back to article PGP, TrueCrypt-encrypted files CRACKED by £300 tool

ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data. Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods …


This topic is closed for new posts.
  1. Mine's a pint


    Hibernation, is it really such a boon?

    1. pixl97

      Re: Hibernation?

      If anyone has ever read the Truecrypt site and forums they would already know 2 things.

      Hibernation and encryption don't work securely together. and,

      Disk encryption doesn't protect an open encrypted volume.

      Only a system that is designed to clear the encryption key out of memory at hibernation and ask for it again when waking up is secure to go to sleep. Other then that, turn it off. I need to to experiment with SSDs using full disk encryption to see what the performance is like for full shutdowns and startups. Oh, and if you ever use a SSD on for an encrypted disk and want to change your key, move all your data off and do a factory wipe on it.

      1. Dr. Vesselin Bontchev

        Re: Hibernation?

        Precisely. And PGPDisk goes as far as to disable hibernation by default. And clears the key from memory when no longer needed. And has a timeout after which it dismounts the disk (as does TrueCrypt).

        Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you. Not to mention that it is much simpler to install a keylogger (even a hardware one) than to sniff the computer's memory.

        This whole thing sounds like a lot of self-serving hype from the part of ElcomSoft.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hibernation?

          "Plus, if this tool can sniff the disk encryption key only when the drive is mounted - what is the point? If the drive is still mounted, you can simply copy its contents - the disk encryption software will decrypt it on-the-fly for you."

          Exactly. The point is that you're tainting the evidence. I presume the way this is meant to be used is that you read the key from memory and save it somewhere such as a USB stick, then you power off the computer, make a forensic copy of the discs, and decrypt the copy with the key you have availed yourself of.

          Of course, you need prior intelligence or a keen instinct to know that encryption might be in use, as the standard forensic procedure is to walk up to the computer (take video, pics, notes, etc.) and pull the cord from the back of the machine (not the power outlet), or remove the battery in the case of a laptop or similar portable device. If you only discover that the target uses encryption by the time you have cloned the disks you'll be banging your head against the desk for a bit and eventually resort to some hopefully legalised form of rubber hose cryptanalysis.

          1. Ammaross Danan

            Re: Hibernation?

            The option to do Whole-Disk Encryption in TrueCrypt will encrypt the hibernation file as well. You are required to enter your decryption key upon start-up/resume, where it then decrypts the boot volume (with the hibernation file) and then continues to boot as normal. So even Hibernation with whole-disk encryption is safe for TrueCrypt installs.

        2. Wzrd1 Silver badge

          Re: Hibernation?

          That sounds precisely the issue.

          Self serving nonsense from a vendor trying to sell a product by precisely ignoring every precaution and probably disabling security features to induce the intended behaviour.

        3. Jaybus

          Re: Hibernation?

          Certainly it is hype. As always, no computer system can be protected from a skilled attacker when he is given physical access to a runing machine. Shall we also call the theft of a laptop a denial of service attack?.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hibernation?

        I've seen encrypted swap with hibernation work on Ubuntu.

      3. Wzrd1 Silver badge

        Re: Hibernation?

        Absolute silliness.

        First, one never caches passwords.

        Second, one ALWAYS unmounts encrypted devices before entering hibernation.

        Third, one sets up a high explosive charge on the device in hibernation, as the BOFH and I agreed was a proper security practice.

        And DO look up BOFH, if you don't know what that is before you spill idiocy in the false form of grief over the last bit of humour.

    2. The Man Who Fell To Earth Silver badge

      Re: Hibernation?

      One has to wonder if fragmenting the key in memory a different way every time, and perhaps changing how periodically, would thwart this scheme...

  2. cyke1

    300+$ for such a limited tool?

    Only thing a smart person has to do is make it to the computer and pull the power cord, and most ppl now days don't use hibernate so that route is kinda useless.

    1. FartingHippo

      most ppl now days don't use hibernate

      What do you base that on?

      Anecdotally, I'd say a hell of a lot of people still use hibernate, certainly enough to make this a big deal.

    2. frank ly

      Re: 300+$ for such a limited tool?

      I use Hibernate all the time on my Windows laptop and have done for many years. It gives a quick and simple 'back to life' experience, compared to a full Start.

    3. Captain Hogwash

      Re: pull the power cord

      On a laptop? With some juice still in the battery?

      1. Dave 126 Silver badge

        Re: pull the power cord

        I was investigating a discrepancy between [used+free space] and [total space] of roughly 8GB (his RAM size) as displayed by Explorer on my mate's Win7 computer the other day... first Google result suggested a hibernation file could be responsible. It was. He has never used hibernation, so is this file just reserve the space for OS feature, or does it actually contain RAM contents?

        No biggie, just curious.

        [Edit: Ryan's comment below would suggest that it contains RAM contents]

        1. The Indomitable Gall

          Hibernation files

          I believe that once you activate the possibility of hibernation, a file is automatically created to reserve that space. It would be a bit of a bugger if you were in a rush to leave and hit "hibernate", only to have Windows start up the "disk cleanup wizard" for you....

          1. Anonymous Coward
            Anonymous Coward

            Re: Hibernation files

            It would be a real bugger if you didn't have hibernation activated and then Windows activated and required a reboot. I could just see Clippy asking if you need help with a reboot for activating hibernation.

        2. Charles 9

          Re: pull the power cord

          What happens is that, when hibernation is enabled, a file called HIBERFIL.SYS is allocated in the boot root directory. It's as big as your RAM allocation and is created to ensure the necessary space for hibernation is ready at hand. Once you hibernate once, the file will contain the RAM contents at the point of that hibernation. I would think HIBERFIL.SYS at any given point will thus contain the RAM contents of the last hibernation.

    4. DJ Smiley

      Re: 300+$ for such a limited tool?

      The funny part is when the police cut the power prior to entering to confuse and disorinate anyone inside.

      1. Joe User

        Re: 300+$ for such a limited tool?

        On a side note: it's £299, not $299. £1 = $1.62 U.S., so that would make it $484.

        1. N2

          Re: 300+$ for such a limited tool?

          Hmm, when I check its 299 Euros in France, currently the spot rate is around 1.23 so at around 1.21 on my CC it would cost £247.11

          I wonder if those clever chaps at Elcomsoft cant do currency conversions on the fly?

  3. probedb

    Useful at all?

    How is this of any use to anyone? I'm probably being brain dead but being as it gets the key from memory so you'd have to have made someone enter the password in the first place?

    Hibernate is a non-issue as you just don't use it.

    1. Christoph

      Re: Useful at all?

      The idea is that the target is already using their computer when plod charge into the house and hope they can get to the computer before the user gets to the power switch.

      1. DJ Smiley

        Re: Useful at all?

        Anyone needing to protect their data that badly...

        1. Doesn't host it locally

        2. has self destruct mechanisms for wiping the data in an emergency. (Yes, i believe one hosting company attempted to design a system which used thermite for this purpose).

        1. Cipher

          Re: Useful at all?

          And thermite is incredibly easy to make, none of the ingredients are on any control lists either. Once it starts burning, it isn't going out easily either...

      2. Anonymous Coward
        Anonymous Coward

        Re: Useful at all?

        The problem is this has already been known for a long time and the headline amounts to nothing more than scare tactics. Truecrypt itself, when properly used, has NOT been cracked. It's utter BS.

    2. Phil O'Sophical Silver badge

      Re: Useful at all?

      > you'd have to have made someone enter the password in the first place?

      Which is exactly what the article says. You have your nice secure laptop using an encrypted disk. When you boot it, it asks for the key to access files on the disk. When you enter that key it saves it somewhere handy in RAM so you don't need to enter it again and again.

      One way around that would be to not store the key, but as the article says, you'd then get a popup asking for it every time you open a file or folder, or write to a file.

      I'd have thought an obvious fix for the hibernate/sleep situation would be for the encryption software to catch whatever "hibernate beginning" signal gets sent, and rapidly zap the key. You'd need to enter it again after wakeup, but that's no major hardship.

    3. Jon Green

      Re: "Hibernate is a non-issue as you just don't use it."

      Let's say you've only ever used Hibernate once, by accident, two years ago, and you happened to have a TrueCrypt volume mounted at the time. Now, two years later, an investigator can look at that once-used hibernation file, extract your TrueCrypt password - assuming you haven't changed it since - and have unfettered access to the current disk contents in that volume.

      It only takes one slip in the complete life history of an encrypted item to invalidate any protection against a determined foe. That's why crypto is worse than useless in less-than-expert hands - it's actually harmful, as it gives a completely false sense of security unless utterly faultless data hygiene is observed.

      1. Adam 1

        Re: "Hibernate is a non-issue as you just don't use it."

        This would only work for volume based encryption surely. If you use system encryption then hiberfile would be unreadable

  4. NoneSuch Silver badge

    Only goes to show, encryption delays access to information. It can never stop access due to its very nature.

    1. James Hughes 1


      But when the delay is long, perhaps encryption does have its place...and I believe it still takes many years (hundreds ) to brute force most decent encryption.

  5. Anonymous Coward
    Anonymous Coward

    If using Truecrypts whole disk encryption then the hibernate file will be on the encrypted partition - so inaccessible until a password is entered.

    1. pPPPP

      This ^

      If you're using whole disk encryption, then oddly enough, the whole disk is encrypted.

      Of course, if you were planning to had over the password for the whole disk, and you had encrypted containers with the really secret stuff on them, then you're at risk.

      Hibernate's a pain in the backside nowadays. With a few gigs of RAM hibernating takes ages and it's quicker to boot from scratch.

      1. Stevie

        Not True.

        My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram as of Tuesday night. As far as I can tell there is no appreciable change in hibernate time from Tuesday morning, when it had three gig.

        1. The Indomitable Gall

          Re: Not True.

          Are you using "hibernate" or "sleep"?

          Laptops have a sleep mode where the computer goes into a low power mode and keeps memory in RAM.

          "Hibernation" is possible on any PC: Windows writes the full system state to disc then powers down.

          If your computer takes a few seconds, it's just taking a nap, not bedding down for the winter, so it keeps the power connected to RAM while cutting the processor and hard-drive.

          1. pPPPP

            Re: Not True.

            Exactly. If you can hibernate 8 gigs or RAM in a few seconds you must have a super-fast hard drive. My 5200 rpm drive took minutes to hibernate 4 gigs.

        2. Anonymous Coward
          Anonymous Coward

          Re: Not True.

          'My 64-bit Win7 lappy hibernates in a few seconds and it has 8 gig of ram...."

          Really? On a laptop? Well my desktop with the hibernate file located to it's own physical drive away from the O/S drive has 16GB and it still takes in excess of 90 seconds to fully hibernate the system and a full power down. You sure you're not getting confused with sleep ( ultra low power mode but RAM still powered )?

          1. Anonymous Coward
            Anonymous Coward

            Re: Not True.

            I have a Corei5 Win7 Laptop with 6GB of Memory and a Samsung 256GB SSD - encrypted with whole disk encryption which does slow it down - at a guess maybe 20% performance degradation.

            I ran a quick test. It takes 21 seconds to hibernate. (Yes definitely hibernate not sleep)

            It resumes from hibernate in 30 seconds to the desktop with all my programs running.

            That's roughly the same time the same machine takes to boot with none of my programs running.

            Definitely worth it in my opinion. I always use it. Have used it with various machines for about 10 years. Never had a problem with it. It's just nice to start off where you left off, and also means the machine isn't sucking juice when you don't need it.

            Maybe once every couple of months I give it a reboot simply because the up time starts to become quite ramp up significantly quickly .... probably isn't necessary but kind of a habit.

          2. Anonymous Coward
            Anonymous Coward

            Re: Not True.

            TrueCrypt umounts when powersaving puts the computer to sleep, so I'll be surprised if it doesn't detect hibernate as well - has anyone checked?

  6. Ryan 7

    You might get lucky,

    And find it in pagefile.sys (or an expired hiberfil.sys), even if they disable Hibernation and pull the cord out when alerted.

    1. pixl97

      Re: You might get lucky,

      Which is why you should use full disk encryption or set your truecrypt drives to unmount themselves after some time of inactivity. When you unmount a drive Truecrypt actively erases they key from memory. Truecrypt also tries to make sure master keys don't hit the page file.

      1. Anonymous Coward
        Anonymous Coward

        Re: You might get lucky,

        Or disable swap if you have assloads of RAM?

    2. Ken Hagan Gold badge

      Re: You might get lucky,

      Previous comments have suggested that some of these products disable hibernation and others actively wipe keys prior to hibernating, so I doubt they will make the mistake of storing keys in pageable memory.

  7. Anonymous Coward
    Anonymous Coward

    As Mr ChriZ said

    If you're encrypting all of the system partition the hibernation and page file will also be encrypted, so bollocks to getting the password from there!

    Not sure how that works on non-Windows systems?

    1. bonkers

      Re: As Mr ChriZ said

      Would that really work? - it is windows that deals with "resurrection" from hibernate, and I don't think it has the option within this low-level code to put up a screen and ask you for the password? Maybe it does.

      Clearly the answer is to type the key in every time you return to the computer.

      I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.

      1. pPPPP

        Re: As Mr ChriZ said

        Windows does deal with resuming from hibernate. It doesn't deal with the Truecrypt password though. There's a boot loader in the MBR which Truecrypt uses to prompt for the password. If the password is correct, it hands over to the boot loader on the partition (ntldr or whatever....)

      2. Dave 126 Silver badge

        Re: As Mr ChriZ said

        >I find yellow sticky-notes are useful aides to remembering these sorts of tediously long numbers.

        ...whoever down-voted Bonkers for that has no sense of humour. G'dam, we should have requested a "Joke: missed" icon during the last commentard consultation.

        1. theblackhand

          Re: As Mr ChriZ said

          Maybe a picture showing a plane flying over someone head.....

    2. doveman

      Re: As Mr ChriZ said

      Not if the pagefile isn't on the System partition.

  8. jai

    that reminds me...

    must get around to installing MASSIVE electro-magnets on either side of the front door.

    although, yes, does mean my granny with the pacemaker won't be able to come visit anymore....

    1. Gordon 10

      Re: that reminds me...

      What about a suitcase EMP device under the stairs instead?

      1. Anonymous Coward
        Anonymous Coward

        Re: that reminds me...

        How about the reset button?

        Just make sure your BIOS is set to do a memory test as it boots and its all gone...

    2. frank ly

      Re: that reminds me...

      If you're really interested in doing 'dodgy stuff', you put a small networked drive under the floorboards with power and powerline data fed by cables to the underfloor mains wiring; and you encrypt it. Then, when you get your door kicked in, they take your computer and thumb drives and NAS box in the corner and DVDs and spend ages analysing them. In the meantime, you lift the floorboards and deal with the small network drive.

      Note: I am not a criminal, I'm a reasonably intelligent techie who can think about problems and propose 'solutions'.

      1. El Presidente

        Re: that reminds me...

        "Note: I am not a criminal, I'm a reasonably intelligent techie who can think about problems and propose 'solutions'."

        If I was a copper looking for IT kit in some premises I would find one powerline data plug and wonder where the other one was. Then I'd tear your house apart looking for it so not only would I get the drive I'd trash your house.

        1. Stoneshop

          Re: that reminds me...

          one powerline data plug

          As said, why would they only find one? But then, why powerline? It's almost a given you already have wireless. A small storage widget connecting to your WLAN router, with remote power off so that it won't in any way announce itself when it really shouldn't. If it doesn't have rotating disks it'll have very modest power requirements, and temperature will be of little concern either, so you could stick it in just about anything that you can get a low-voltage DC power feed to, like a garden gnome with a LED-lit lantern in its hand.

      2. Matt Bryant Silver badge

        Re: that reminds me...

        "..... In the meantime, you lift the floorboards and deal with the small network drive....." Yeah, nice idea, if only crims hadn't been hiding stuff under floorboards for centuries there is no way the coppers would think to look there! They might also get a bit suspicious when your laptop has a network drive listed which isn't amongst any collected gear.

        1. frank ly

          Re: that reminds me...

          It doesn't have to be under the floorboards; it could be incorporated into that nice electric fireplace with decorative surround. Also, you'll have other equipment with powerline data connections, as I do, such as printer, desktop computer, NAS drive.

          " ...when your laptop has a network drive listed which isn't amongst any collected gear."

          That is very easy to take care of. I'll leave you to figure it out for yourself.

          1. Matt Bryant Silver badge

            Re: Re: that reminds me...

            All very inventive, but all assuming the coppers haven't a clue, and yet the prisons are full of people that thought just that (including a fait chunk of Anonyputz "not-leaders"). Believe me, anything you can think of the coppers have probably already seen in practice.

          2. Dave 126 Silver badge

            Re: that reminds me...

            You just embed a microSD card in a floorboard, wired to some dummy nails. To access it, you place the bare ends of USB cable (stripped to the inner cables) on the heads of the nails and weigh them down.

            You don't have to be a criminal to think this way- I can't think of anything more mainstream and middle-class than musing on the details of 'perfect crimes', a la Sherlock Holmes, the creations of Agatha Christie or ITV's entire drama output.

            What was that decades-old story about a code hidden in Braille in the frieze encircling a room?

            1. Anonymous Coward
              Anonymous Coward

              Re: that reminds me...

              If you were really daft, you could just encrypt innocuous data, and tell Plod that under the data protection act you are required keep the details of third parties (your clients, for example) secure- just so you can make a snide remark about how they've been fined for failing to do the same, before giving them the key. I say daft, because police don't respond well to sarcasm.

              No matter, enjoying the news story at the moment about the Personal Protection Officer making up 'evidence' against the (then) Tory chief whip.

              Maybe the discussion here should be of ways of proving what was on your hard-disk at the time the police took it- so that nothing nasty is added after it leaves your house.

            2. Anonymous Coward
              Anonymous Coward

              If your going that overkill....

              Personally, If i lived in a large block of apartments or just a densely populated area, I'd hook up a raspberry pi somewhere in the building connected to a bluetooth adapter (or maybe in a nearby building). When the Five-0/mafia/horseman of the apocalypse arrive, execute a remote shell script that disables the bluetooth on the device and shuts the pi down. No way to track it down then? (without serious effort) Plus, the pi is stupidly small so is easier to secrete than a NAS but still has the functionality of a small PC.

              Of course, the data would still be on the card, but i'd count on the fact that nobody would find it.

              Source: I was an awesome hide and seek player.

              I can't think what dodgy stuff you would really need to hide though? :P I don't even keep sensitive information on my main PC.

      3. MachDiamond Silver badge

        Re: that reminds me...

        Looking around my computer corner, I can see putting a NAS box with wireless in the attic over the computer. It would be a project to carve out a hiding place in the concrete foundation. There is power in the attic and I would have a clear shot so the wireless could operate at max speed. If it were buried in the insulation, the coppers would have to be pretty diligent to find it (or know it was there). Going a bit further, my heater is up in the attic and an electrical box could be fitted to the side with a sticker that claims it's a "Zone Control" or some such for a nice bit of camouflage. I could run some wires to it, one of which would be an ethernet connection to my computer and it would look legitimate. The connector coming into my computer area would have to look like a standard installation and not some hacked in wiring that would raise flags.

        I don't know if the "Man" spends much time looking at how a computer in a home is wired up or not. It would seem that they will just collect the computer gear into boxes and cart it off to their "expert" or some third party they hire to have a look at what's on the drives. All this technology stuff is baffling to them. If they don't find anything, they might just guess that offending material is on "The Cloud". If you want some cover, get a storage account with Google and encrypt a load of electricity bills to put on it.

        First line of defense in this case would be to have a power switch handy. I am not too worried about getting raided as I'm not doing things that would interest the police (NSA, HLS, FBI, CIA, Interpol, NCTC, NOAA, SSA or the mall security) but I do happen to have my computer plugged into a power strip with a switch close to hand.

      4. PT

        Re: that reminds me...

        If you had any sense, you wouldn't keep the backup on your premises, encrypted or not. Standard Plod behaviour these days for all crimes from traffic tickets up is to seize everything electronic in the house, including your cell phone, and hold onto it for weeks. I'm sure in most cases they never even turn it on, they just want to cause you the maximum inconvenience. Whatever, a backup drive is no use to you if you don't have a computer to run it on. You need a full running backup computer off site in a place they don't know about.

    3. Stevie

      Re: that reminds me...

      "must get around to installing MASSIVE electro-magnets on either side of the front door."

      Lump hammer would be cheaper.

      "Lawks, it's the Peelers!"


      "Good morning officer, how may I be of assistance to you?"

      1. TRT Silver badge
        Paris Hilton

        Re: that reminds me...

        "Lawks, it's the Peelers!"


        "Good morning officer, how may I be of assistance to you?"

        "We''ve had a complaint that someone's been a very bad boy. Someone who's birthday it is today..."

        Tadada da daaaa

      2. Amorous Cowherder

        Re: that reminds me...

        @Stevie 0 15:36

        Plod: "Oh nothng much sir, we're just collecting for the Police charity fund and would like a donation. I say sir, what's that pile of smashed equipment on your living room floor? Please be careful you don't cut yourself. Have a good day sir!"

        Balls! Balls! Balls! My data! Arrrrrgh!

  9. I think so I am?

    Press power button ...

    and hold for 10 seconds or less for instant power off!

    Unless your sitting by your front door, you've got good 30 seconds before plod get you.

    But then again you can still go to jail for not handing over your pass-phrase. Hidden encrypted volume inside the encrypted drive :)

    1. Alan Brown Silver badge

      Re: Press power button ...

      alt-sysrq-b has the same effect as long as ram testing is enabled in bios.

      alt-sysrq-o may or may not be fast enough

      I've mused a cople of times about having something running which verifies nearby wifi points and/or bluetooth devices before giving access to a crypted drive.

  10. Anonymous Coward
    Anonymous Coward

    Here we again see the problem of opensource, it make it easy to break into. When will he learn?

    1. Anonymous Coward
      Anonymous Coward

      Presumably you "opensource" your passwords then, you idiot.

      1. Anonymous Coward
        Anonymous Coward

        It is the PGP opensources that here we see broken. And the many others, it is not my own password as I keep mine hidden away from the computers.

    2. Dr. Mouse

      "Here we again see the problem of opensource, it make it easy to break into. When will he learn?"

      I can't decide whether you are joking or not. I really hope you are...

    3. Anonymous Coward
      Anonymous Coward

      I'm guessing you are a troll, this has nothing about being "open source" this is about an inherent weakness in these systems that is increadibly hard to get round. Without using something like a smartcard (but you still have the big issue of the smart card being a physical object to unlock your encryption)

      The issue has been known about for years, there has been memory scrapers around for years that do the exact thing this product does..

  11. murmansk_mole
    Thumb Down

    So, this tool is not for cracking but for sniffing


    1. diodesign (Written by Reg staff) Silver badge

      Re: So, this tool is not for cracking but for sniffing

      But once successfully sniffed, you can crack on.


      1. ShadowedOne

        Re: So, this tool is not for cracking but for sniffing

        Isn't that rather like saying that once I have the key to the front door, I can pick the lock?

        1. Anonymous Coward
          Anonymous Coward

          Re: So, this tool is not for cracking but for sniffing

          "Isn't that rather like saying that once I have the key to the front door, I can pick the lock?"

          No, it's more like once I have you open the door for me with your key, then you let me take the key, go down Timpsons and come back with a copy and I can open your door as many times as I like!

      2. Dr. Mouse

        Re: So, this tool is not for cracking but for sniffing

        I would not recommend sniffing my crack.

        1. Anonymous Coward
          Anonymous Coward

          Re: So, this tool is not for cracking but for sniffing

          >sniffing my crack.



    2. sisk

      Re: So, this tool is not for cracking but for sniffing

      Do you really want to sniff cracks though?

      Yeah, yeah, I'm going.

  12. sqrt-1

    As far as I can see, the only benefit of the software is from legal point of view. Using the software requires the volume to be mounted, which means that data on the volume could be accessed/copied away, no special software required. My guess is, that in some countries (or most, IANAL) law states, that data copied from encrypted volume can't be used as a evidence, but original data can. In those cases the software would allow using of the data.

    As far as I can see, no cracking of encryption actually takes place.

    1. Anonymous Coward
      Anonymous Coward

      "As far as I can see"

      Yes, in a nutshell that's basically it.

  13. Anonymous Coward
    Anonymous Coward

    This was already known....

    There's nothing NEW here to warrant the SCARE headline. If you weren't using full disk encryption before, you were already screwed because of small clues and the page file. People also knew a mounted encrypted system wasn't safe either. If you're a dissident with something to hide, you better hook up a motion detector to power down the system if you're away ;)

  14. JaitcH

    My Toshiba powers off autoimatically ...

    when the power cord is pulled - I never bothered changing the batteries - the power outlets in the office are powered by expensive in the basement UPS + a hairy great generator.

    1. Anonymous Coward
      Anonymous Coward

      Re: My Toshiba powers off autoimatically ...

      "a hairy great generator"

      I always like my "great" generators to be very hairy!

  15. nigel 15

    decrypting a disk that is mounted

    Isn't that what the encryption software would be doing anyway?

  16. Anonymous Coward
    Anonymous Coward

    only windows?

    seems that it only runs on windows. any software that does that for mac, linux?

    1. Charles 9

      Re: only windows?

      IIRC the system RAM is a device in Linux (/dev/mem). With the right access, I think it's possible to duplicate it to a file to obtain a RAM image. Bob's your uncle from there. There's also /dev/kmem which images the kernel RAM, but I'm pretty sure TrueCrypt uses FUSE, meaning it's in userspace, so it would reside in system RAM.

      MacOS took /dev/mem out for security reasons. There seem to be ways around it if you really need it, though.

  17. mark l 2 Silver badge

    Half the time the plod are not even clever enough to know what to take and what not to take never mind know about what to do to avoid loosing encryption keys stored in memory. I know a girl whos house was raided by the police because her ex boyfriend had been doing identify fraud from there. I went around to help her clean up and the police had taken her the computer, mobile phone, usb drive, some DVD/RW and CDRs, bank statements as you would expect. But i noticed they had left a load of other stuff that i would have thought they should have taken, such as the hard drive PVR box under the TV which is essential a NAS box so you could store data on if you wished, there were lots of DVD that looked like originals because they were in cases with colour inlay cards but infact were bought from some Asian bloke down the pub so could have contained anything but they didn't even check them.

  18. Alistair
    Big Brother

    valid use:

    'ere .. scuze me PFY, come into my office fer a moment.

    Why look -- its the dear lady from HR. You appear to need a new job, good day sir.

    The only case where I can think of a legitimate use for the tool is in cases where corporate data may be in encrypted containers under an individual's control, and said individual is marched out the door. The systems involved may well be left up and running as the individual is marched out, but considering the possible issues with the dismissal, one would likely be far happier relying on the results from this tool than on either records left behind by the individual (i.e some shared password vault entry) or the individual's statement on the way out the door. (And, yes, I've sadly seen issues of this nature happen. And had to mop up from that, and would have had greatly appreciated this tool had we been dealing with encrypted containers .... think SSL certificates and apache)

    Certainly, the case of "plod investigates" is a legitimate use but as we can see from discussions here, its very likely that they'll only get so far on that front with someone that might have a clue about security. The tool clearly has its limits. Sadly, idiots abound, and this tool takes advantage of that fact.

  19. Spoddyhalfwit

    Even without full disk encryption I feel safe using Tru Crypt. I guess it depends on what you're trying to hide.

    If its just a few piccies of Linda Lusardi with her jugs out I doubt anyone is going to be buying software for 300 bucks to have a free peek.

  20. jason 7

    I always say.....

    ...encryption is just there to stop the guy who nicked/found your laptop on the train, taking a look at what's there before he wipes it and sticks something else on it or hands it in to the relevant parties.

    If you have data that requires a greater level than that then speak to someone else or change your data policies on remote equipment.

    1. Ramiro
      Thumb Up

      Re: I always say.....

      I was halfway posting very much the same comment, but saw yours.

      I had also considered giving you laptop to relatives, and forgetting to wipe the disk, and having everyone in the family having a laugh at your "media files"...

  21. Dazed and Confused

    Needs Firewire

    So another way to protect yourself would be a piece of SW which automatically detected when something was plugged into the FW (or other interface dumb enough to allow direct memory access) and wiped the key from memory.

  22. MissingSecurity

    So basically...

    This is the same as you cloning a live system's RAM with tools (such as the SANS Sift Kit) than digging through it with a HEX editor to find the passphrase, except you can spend 300$ and only do this on Windows, with a few points and clicks...

    The caveat here is that it doesn't need to be live, you just needed to hibernate at some point with your Encrypted Mount Point, mounted.

    Can't we already do this with opensource tools? (IE Your Linux Distribution of choice)

  23. Someone

    Solution: TRESOR

    Although, it’s limited* and fiddly to use. We’re really waiting on CPU manufacturers to provide explicit on-die solutions.

    For all the talk of on-site digital triage and making memory dumps, of the accounts I’ve read, the police power everything down as soon as possible. The current thinking is to preserve any disk-based evidence and prevent remote access, with encryption rarely being encountered. If the police have surveilled you enough to know they should leave your computer switched on, they probably already have enough information that they don’t need Forensic Disk Decryptor.

    *There’s a version for x86 without AES-NI, but it has a speed penalty and is limited to AES128.

  24. Daniel B.

    FileVault 2 defeat ElcomSoft Tool!

    pmset -a destroyfvkeyonstandby 1 hibernatemode 25

    'Nuff said. Can't get a crypto key that never, ever leaves RAM, and if the MBP is in sleep mode, the RAM's powered off as well. Looks like this was a damn fine setting after all!

  25. Anonymous Coward
    Anonymous Coward


    You do realise that powered off BT/wifi devices can be detected by resonant sweep right?

    Essentially they absorb power in the ceramic antenna, so a nearby transceiver will be able to sense a drop in transfer efficiency which allows the hidden device to be located by triangulation.

    1. <shakes head>

      Re: Interesting

      you just put a big box of old wifi kit on top of the hiding place.

  26. Anonymous Coward
    Anonymous Coward

    The main and only weakness of crypto containers is human factor.


    The main and only weakness of crypto containers is human factor.


    The main and only weakness of crypto containers is gun control.



    1. Anonymous Coward
      Anonymous Coward

      Re: The main and only weakness of crypto containers is human factor.

      better vote me up, I could use it.

  27. Electrohippy

    Go backwards with storage technology - not forwards!

    If I may suggest a more sensible approach to this problem. Save all your sensitive data using old computer equipment to "vintage" media including an IBM RAMAC, 5¼" floppies (hard-sectored preferably), Syquest drives, Sony MD-DATA, Philips audio cassette, VHS video cassette, punched paper tape and the like.

    Most of today's up-and-coming fresh-faced young forensic investigators don't even recognise half of these as computer media, let alone have any knowledge about how to read them, even if they have the fully operational machine right in front of them with a copy of any passwords that may have been used.

    True it takes me 3 hours to access a pic from a set of microcassettes on my Epson HX-20 p0rn collection (also vintage of course). Can be frustrating at times. But whatever.

    1. Stoneshop

      Re: Go backwards with storage technology - not forwards!

      True it takes me 3 hours to access a pic from a set of microcassettes

      And how many of them do you need to store one Scarlett Johansson snap?

  28. Jo 5

    nested encryption

    You can defeat this and any future vulns by having an encrypted operating system inside a encrypted partition, then within that create an encrypted partition, and then within that create what Trucrypt call a hidden encrypted partition. Use 4 different passphrases.

    But if the russian mafia or the cia special interrogation unit want you to give up your passphrases with a hot iron and some pliers, or a wet towel, then even if you are andy mcnabb you will eventually be handing them over.

  29. Anonymous Coward
    Anonymous Coward


    Elevated command prompt:

    powercfg -h off

    Removes Hibernation and Hybrid Sleep from the power options [+Start Menu] and deletes hyberfil.sys

    Personally every windows box I've had ran like a dog following resume from hibernation. YMMV

  30. daveeff

    what a waste of time

    So when the truecrypt drive is mounted you can get the password - and do what? Mount the drive???

    It's dismounted when you power off, if you suspend & restore it's re-mounted.

    There could be an issue that the m/c suspends itself one with it mounted & that file then contains the key but in theory if that data is there you can restore and voila the volume is mounted again.

    Next thing you'll tell me is my car might get nicked because the steering lock is disabled when I'm driving.


  31. Anonymous Coward
    Anonymous Coward

    Remote server in a outbuilding running a very hardened linux, full disk encryption, encrypted throw away key swap, no suspend and a daemon that detects a usb lead being unplugged for a device concreted into the floor that shuts the server down immediately.

    Tell them to bring a jackhammer, some of those hot wire splicey thingies and lots of expertise with custom boot images. Then and only then can they have my full collection of 80's chiptunes, ascii porn and amiga demos :)

  32. doveman

    Why Steggles?

    "Simon Steggles, director of forensics at data recovery biz Disklabs, said ElcomSoft's utility merely automates a process for retrieving decryption keys that is already used by computer forensics teams, if not the wider IT community.

    "In forensics, we have known about this for years. It only works when the computer is switched on. Once it is powered down, the RAM memory is gone and you lose that key," Steggles explained.

    "Coincidentally, I looked at the Truecrypt website yesterday and noted that it said on the site that it does on-the-fly encrypting and decrypting, which means that the key must be in the RAM.""

    Err, why the comment from someone who's so unfamiliar with Truecrypt that he had to look at the website to find out it does on the-fly encrypting? And refers to random access memory as random access memory memory!

    "Director of forensics" huh?

  33. joh348

    USB memory

    If you used a product like Security Guardian then you could turn off the memory completely and not worry about people getting at the passwords.

This topic is closed for new posts.

Other stories you might like