Tuesday, November 22, 2011

Is it hard to crack full Disk Encryption For Law Enforcement ?

If you'd rather keep your data private, take heart: disk encryption is a lot harder to break than techno-thriller movies and TV shows make it out to be, to the chagrin of some branches of law enforcement. MrSeb writes with word of a paper titled "The growing impact of full disk encryption on digital forensics" that illustrates just how difficult it is. According to the paper, co-authored by a member of US-CERT.

Abstract of Paper is available here, and Short Info written below:
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to dealing with FDE are discussed.

The paper does go on to suggest some ways to ameliorate these issues, though Better awareness at the evidence-gathering stage would help, but it also suggests “on-scene forensic acquisition” of data, which involves ripping unencrypted data from volatile, live memory with the cryogenic RAM freezing technique, presumably). Ultimately, though, the researchers aren’t hopeful: “Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption,” concludes the paper.