Thursday, May 24, 2007

"Defeating" Whole Disk Encryption - Part 2 "Ok, I've got the password, now what"

In my last post I discussed some techniques for recovering the password of a PGP whole-disk-encrypted machine from a dd image of physical memory. Let's quickly look at how to tackle a dead box before we start to tie all of this together.

Dead box:

I'm going to quickly go over this, as I haven't tested what I'm going to write about here.

AccessData's Password Recovery Toolkit and Distributed Network Attack can be used to brute-force the passphrase offline when all you have is a dead-box image. I have not done this, but I'm a big fan of all of AccessData's tools.

So now that you have broken the password or passphrase, what are your choices?

Let us assume that you have the password but couldn't make a live image of the box. How do you get in? Before I start, a big shout-out to Dave Shaver over at the US Army's Computer Crime Investigative Unit: a lot of what follows is based on his research and work. There are a few other ways that might work here, but this is the one I've tested.

The Attack:

You are going to need VMware Workstation and EnCase. You will also need to download the PGP decryption .iso that matches the PGP version your box is running. You can download those here.

Step 1:

In VMware Workstation, create a VM running an OS you can install EnCase on (Windows XP, 2000, etc.).

Step 2:

Boot the VM, install VMware Tools, then shut the VM down.

Step 3:

Edit the VM's shared folders and add the folder or drive holding the encrypted image files so that the VM can access them. You might also want to share the folder containing the EnCase installer executable and the HASP dongle driver installer (or download those from guidancesoftware.com; your call, but they need to be on the VM or in a folder the VM can reach).

Step 4:

Add a second hard drive to your virtual machine. It should be slightly larger than the original drive in the encrypted machine: if the original drive was 188.6 GB, make the virtual disk 188.7 GB. (Note: if the restore in step 6 fails for lack of space, keep increasing the size of the drive in small increments.)

Step 5:

Reboot the VM, then install the HASP driver and EnCase. With the VMware window in the foreground (so the USB device is attached to the VM rather than the host), plug in your EnCase dongle and start EnCase.


Step 6:

EnCase should be running in forensic mode. Add the image to EnCase and go through the restore procedure just as if you were restoring the image to a physical drive, but restore it to the second drive we created in step 4. There's a how-to in the EnCase manual if you are not sure of the procedure.

Step 7:

Power off the VM, then copy the virtual disk files (the .vmdk files) belonging to the step 4 drive to the drive where you keep the original image files. Copies are your friend here: it's good forensic practice, and even if you don't think you need them now, you'll see why you want them as you read on.

Step 8:

Edit the VM's settings and remove the drive you used to boot (the one we created in step 1). The only drive that should remain attached to the VM is the drive from step 4, the restored image of the PGP-encrypted computer.
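Two parts of this procedure are easy to get wrong in a way you only notice later: the size of the step 4 disk and the integrity of the step 7 copies. The script below is an added example for this post, not code from the original or from EnCase or VMware. It assumes a POSIX shell with GNU coreutils on the host that holds a single raw dd image (split evidence segments are not handled), and it wraps the sizing rule from step 4 and a hash manifest for the step 7 copies into shell functions. The function names, the example paths and the 100 MB default margin are my own choices for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): size the step 4 virtual disk
# from a raw dd image and hash-verify the step 7 working copies.
# Assumptions: POSIX sh with GNU coreutils (stat, sha256sum, find, xargs, head)
# on the host; the evidence is a single raw dd file, not split segments.
# Function names and the default margin are hypothetical choices for this example.

# Size of a file in bytes (GNU stat; falls back to BSD stat syntax).
file_bytes() {
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
}

# Virtual disk size to request in VMware, in whole MB, for an image of $1 bytes.
# Rounds up to a full 512-byte sector, then to a full MB, then adds $2 MB of
# margin (default 100) so the restored disk can never be smaller than the
# original (the "188.6 GB -> 188.7 GB" rule from step 4, expressed in MB).
target_disk_mb() {
    bytes=$1
    margin_mb=${2:-100}
    sectors=$(( (bytes + 511) / 512 ))
    mb=$(( (sectors * 512 + 1048575) / 1048576 ))
    echo $(( mb + margin_mb ))
}

# Convenience wrapper: virtual disk size in MB for a given image file.
vm_disk_mb_for_image() {
    target_disk_mb "$(file_bytes "$1")" "$2"
}

# Write a SHA-256 manifest of every file under directory $1 to file $2.
# Keep the manifest outside $1 so it does not end up hashing itself.
# Run this on the original image folder before touching anything, and again
# on the .vmdk files copied in step 7.
record_hashes() {
    manifest=$2
    case $manifest in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$1" && find . -type f -print0 | xargs -0 sha256sum ) > "$manifest"
}

# Check directory $1 against manifest $2; exit status is non-zero if any file
# differs or is missing, which is the signal to go back to your clean copy.
verify_hashes() {
    manifest=$2
    case $manifest in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$1" && sha256sum -c "$manifest" )
}

# SHA-256 of the first $2 bytes of file or block device $1. Because the step 4
# disk is larger than the image, hash only the image-length prefix of the
# restored disk and compare it with the hash of the image itself.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d ' ' -f 1
}

# Example run (paths are placeholders):
# vm_disk_mb_for_image /evidence/laptop.dd
# record_hashes /evidence /case/evidence-manifest.sha256
# verify_hashes /working/vmdk-copies /case/vmdk-manifest.sha256
```

One note on hash_prefix: it only makes sense against raw sector data, so on a Linux host you would point it at the -flat.vmdk file of a preallocated (non-sparse) virtual disk, or at the device node of a mounted image; a default sparse .vmdk is not a raw byte-for-byte copy of the disk and would need to be mounted or converted first.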

Now it is decision time. What are you looking for? Will you be satisfied with only the files that are not deleted, or do you want to make a few changes to the drive and have the chance to get into unallocated space? The good news is that you can have it both ways.

We will tackle that in the next post.
