So you’ve installed full disk encryption using TrueCrypt. You also remembered from a previous article on here that contained in the TrueCrypt boot loader is the string “TrueCrypt Boot Loader” which is a dead giveaway to the fact that you are using encryption software. In response to this you have also performed the simple disk modification to get rid of the identifiable string with a hex editor like in this article.
Now your hard drive is free from unwanted tampering and access without your permission, right?
Well, not quite yet. There are a few more habits that you’re going to have to adopt to really prevent unwanted access to your system.
Full disk encryption can be a great anti-forensic method but it can be circumvented by a variety of things. This includes leaving your computer on without locking it or failing to activate a password protected screensaver that starts after you’re away. There is a risk that malware such as a keylogger could be installed by lack of proper anti-virus and anti-malware protection.
Network traffic can also be monitored with a wiretap warrant or in some cases no warrant at all. In fact, everyone is being monitored right now on a large scale in the United States as part of the “War on Terror.”
US government programs and software such as Project Echelon, the FBI’s carnivore (DCS1000), Cyber Knight, Magic Lantern, CIPAV, the NSA’s use of NarusInsight and many more are all used or are part of a network to monitor the US populace, foreign countries and individuals. These programs, databases and networks all violate your individual rights and are even more of a reason to encrypt and secure your private data.
I will be explaining extra habits and a few simple measures you should adopt to protect the contents of your encrypted hard disk. Most methods are fairly simple and most people don’t realize that they’re still vulnerable even after using disk encryption.
Password Protected Screensaver
When your computer has booted past the initial full disk encryption boot loader (pre-boot authentication) and is now running an operating system, it can be examined and acquired using live computer forensics acquisition techniques (such as imaging the disk to an external hard drive with FTK Imager). One of the easiest methods to stop this is with a screensaver password. Prompting for a password after the screensaver has loaded will make it nearly impossible to perform a live acquisition, because now the examiner must have the password to start any applications on the computer.
If there is no suspicion that your system is currently using full disk encryption then it will most likely be powered down and acquired offline with a hardware imaging device such as a logicube. It may also be booted from a live CD (Linux Live CD such as Raptor or HELIX3) and acquired this way. Once the hard drive has been powered off, any images acquired will be of the encrypted drive rendering them unreadable.
You should also be aware that there is a code injection technique to bypass or force a successful login on a password protected screensaver for Windows, MAC OS, and Linux systems using another PC and firewire. It is possible to dump the contents of RAM (where your encryption key is stored) with this method as well. It’s doubtful that local law enforcement would be able to do this or even know that it exists but agencies like the FBI most likely do. To prevent this you should disable all firewire ports on your system through BIOS.
How to enable a password protected screensaver on a Windows XP system:
- Right-click open area of desktop
- Click properties from the menu
- Choose the “Screen Saver” tab
- Checkmark “On resume, password protect”
- Set a desirable wait time for the screensaver to start. I suggest around 3 to 5 minutes because if your door were to be kicked in while you were in the bathroom and you did not have time to lock the computer, you would have to rely on the screensaver starting.
Autorun Features
Although sometimes autorun features for CDs, external drives and other media might be convenient, the feature is a security risk. If you work in IT you already know this. This feature should always be disabled in my opinion.
Leaving autorun enabled allows someone with a properly setup CD or more likely a USB thumb drive to install malware on your machine in very little time. All that is required is to simply plug the USB drive in, allow autorun to launch the malware and then remove the thumb drive after installation.
Failing to disable this may allow someone to sneak a keylogger onto your system which sends out logs to a remote host. This would really render full disk encryption useless as everything you are doing could still be monitored.
Microsoft has a knowledgebase article which covers completely disabling autorun here.
Hardware Keyloggers – watch what is plugged into your computer
If someone were to have physical access to your computer they could plug a hardware keylogger into the port used by the keyboard, much like one of the ones pictured here. They support both PS2 and USB and some keyloggers are designed to look like PS/2 and USB adapters, which might even fool a seasoned IT professional.
There are hardware keyloggers that can also be attached inside of the keyboard. These ones will need to be clipped in place or soldered. There are keyboards that act as keyloggers themselves. So if you’re at work one day and someone from IT comes in to replace your keyboard for no apparent reason, or you leave work for the day and come back the next day to a different keyboard, you should be suspicious.
These devices have a limited storage capacity of course but it is usually enough to capture a good majority of what has been typed on that system. This can include everything from passwords to encryption passphrases and even that bomb threat you wrote.
The government can install these when you are away with a sneak and peak search warrant. If you suspect that you may be being monitored by the law it is is probably a good idea to check the back of your computer and your keyboard occasionally. Don’t feel bad about being paranoid every time you check out the back of your box. These devices do exist and are used by law enforcement, employers and even spouses.
Some brands include:
- Keyshark
- KeyGhost
- KeyDevil
- KeeLog
Software Keyloggers
There are a variety of software keyloggers from commercial to the down-right malicious ones geared towards identity theft, account harvesting and fraud. You should always be running some sort of anti-spyware/malware/virus software on your computer.
One problem with using major security vendors software is that there is the possibility that the US government may have coerced companies into allowing government specific malware to slip through virus detection scans. In fact, chief researcher at Symantec was given a hypothetical situation like this and said that they would not update their virus tools so as to allow government malware to avoid detection.
One real life example of the FBI’s use of a keylogger like this was with the son of mob boss Nicodemo Scarfo. The FBI used a keylogger to get his PGP encryption passphrase.
Another FBI keylogger which has been public knowledge for a while now is the “Magic Lantern” trojan-based keylogger. The keylogger can be installed using any blackhat method in the book from malicious email attachments to exploiting security flaws in web browsers and the Windows operating system itself.
What can you do to protect yourself?
- Watch your back. If you’re part of any “scene” or group you might never know when someone has sold out and is now working for the feds. Don’t be social engineered into installing any software, etc.
- Keep a variety of active anti-malware scanners installed. I recommend installing a scanner that you manually run as well. If one company has sold out to the feds, maybe another has not.
- Follow previously stated good privacy tips of using full disk encryption and password protected accounts on your system. Use a password protected screensaver as well. This will prevent someone from walking up to your machine and just installing malware.
- You could use software like PeerGuardian and download the government IP block lists and even make your own. This way if there is an undetected keylogger on your system that was installed by an agency such as the FBI, you might block their access to it if it is acting as a backdoor or trojan horse.
Some software that would be beneficial:
- Spybot S&D (passive defense)
- MalwareBytes (manual scanning)
- Sopho’s Anti-Rootkit (Seriously get this, it’s awesome.)
- Avira Premium
- [Your Anti-Virus Choice]
Cold Boot Attack to Dump Encryption Keys
As I’ve mentioned in a previous article, there is a method for recovering encryption keys from RAM using a cold boot attack.
The best way to stop this is to make sure that whenever you leave your computer, you completely power it off. Don’t use standby or sleep mode, you must completely power it off. Data in DRAM will then fade based on RAM temperature with the colder it is, the longer it lasts (from seconds to over 10 minutes when sprayed with an inverted air can).
Is that everything?
Obviously, this is not everything you should be doing. One major section I’ve left out is encrypting network traffic. However, these methods will go a long way into ensuring that your fully encrypted hard disk is not compromised. Something as simple as failing to lock your computer or use a screensaver password when you’re away from it could blow your entire encryption scheme, allowing a full acquisition to be done on the readable contents of your hard drive.
Feel free share your opinions, comments, techniques and more if you wish. This is a very large subject. There could be a book written on this stuff and there probably is one somewhere.
I’ll work on an article on encrypting or obfuscating network traffic in the near future.
interesting article, I see you post a lot about Truecrypt, might want to check this out to go along with your articles.
http://diablohorn.wordpress.com/2009/01/01/truecrypt-variety-of-bruteforcing-options/
hiddenillusion, great article at diablohorn. I did leave out having a secure passphrase. I myself use at least a 15 character passphrase on all encrypted volumes and disks.
The best you can do is to make a long passphrase, substitute letters in it for numbers and symbols. Then at the end, beginning or maybe between words add symbol combinations that are easy to remember. This will make for a very difficult password to brute.
Great post! I also want to add, update your system and all your software! So many Windows users seem to not prioritize updates, but that’s the #1 way people end up hacking your computer. There’s always a new Windows file sharing bug, or web browser bug, or Flash player bug, or PDF reader bug, and the only way to be much safer is to promptly install updates.
And speaking of Windows file sharing: only have it enabled if you have a really good reason for it, and make sure that only authorized people are allowed to view your shares. It doesn’t matter if your disk is encrypted if you’re sharing your documents with others over the network.
Don’t forget to be logged in as user and not as admin. This creates another security layer since it might affect some rootkits and viruses from installing correctly.
For Truecrypt it might be a smart move to use a keyfile besides a strong password. Then an attacker needs to get hold of both your password and keyfile.
Watch out for Mantech’s MDD, it can make a complete memory dump. Might reveal keys, passwords of Truecrypt (did not have time to test this). Will discover Windows hashes for sure. See a nice article on:
http://taosecurity.blogspot.com/2009/03/using-forensic-tools-offensively.html Offensively
All great tips. Especially about updating software and disabling services you don’t need.
I do not use TrueCrypt volumes with a keyfile as I know I’m just going lose it
but very good tip.
You can completely circumvent the impact of keyloggers by using they XP on-screen keyboard to type your password.
This can be found at Start/Programs/Accessories/Accessibility.
If you find it too time consuming to do it this way you can just type a portion of it this way. Just make sure it’s always the same portion so they can never record that missing fragment with the logger.
How can I WHOLE-DISK encrypt a hard-drive with a dual-boot situation ? (IE: Linux/Windows) Anyway?
Nice post – really like the keyfile tip in the comments as well. Double layers of security like this are vital (or if your keyfile is on a biometric USB drive, triple layers!)
Freelance programmer
Hello
Nice article.
Say I have a 8G flash drive, If I encrypt entire drive then it comes up as unformatted drive in windows. So someone might just format the whole darn thing.
What I would like to do is to be able to disguise this 8G drive as 4G drive and the remaining 4G should remain invisible to unsuspecting user. Using TC I should be able to detect the hidden partition. For noraml windows it should appear like a 4G drive.
Is it possible? TIA
I’ve always wondered too, if you use sleep mode, what is stopping them from disconnecting your LAN and plugging it into their own laptop/rogue AP?
I know assigning a static IP would somewhat defer this..however, it could be a true problem.
Also, what if the had a USB->Ethernet dongle?
After which plugging it in, the OS automatically installs/uses it, and gets a new DHCP lease through it, allowing for our new friends to poke around wherever assuming they can get past your firewall..
So many possibilities!
Hi there,
Good article! I am playing around with TC as well and know the risks we still face. I am wondering about the ram copy issue. I do own a laptop with 1 GB of RAM, suppose I am working on it and they seize my laptop. Would it be adequate to let the machine reboot so the ram is cleared and overwritten? Not sure how much chance there is that my encryption key resides in the memory after a reboot. It would halt however on the truecrypt pw screen so there might not be a lot of memory overwritten.
I wrote a little batchfile btw to make things more difficult
I did bind it to an unused laptop key. When I press that key my screen is instantly locked, after a 2 second delay my TC volumes are forcefully dismounted and the laptop will proceed to reboot.
Batchfile content:
@ECHO OFF
BREAK=OFF
rundll32.exe user32.dll, LockWorkStation
“C:\TC\Sleep.exe” 2
“C:\Program Files\TrueCrypt\TrueCrypt.exe” /q /d /f
“C:\TC\Sleep.exe” 2
shutdown -f -r
EXIT
Dear illegal visitor,
can you tell me how did you assign a batch file to your laptop key? I’m looking for workarounds but no info at all.
What do you mean “bomb threat”? No need for that type of language at all, I mean what the **** are you even mentioning that for???? We’re not even talking about hiding illegal activity, don’t you think that language is a bit rash and disrespectful to people who have been killed by bombs?
Not really, nope, and are you on medication yet for being far too sensitive?
other very good esential software are: superantispyware / spyware doctor / trojan remover and kaspersky virus removal tool.
for prevent malicius code in autorun from pendrives, mp3, mp4, phones, ipod, etc. I use mx one, usb doctor or sokx pro.
ofcourse also is a good choice disable autorun in you desktop pc, netbook, notebook, etc.