Conventional wisdom has been that files protected with good encryption can’t be cracked.
But a new, $300, wizard-driven app can unlock BitLocker-, PGP-, and TrueCrypt-encrypted files, folders, and drives — no matter how strong a password you’re using.
It’s the sort of story that could keep you up at night. Last month, Elcomsoft released the Elcomsoft Forensic Disk Decryptor (EFDD; more info), a program that opens encrypted files without trying to guess your password or attack it with brute force (Wikipedia info). In fact, the actual password is effectively irrelevant. A long, random string such as bS2f#[voIT+?@=Uq3a,.B provides no better protection against EFDD than would "password" or "12345."
That's the bad news. The good news? EFDD works only within a limited set of conditions — and those conditions are actually fairly easy to avoid. And it's not as if just anyone could put down $300 and use EFDD to quickly crack encrypted data. Although it's wizard-driven, EFDD is not all that easy to use.
Encryption cracking without guessing passwords
First, it's important to note that products such as EFDD serve a legal, legitimate purpose. If a user has forgotten his or her password, these forensic programs can restore access to otherwise lost data. If an employee purposely or accidentally locks a company out of its critical business files, password crackers are a perfectly legitimate recovery tool.
Other examples of legitimate uses for EFDD-like applications include Windows' own Encrypted File System (EFS) — an encryption tool I don't recommend. Windows automatically decrypts EFS-encrypted files when they're opened (provided you're properly signed in to the OS.) The process is so transparent, you can forget that you have encrypted files. Then, when your computer dies or you have to reinstall Windows, you suddenly discover your files are inaccessible. Microsoft provides a fix, but you need to have prepared for its use ahead of time.
An acquaintance was inadvertently locked out of his EFS-encrypted files when his PC died. When he plugged the hard drive into another computer via a USB adapter, he had an unpleasant surprise: his files were no longer accessible. He was lucky, however; using another Elcomsoft forensic product, Advanced EFS Data Recovery (info), he eventually unlocked his files. But a thief in possession of that hard drive could have done the same thing.
Of course, anything that can be used for legal purposes can be — and often is — adopted for malicious applications. And there's rarely a practical way to control who has access to password-/encryption-cracking software.
Cracking passwords is the most common way to unlock encrypted files, but it isn't the only way. The keys to decrypting your darkest secrets might be floating around in RAM from the last time you opened an encrypted file. Or perhaps, if Windows ran out of physical RAM, they're sitting in your swap file. They could also be hiding in your hibernation file — assuming that you hibernate your PC.
EFDD (or a similar app) searches those areas for possible keys. It then tries any keys it finds on your encrypted files. Sometimes it works; sometimes it doesn't.
EFDD's approach to encryption cracking isn't entirely new. Other products have also searched computers for the keys to your protected data. But EFDD specifically targets data encrypted by BitLocker, PGP, and TrueCrypt — encryption products users have relied on as unbreakable.
Does EFDD make cracking encrypted files easy?
A strong proponent of file encryption, I was intrigued by EFDD. It sounded like a potentially serious threat to data security. I decided to test it by seeing whether it could crack my personal TrueCrypt vault.
Before launching EFDD, I opened my vault, accessed a few files, and closed it again. If the encryption key were going to get left somewhere in memory or in a temporary system file (such as the pagefile), it should be there now.
EFDD started off like the world's easiest program. A simple wizard asked me a few pertinent questions that I had no trouble answering — what type of encryption I wanted to break (Figure 1), where to look for keys (Figure 2), and so on.
It then asked me for the memory-dump file — a file containing everything in system memory at the time the dump is created. I had to create the file — EFDD wouldn’t do it for me. The app’s help file recommended the free Community version of MoonSols Windows Memory Toolkit (info), a command-line program that you must launch as an administrator. After some frustrating experiments, I eventually made two different kinds of memory dumps; EFDD failed to find the proper key in either of them.
Because EFDD can also search for keys in the Windows hibernation file, I opened my vault again, accessed a couple of files, hibernated my PC, woke it up, closed the vault, and then tried EFDD again. This time, I didn’t have to create a memory dump; I just told EFDD to access c:\hiberfil.sys. But once again, it failed to find a key.
It turns out you can’t wake up a hibernating PC and then dig data out of the hibernation file. So I tried again; I put the PC into hibernation, then loaded Windows with another bootable drive. Unfortunately, Windows wouldn’t let me access the hibernation file.
I tried to crack my TrueCrypt vault many times with EFDD but finally gave up. Does this mean the program is worthless? Probably not. I’m not an expert hacker by any measure. Someone with better skills might have cracked my TrueCrypt file easily with EFDD. The point, however, is that EFDD doesn’t make encryption cracking easy.
Protect from malicious encryption cracking
To be effective, EFDD and similar programs require a specific set of conditions that most PC users can easily avoid.
It starts with that administrator requirement for a memory dump. Assuming your password isn’t easy to guess (and you’re not sharing your PC with an untrustworthy individual with admin access — in which case, you’re hosed, anyway), you should be safe.
Safe, at least, if you don’t leave your computer on and unprotected. Before walking away from your machine, shut it down or use either Windows’ Lock or Sleep mode. (Keep in mind that open encrypted files are accessible to anyone sitting at your keyboard whenever you’re signed in to Windows, when you’ve encrypted an entire drive, or you’re using Windows EFS. A data thief doesn’t even need a program such as EFDD.)
I recommend not using automatic encryption/decryption. It’s safer to manually open vaults with a password whenever you need an encrypted file. Yes, it’s a hassle; but if you consciously open the vault when you need its contents, and leave it closed the rest of the time, you’re less likely to leave it open when you shouldn’t.
So, what about the hibernation file? It’s basically a memory dump, containing everything in RAM when you last hibernated your PC. Unless you keep your entire drive encrypted, a tech-savvy criminal might be able to attach your hard drive to another PC, then use EFDD to scan this file for encryption keys.
To protect yourself, never hibernate Windows when encrypted files are open. Ensure you’ve closed any encrypted files before using hibernation — or simply never use it; sleep mode doesn’t use much more power than does hibernation.
TrueCrypt — my preferred encryption tool — offers another solution. In the program, select Settings/Preferences. In the Preferences dialog box’s Auto-Dismount section, check three options (shown in Figure 1): Screen saver is launched, Entering power saving mode, and Force auto-dismount even if volume contains open files or directories. In fact, you might want to check every option in that section — just to be safe.
Programs such as EFDD serve a useful purpose but can also be dangerous. However, with the right precautions — and, of course, long, hard-to-guess passwords — you needn’t lose any sleep over them.Legitimate app breaks popular encryption systems