Slashdot Mirror


Bitlocker No Real Threat To Decryption?

An anonymous reader writes "The Register is running a story called 'Vista encryption 'no threat' to computer forensics'. The article explains that despite some initial concerns that lawbreakers would benefit from built-in strong encryption, it's unlikely the Bitlocker technology will slow down most digital forensic analysts. What kind of measures does one need to take to make sure no one but yourself has access to your data? Is Bitlocker just good enough (keeping out your siblings) or does it miss the whole purpose of the encryption entirely?" One would hope an international criminal mastermind could do better than the encryption built into Vista.

5 of 319 comments

  1. Summary of article by Anonymous Coward · · Score: 4, Interesting

    Just to save everyone the time....

    "If you don't use encryption technologies properly, they will not serve their purpose."

  2. Agree: TrueCrypt useful by KWTm · · Score: 5, Interesting

    One major advantage of TrueCrypt: works on both Linux and Windows. Can't remember if there's a Mac version. Nope, there isn't. Here's the TrueCrypt web site.

    Having researched TrueCrypt and compared the alternatives, I have started using it routinely. It's not so much that I have something to hide, or that what I want kept private requires as strong an encryption as TrueCrypt. It's more that I simply want a convenient way to encrypt something, forget about it, and not have to worry about it later.

    My personal financial data resides in a TrueCrypt volume. To lock up all of those files, I just umount the volume, and that's it.

    I also wanted to make an offsite backup of our more valuable personal data in case of disaster, such as a fire that burns down our home, destroying the backups stored at home. For example, we have some digital photos with some irreplaceable priceless memories. So I decided to burn them onto DVD and have my relatives, who live out of town, hang onto copies. But relatives can be nosy, and interspersed in the photos could be things I don't want other people to see, from badly taken photos that "make me look fat" to photos of bank statements and legal documents for which we wanted to store a non-paper copy.

    So, I created TrueCrypt volumes of the appropriate size to burn to DVD, and then stashed our photos inside. We've got about 4 years' worth of photos (JPEGs) on two (different) DVDs with our relatives in two locations.

    I don't want to encrypt something with cheap encryption, and then worry 4 years down the road when someone discovers a flaw in the scheme. You might ask, "What? Are your non-geek relatives going to go about cracking your encryption?" You never know. What if I become someone --let's not say famous, but prominent? Say some sort of social activist fighting for software freedom? Who knows what could happen to my offsite backup DVDs in 4 years --suppose some hired maid accidentally dumps them in the trash, and they are noticed by the neighbourhood trash-diving geek? What if some big company or other enemy happens to get their hands on copies and tries to use some embarrassing photos to pressure me? I want to be able to rip off my tinfoil hat and laugh, "Don't be ridiculous! That would never happen!"

    TrueCrypt gives me that peace of mind. Among its other features is multiple scheme encryption. Are you worried that AES might get cracked next year? Encrypt with AES, and then encrypt the result with Blowfish.[1] Or Twofish first, then CAST5. TrueCrypt offers multiple options, and it does not store the result anywhere. How does it know that you used AES-then-Blowfish encryption? Because it tries all of the schemes one by one. It tries AES alone with the password you gave. Doesn't work. Tries Blowfish alone. Tries about half a dozen other single-encryption schemes. Then it tries the multiple combinations: Blowfish-Serpent, then AES-Blowfish, etc., going down the list until something works. If nothing works, then it concludes that you entered the wrong password.

    It's not a perfect solution, and one drawback with TrueCrypt is that I can't use it on my work computer where I don't have administrator rights. But otherwise it has all the advantages I'm looking for: secure, cross-platform, on-the-fly, open source freedom ... and most of all, it's usable: it exists and is easy to use. Because, much as crypto-security fascinates me, I don't want to tinker all the time.

    Just like a screwdriver: when I want to use it, I don't want to have to Google for user manuals. I just want to do what I need with it, and not have to think about it.

    ---
    [1]: Incidentally, the advantage of AES-with-Blowfish is *not* that you can't crack Blowfish even after the AES on your TrueCrypt file is cracked. Once your AES crypto is cracked, the password is known and the same password will be used for the Blowfish decryption. (Remember, TrueCrypt is open source --once the

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
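
The trial-decryption behaviour described in the comment above, as an added sketch that is not part of the original post or TrueCrypt's code: the header stores no algorithm identifier, so opening it means trying every scheme until a known marker appears. The keystream layers are stand-ins for the real ciphers, and the header layout, iteration count and per-layer key split are simplified assumptions.

```python
import hashlib, os, zlib
from itertools import permutations

MAGIC = b"TRUE"  # marker expected at the start of a correctly decrypted header
CIPHERS = ["AES", "Blowfish", "Twofish", "Serpent", "CAST5"]
# Candidate schemes: each single cipher first, then every ordered pair (cascade).
SCHEMES = [(c,) for c in CIPHERS] + list(permutations(CIPHERS, 2))

def _layer(name, key, data):
    """Stand-in for one cipher layer (NOT the real algorithm): XOR with a
    SHA-256 counter keystream bound to the cipher name and key."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(name.encode() + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _apply(scheme, key_material, data):
    # Assumption of this sketch: layer i uses its own 32-byte slice of the derived key.
    for i, name in enumerate(scheme):
        data = _layer(name, key_material[32 * i:32 * i + 32], data)
    return data

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha512", password, salt, 1000, dklen=64)

def make_header(password, scheme, master_key):
    """Header = cleartext salt || encrypted(MAGIC || CRC32(master_key) || master_key)."""
    salt = os.urandom(64)
    body = MAGIC + zlib.crc32(master_key).to_bytes(4, "big") + master_key
    return salt + _apply(scheme, _derive(password, salt), body)

def open_header(password, header):
    """Try every scheme; return (scheme, master_key), or None if nothing decrypts."""
    salt, body = header[:64], header[64:]
    key_material = _derive(password, salt)
    for scheme in SCHEMES:
        plain = _apply(scheme, key_material, body)
        crc_ok = zlib.crc32(plain[8:]).to_bytes(4, "big") == plain[4:8]
        if plain[:4] == MAGIC and crc_ok:
            return scheme, plain[8:]
    return None  # wrong password and wrong scheme are indistinguishable here

if __name__ == "__main__":
    hdr = make_header(b"constructed passphrase", ("AES", "Blowfish"), os.urandom(32))
    print(open_header(b"constructed passphrase", hdr)[0])
    print(open_header(b"wrong guess", hdr))
```

Because nothing in the header names the scheme, each password guess costs a key derivation plus one trial per candidate scheme, and a failed open reveals nothing about which part was wrong.
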
  3. First hand experience by Matey-O · · Score: 5, Interesting

    Having just completed a Forensics bootcamp, I was frankly amazed at what the current state of the art practices are in password cracking. Even the smallest commonly used keys would take a Computer for Every Person On the Planet 300,000 years to brute force crack.

    Face it, you ain't gonna get there with more horsepower.

    But, the guy's a Bronco fan? Index broncos.com and add it to the dictionary. Enter his wife, daughter, marriage date, favorite car, and pets. The dictionary generation software has taken great strides in making lists of MuffySpot1996 type entries.

    Not enough to crack your password? Hmm. Better hope you didn't use it with another program that happened to write its RAM to swap. The forensics tools index EVERY number and word on the drives you enter into evidence. Evidence can be data from your iPod, cellphone, and PDA. It can be from the exchange server and it can be from hotmail.com.

    Is he Russian? Add the Russian dictionary to the search.

    So, here's what we have: a Custom dictionary, Russian and English dictionaries, an index of every unique character string captured on all removable and non-removable storage.

    That's a lotta chinks in the armor. And Crooks usually aren't that smart.

    It was a very enlightening class. During the lab it _easily_ guessed my tier two and three passwords...it didn't get my tier one Passwords, but I didn't enter all my evidence for submission either.

    --
    "Draco dormiens nunquam titillandus."
    1. Re:First hand experience by Kjella · · Score: 4, Interesting

      Most people pick a crappy passphrase, when in reality it's not that hard choosing a good passphrase. Start off with a passphrase, plain English and something you'll remember by heart:

      "oneringtoholdthemallandindarknessbindthem"

      Throw in the following three things:
      1) Capital letter
      2) Number
      3) Special char

      "onerinGgtoholdthemallandindark666nessbin!dthem"

      Now remember the "special words": rinGg, dark666ness, bin!d, you'll find those much easier to remember in context.

      The length kills any brute force attack, with the added "typos" the number of permutations is huge, killing any dictionary attack. In fact, this one is probably way overkill already.

      --
      Live today, because you never know what tomorrow brings
  4. Re:PGP? by init100 · · Score: 4, Interesting

    But it is true that if you are on trial for a crime in Minnesota, there's a precedent for the mere fact that you have PGP software on your computer to be used against you as evidence for the prosecution--despite the prosecutor's witness himself saying that PGP capable software is already available in OSX.

    So, if you're on trial in Minnesota, you'd better not be using a Mac? Or Linux, since many distributions also include GnuPG.

    Conclusion: Use Windows to be safe. Its encryption software is bad enough to not make you go to jail.