Full Disk Encryption Hard For Law Enforcement To Crack

If you'd rather keep your data private, take heart: disk encryption is a lot harder to break than techno-thriller movies and TV shows make it out to be, to the chagrin of some branches of law enforcement. MrSeb writes with word of a paper titled "The growing impact of full disk encryption on digital forensics" [abstract here to paywalled article] that illustrates just how difficult it is. According to the paper, co-authored by a member of US-CERT, "[T]here are three main problems with full disk encryption (FDE): First, evidence-gathering goons can turn off the computer (for transportation) without realizing it's encrypted, and thus can't get back at the data (unless the arrestee gives up his password, which he doesn't have to do); second, if the analysis team doesn't know that the disk is encrypted, it can waste hours trying to read something that's ultimately unreadable; and finally, in the case of hardware-level disk encryption, tampering with the device can trigger self-destruction of the data. The paper does go on to suggest some ways to ameliorate these issues, but ultimately the researchers aren't hopeful: 'Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption.'"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:I wish this was the case in the UK

[Anonymous Coward]

If they know it's a truecrypt drive, they probably would suspect that there's another partition so will try and charge you anyway for withholding.

So basically they make your life hell for a year till charges are dropped and would use any little excuse to question & detain you.

Anti-FUD

[spudnic]

So how are we to know that this isn't anti-FUD?

"Yes, Citizen, your full disk encryption is just too much for us to crack. I guess you're in the clear."

Re:I wish this was the case in the UK

[durrr]

I haven't bothered with hidden partitions, yet. Does it mean I'm subject to legal punishment for not using this feature and thus lacking a password to give to law enforcement so they can take part of my extensive collection of crustacean pornography?

And if that, then what happens when truecrypt suddenly accepts multiple hidden partitions or other more complex schemes? Everyone goes to jail because lawmakers somehow ascended beyond full retard?

Re:I wish this was the case in the UK

[fuzzyfuzzyfungus]

It may not help the poor bastard being asked for them; but, depending on the implementation, delivering the keys may simply not be possible.

It takes a pretty exceptional human to actually remember a useful crypto key, so most systems store the key for you and depend on a password, passphrase, and/or some sort of hardware device to grant access to the key. If the system that actually stores the crypto key is designed to resist tampering, there are a reasonable number of initial attempts at forensics that might trip tamper detection and cause the key to be wiped, irrevocably.

Your classier cryptographic coprocessor modules offer such tamper resistance, and the enthusiasm of DRM peddlers and corporate customers who have backups; but really, really, hate data-breach stories will likely continue to push it further down into cheaper and more common business desktops and laptops.

(Even the TPMs of today may be pretty tricky to subvert without pissing them off, though I don't think that they are required to adhere to the same anti-tamper standards as the more serious hardware security modules).

kind of the point

[Surt]

I mean ... what's the point of encryption that your foes, police or otherwise, can bypass?

Re:obligatory

[fuzzyfuzzyfungus]

Why would we resort to torture when we have pain compliance?

Re:Giving up passwords

[Xugumad]

Frequently intrigued how many people miss that much of the US constitution was written to provide rights people didn't have in the UK...

Re:Anti-FUD

[betterunixthanunix]

That is not how the police in America work. When they cannot crack a cryptosystem, they try to get it outlawed or prevent it from becoming mainstream, and then push for a system with a backdoor. When they manage to crack a system e.g. the Hushmail attack, they parade it around and declare that no matter what anyone does the police will be able to defeat it.

If this sounds like Doublethink to you, perhaps you should take a look around and reconsider your views on whether it was Orwell or Huxley who was correct.

Re:I wish this was the case in the UK

[sco08y]

We need an encryption package that has *two* passwords:

• One normal one that decrypts as usual;
• A second one that formats the disk and installs a standard version of Windows

You use password #1, but if arrested you give up password #2.

That's brilliant, but how do you get the police to use this software? Especially after they've pulled the drive out and plugged it into their forensics kit?

Re:"more research?"

[betterunixthanunix]

well we [the industry] will be just happy selling encryption with the tagline: so secure - no one can break it - except your average McForensic dude with a software package you can torrent. See, secure!

More like the software industry wants to remain friendly with the Department of Justice, and will gladly push a DoJ-approved cryptosystem on their customers unless their customers start jumping ship. Remember the clipper chip and how a certain large telecom was prepared to play along?

Re:I wish this was the case in the UK

[Dogbertius]

Sadly, the notion of "plausible deniability" works both ways. If they (ie: the authorities) are aware it is a TrueCrypt volume, they can just demand you hand over the passwords for the inner and outer volumes. If you provide just one key (ie: the password for the outer volume that contains junk you don't care about), and you are in a country that demonstrates little to no respect for civil rights, they could very well jail you, even if you aren't using a hidden volume.

Secondly, the authorities demanding you hand over the key (strangely enough) isn't covered under fifth amendment rights, so again, they can demand you hand over the keys, or you could be jailed almost indefinitely.

Finally, there are some interesting articles by Bruce Schneier on alternate means of incrimination. www.schneier.com/paper-truecrypt-dfs.pdf

In short, there are many ways to give a judge the idea that the use of a hidden volume is likely (ie: check path histories for previously opened files, check temp folders, etc). Not only would these indicate the possibility of a hidden volume, but some files that were meant to be encrypted may be 100% available (eg: Microsoft Word makes temporary backups of files in your %APPDATA% folders in case it crashes and you want to recover your work; as one example). Unless one is very diligent and knows what he/she is doing with respect to encrypting data, it would seem the only safe method is to encrypt the entire disk and boot off of it exclusively, all while keeping the machine itself disconnected from the internet to avoid hacking attempts, and locked in massive safe so the authorities don't install a keylogger (application or physical device) or start taking snapshots of your disk daily to aid in cracking the password.

You may be able to secure your data, but with multiple means of data accidentally being leaked due to the OS or various applications used in day-to-day life, along with unscrupulous policing agencies allowed to overrule fundamental civil rights, it is likely that one will ultimately lose their data and/or freedom either way.

Here's a clue LEO guys...

[bmo]

While I currently do not run full disk encryption on my laptop and I have never done anything to warrant arrest, I have thought about full disk encryption. Especially in these days of a growing police state, it is not my job to make your job easier. If the news stories keep going the way they are, I suspect that within the year, I will simply migrate over with strong encryption and that will be that.

Because I do not like the increasingly adversarial and militarized role the police have been taking. I'm sure I'm not alone. While I do not wear tinfoil, the news events of late give me pause.

--
BMO - shiny side out.

I've got a solution!

[PopeRatzo]

Use biometrics instead of a password.

Your system unlocks via your foreign friend's iris, which you get via his smartphone's camera.

Now, when the police want to get access to your computer, they have to try to extradite your friend. You can't give them a password because there is no password. The only way to unlock your system is if your friend puts his eye up to his smartphone's camera and you put your smartphone up to your computer's iris scanner. They'd have to figure out a way to compel your friend, who lives in a country that may not have extradition treaty with your particular tyrannical hellhole.

Yeah, I know it's inconvenient, but it would be worth it to frustrate the monsters who have seized power.

Of course, by that point they'd probably just use rendition to send you someplace where you'll be tortured, just for making them have to work for a living. US or UK, I don't think there's any line they won't cross. Not any more. There's no longer a pretense to anything like personal rights. Unless your name ends in "Inc." you just don't have rights any more.

Re:Deniable encryption only works in theory

[izomiac]

I figured that plausible deniability applies both ways. You deny that you have any more hidden volumes, they deny that you've given them all relevant passwords. In the UK that means running afoul of that law. In less kind parts of the world (or society) that means you will be tortured until you give up the "real" password, repeated ad infinitum as there's no way to determine the number of hidden volumes. Sucks to be you if what they're looking for doesn't exist, there's no way for you to prove that and break the cycle.

IMHO, plausibly deniability is for reasonable and less motivated opponents (e.g. some family members). If you're worried about a less savory type, you need to visibly destroy the data. E.g., put it on RAM disks that will shut down if someone opens your closet door and doesn't type the correct code in 30 seconds. You'll be charged with destruction of evidence in a courtroom, and presumed guilty elsewhere, but it's a calculated risk. Wiping the header that is used to convert your password into the actual crypto key is another possibility that potentially allows for later recovery, but your opponent may assume that as well.

Re:I wish this was the case in the UK

[MaskedSlacker]

where they'll find some kinky and embarrassing (but not illegal) stuff to keep them busy. At worst they'll think you're a secret crossdressing BDSM fetishist or whatever

I recommend BDSM furry granny porn. Just so they don't try to claim the 30-something girl in the porn is 17 and falsely charge you with child porn possession just for kicks (it's happened).

Re:Giving up passwords

[MaskedSlacker]

Identity theft. Laptops are quite stealable, and I have a lot of financial/confidential client data on mine.

You could retort: Well, what's wrong with Law Enforcement seeing it then?

Answer: Not much, but anything they can crack the crooks can crack better.

Re:I wish this was the case in the UK

[Anonymous Coward]

I have a great little program that produces random numbers out of the random.data file.
Funny thing is, truecrypt thinks it's a partition...

Re:I wish this was the case in the UK

[mikael]

These days, the disk controller for the disk drive is logically tied to the hard disk drive platter itself, by an encryption key. If you tried swapping round the controllers to repair the disk drive, that wouldn't work as the encryption keys are different.
You wouldn't even get the disk information sector back.

Re:obligatory

[xaxa]

Trick, cajole, threaten, inconvenience, stress, discomfit, and a whole host of other verbs that come just shy of it, but not quite outright torture yet.

From the videos of what the US police have done this week I wouldn't be so sure.

http://boingboing.net/2011/11/18/police-pepper-spraying-arrest.html [boingboing.net] for instance.

(I would call pepper spraying someone so much they're coughing up blood 45 minutes later torture, but maybe Americans call it 'discomfort'.)

Re:obligatory

[shutdown -p now]

Keep in mind that there's this thing called "extraordinary rendition", where you can be a U.S. citizen detained on U.S. soil by U.S. agencies - and end up somewhere in Egypt, where the local goons are politely asked to obtain the keys from you without resorting to any illegal measures *wink wink*.

Mind you, this requires one to be designated a "suspected terrorist" today, but then all it takes is for executive to say that you're one. They likely won't bother for a pedo, but if, say, you worked on WikiLeaks, that might be a different matter.

Re:I wish this was the case in the UK

[theedgeofoblivious]

Or what?

They'll prosecute you for not giving them your password?

If they had enough evidence that they were able to get a search warrant to get the data on your computer, you were probably already about to be prosecuted for something pretty substantial.

If you had a choice between being prosecuted for not giving them your password or being prosecuted for whatever else you were about to be prosecuted for, I expect that in most cases you'd want to be prosecuted for not giving them your password.

The government can threaten you with an alternative prosecution, but they can never actually compel you to give up your password.

Re:I wish this was the case in the UK

[Teun]

It's about time some Brit went to the European Court of Human Rights, according to most legal opinion you don't have to incriminate yourself.

More research?

[cheekyjohnson]

"Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption."

And, if they somehow manage that, research will be needed to develop new techniques and technology for creating even stronger encryption.

Re:Deniable encryption only works in theory

[Chris Mattern]

there's no way to determine the number of hidden volumes.

Am I missing something here? The physical disk has a known, fixed size. When the size of all the volumes you have discovered (including their free space) add up to the size of the physical disk, you've found everything.