Difference between pages "BitLocker Disk Encryption" and "TrueCrypt"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m (some errors)
 
Line 1: Line 1:
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BTG allows the user to protect volumes with a password or smart card.
+
{{Infobox_Software |
 +
  name = Truecrypt |
 +
  maintainer = TrueCrypt Foundation |
 +
  os = {{Linux}}, {{Windows}}, OS X |
 +
  genre = {{Encryption}} |
 +
  license = TrueCrypt Collective License |
 +
  website = [http://www.truecrypt.org/ truecrypt.org] |
 +
}}
  
== BitLocker ==
+
'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and [[Linux]] and [[Mac OS X|OS X]] as well as [[Whole Disk Encryption]] on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms ([[AES|AES-256]], [[Serpent]] and [[Twofish]]).  As of version 6.0 TrueCrypt now supports hidden Operating Systems (Windows only).
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
+
  
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
+
== Forensic Acquisition ==
  
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
+
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.
* TPM (Trusted Platform Module)
+
* Smart card
+
* recovery password
+
* start-up key
+
* clear key; this key-protector provides no protection
+
* user password
+
  
BitLocker has support for partial encrypted volumes.
+
== Attacks ==
 +
The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.
  
== BitLocker To Go ==
+
TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
+
  
== manage-bde ==
+
== Hidden volumes ==
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
+
<pre>
+
manage-bde.exe -status
+
</pre>
+
  
To obtain the recovery password for volume C:
+
Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.
<pre>
+
manage-bde.exe -protectors -get C: -Type recoverypassword
+
</pre>
+
  
Or just obtain the all “protectors” for volume C:
+
When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.
<pre>
+
manage-bde.exe -protectors -get C:
+
</pre>
+
  
== See Also ==
+
Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer volume to detect presence of a hidden container.
* [[BitLocker:_how_to_image]]
+
 
* [[Defeating Whole Disk Encryption]]
+
== Hidden Operating Systems ==
 +
 
 +
Hidden operating system is a system that is installed in a hidden TrueCrypt volume.
 +
 
 +
It is possible to detect network-enabled hidden operating systems by matching downloaded content (from network dump) with data on possible decoy system.
 +
 
 +
Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if Windows system is permanently connected to a LAN).
  
 
== External Links ==
 
== External Links ==
  
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
+
* [http://www.truecrypt.org/ Official website]
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
+
* [http://www.truecrypt.org/docs/?s=version-history Version history]
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
+
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
+
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
+
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
+
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
+
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
+
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
+
* [http://code.google.com/p/libbde/ Project to read BitLocker encrypted volumes]
+
  
[[Category:Disk encryption]]
+
[[Category:Encryption]]
[[Category:Windows]]
+

Revision as of 10:59, 20 July 2008

Truecrypt
Maintainer: TrueCrypt Foundation
OS: Linux,Windows, OS X
Genre: Encryption
License: TrueCrypt Collective License
Website: truecrypt.org

TrueCrypt is an open source program to create and mount virtual encrypted disks in Windows Vista/XP/2000 and Linux and OS X as well as Whole Disk Encryption on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms (AES-256, Serpent and Twofish). As of version 6.0 TrueCrypt now supports hidden Operating Systems (Windows only).

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.

Attacks

The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).

Hidden volumes

Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.

When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.

Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer volume to detect presence of a hidden container.

Hidden Operating Systems

Hidden operating system is a system that is installed in a hidden TrueCrypt volume.

It is possible to detect network-enabled hidden operating systems by matching downloaded content (from network dump) with data on possible decoy system.

Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if Windows system is permanently connected to a LAN).

External Links