With more and more sensitive data on mobile devices, software encryption has witnessed quite a boom in recent years. Backed by independent developers (such as TrueCrypt) or built into the operating system directly (BitLocker), software encryption managed to keep data away from prying eyes.
Â Russian data recovery specialist Elcomsoft, announced immediate availability [warning:pdf link] for their Elcomsoft Forensic Disk Decryptor, software that can unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. While these data containers are virtually unbreakable without the password used at encryption time, they can be easily decrypted using an unconventional approach: retrieving the key from the system memory.
By design, these encrypted volumes require a password to perform a read / write operation, but, since prompting for passwords every time a file is accessed would be a party-breaker, these encryption keys are cached (stored) in the computer memory.
The Elcomsoft tool analyzes memory dumps taken while these encrypted volumes are mounted and isolates the encryption keys. When the process is over, the forensic team (or attacker) can mount the volumes as they would normally do and authenticate with the data provided by the forensics tool.
â€œThe new product includes algorithms allowing us to analyze dumps of computersâ€™ volatile memory, locating areas that contain the decryption keys,” wrote Vladimir Katalov in a blog post. â€œSometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containersâ€™ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.â€
To dump memory on a system, one needs physical access to the target computer so they can run a third party memory dumping application or to carry a FireWire attack. But this does not mean only authorized personnel (i.e. IT staff or law enforcement) can dump the memory of a computer, as memory dumps can be restored from hibernation files (i.e. if you sent your laptop to hibernation and you forgot the laptop in the cab on your way home) or partially, via cold boot attacks.
Bottom-line: this tool is a great addition for law enforcement to gather evidence against cyber-criminals who hide essential data in encrypted containers, but can also leave room for opportunistic attacks against your laptop, in case you lose it, so make sure you keep an eye on your device at all times, whether youâ€™re using encryption or not. Or better yet, how about some highly-encrypted storage in the cloud for your critical data?