Elcomsoft’s Forensic Decryption Software Moves the Needle for Practical Cryptography


Cryptography is the go-to defense for cybersecurity. It’s essentially the strongbox of the computing era, and just like a strongbox it’s not designed to keep the contents perfectly safe from all perpetrators; it’s designed to resist their attempts to get at it. It’s still possible for the Hole In The Wall gang to derail your train, make off with your payroll safe, and blow it open with TNT. However, given that technology to defeat locks advances with technology to make better locks, we can expect more subtle forms of extracting encrypted contents than TNT (brute force).

News is that Elcomsoft just released a Forensic Disk Decryptor priced at about $299. According to the press, this software can beat protected volumes generated by popular cryptography apps such as BitLocker, PGP and TrueCrypt.

This software doesn’t decrypt encrypted volumes directly. What it does is a little more insidious: it watches an already running computer to determine the encryption keys for the volume it’s currently accessing. If brute force is TNT, this is the master locksmith, determining the proper sequence by peering into the inner workings of the lock while it’s in operation.

The three ways that the software can acquire the encryption keys are listed as: via analyzing the hibernation file (if the PC being analyzed is turned off); via analyzing a memory dump file; or via performing a FireWire attack (PC being analyzed must be running with encrypted volumes mounted).

Basically, the software pulls out the current contents of memory and sifts through them for something that looks like an encryption key. Most encryption techniques are currently vulnerable to this because the key must be available in memory to decrypt anything. Ordinarily the key itself is stored encrypted, but it must be decrypted in order to do its job. That’s when the Forensic Decryptor swoops in.

Some encryption techniques avoid this by running decryption through an external dongle that safely stores the key, by storing the key in volatile CPU memory (so that an interruption causes the key to evaporate), or by other tricks that keep it out of main memory, where it could be dumped. Of course, for the second option, people who put a computer into hibernation with an encrypted volume still mounted are just asking for trouble (dismount before shutdown, people!).

Keep in mind that this method requires direct physical access to the computer in order to retrieve keys. Anyone staring at an encrypted volume cold will not be able to use any of the above processes.

Chances are this will be a great boon to law enforcement (who just seized someone’s laptop or PC) and potentially bad guys who have successfully breached the physical security at a data center—I expect software like this to start appearing on USB keys carried by more experienced and adventurous hackers looking to schmooze their way into the server room.

And Sometimes the Bad Guys Use TNT

Above, I mentioned brute force (as an analogy to using TNT to blow open a safe), and while products such as the Forensic Disk Decryptor don’t use this method, we are starting to see more powerful rigs appear in the consumer market capable of surprising number crunching. It’s not a supercomputer or a Beowulf cluster, but this 25 GPU rig that appeared at Passwords^12 in Norway could represent what hackers looking for a buck might be using on their ill-gotten database dumps in the future.

Brute force decryption is still going to be extremely expensive as cryptography advances. It’s expensive not just in equipment but also in time spent. The benefit, though, is that you don’t need physical access to the device to actually use it; you only need the encrypted files.

With groups like LulzSec, and hacker movements like Anonymous and AntiSec prowling for leaky databases, encrypting the data is only the beginning of the battle, a stopgap if the firewall or access controls fail.

However, it’s a part of keeping data secret that cannot be forgone even if the tug-of-war of technology is still running at breakneck speed.