New tool targets BitLocker, TrueCrypt full disk encryption
Russian digital forensics firm ElcomSoft has unveiled a new Forensic Disk Decryptor software that it says can decrypt encrypted file volumes protected by tools such as BitLocker, PGP and TrueCrypt.
To be clear, the tool does not actually defeat the security mechanisms behind tools such as BitLocker, but instead recovers the security keys from the computer's operating memory. This can be done by working from memory dumps captured using forensic tools or through a live FireWire attack.
Obviously, the computer must be switched on, and the protected data volume must already be mounted. It is also possible to retrieve decryption keys from a hibernation file, according to the company. Forensics software vendor Passware earlier this year released a similar feature into its Passware Kit Forensic, though it isn't clear if it will work on a hibernation file.
"The new product includes algorithms allowing us to analyze dumps of computers' volatile memory, locating areas that contain the decryption keys," wrote CEO Vladimir Katalov on the company's blog. "Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers' internal structures." He added that knowing the exact algorithm for PGP can significantly speed up the process.
ElcomSoft has a long track record of successfully crafting attacks against security mechanisms such as the image verification system for Nikon and Canon cameras, the on-board encryption employed by the iPhone 3GS and even the encryption used by the BlackBerry Desktop Software to protect data backups.
- check out this article at InformationWeek