thanks. I will check with the company - but I suppose he used a passphrase.
Hi,
1. Legally, since the hard drive was the property of the company, is there a legal precedent to force the ex-employee to provide the key?
This might be a stupid question, but have you tried asking the employee for the key?
I don't know about your jurisdiction, but we can't in mine. A magistrate (judge) can issue an order if the key is required to recover evidence in a case, but that's about it. Alternatively, get the employer to look through the employment contract; there might be a clause legally binding the user to provide "all business records" or something similar, which you might be able to use to provide some incentives to disclose the key.
2. Failing that, is anyone aware of any methods/tools other than brute force to break the encryption and access the drive?
Apart from using a corporate ADK if it was enabled (as above), I'm not aware of anything faster than brute force. Unless the implementation is seriously broken (and AFAIK, PGP isn't), the strength of the system should be the lower of the strength of the passphrase and the strength of the algorithm (and I'm betting the algorithm won't be the weak link).
Alternatively, most enterprise data lives in more than one place; if you've got the authority to search and it's legal in your jurisdiction, I'd look for documents emailed to/from the employee in question, looking in fileservers and checking for any backups the user created (esp. on removable media around his/her former desk).
Worst case, PRTK/DNA will brute force PGP passphrases, from memory.
Hope that helps.
RedCellSecurity,
Might wanna check out this link, seems like what you are talking about
http//
Good luck.
Have a supercomputer handy? And the funds for many thousands of years required for a brute force "solution?"
If that drive is encrypted with PGP, and the passphrase is lost or otherwise not available, what you have is a paperweight.
Might want to try looking for other passwords on the computer (or specifically, by the user), and see if those or a variation of them work.
RedCellSecurity,
Might wanna check out this link, seems like what you are talking about
http://news.cnet.com/8301-13578_3-9834495-38.html
Good luck.
Thanks for the link. Interesting stuff.
I think that the case I am looking at is slightly different, in that the computer in question is company-owned. Therefore this gentleman should have to disclose the passphrase to his employer imho. We'll see how it proceeds.
Might want to try looking for other passwords on the computer (or specifically, by the user), and see if those or a variation of them work.
You're right of course, there's more chance that this government will reduce taxes before you brute force a PGP container.
Generate a 'dictionary' from his workstation for a dictionary attack, that will get it in hours or less if the chap has used a passphrase(s) using the usual keywords people use. If that doesn't get it, then unless someone knows of a specific weakness forget trying to brute-force unless you have a server farm the size of the USA.
I wonder what you ended up doing, RedCellSecurity?
The only thing I can think of is brute force/dictionary on PGP WDE.
I have something similar to yours, and I wonder what tool you used.