Slashdot Mirror


Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

15 of 558 comments

  1. I dunno... by Otter · · Score: 2, Informative
    It basically bypasses all of the Windows security...

    The article is extremely vague, but I don't see where this assertion came from. It sounds like they're distributing USB drives with a collection of cracking and monitoring tools; like what any self-respecting 1337 h4x0r carries around with him. If that's correct, there's no reason to think the same thing couldn't be done for Linux.

  2. Re:What could possibly go wrong? by tokul · · Score: 3, Informative

    Reverse engineering and ...

    Why do you have to reverse engineer it when tools already exist?

  3. TrueCrypt ! by unrealmp3 · · Score: 2, Informative

    For local data privacy, I would use TrueCrypt, not Windows EFS. Use Full Disk Encryption on TrueCrypt, and their COFEE thumbdrive won't be of any help.

  4. Seriously? by Anonymous Coward · · Score: 1, Informative

    "It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer."

    Wow, that's a really biased summary. Here's what the article actually says:

    "The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer."

    Between those lines, I do not see what you see...

  5. So who needs Microsoft's device? by Orion+Blastar · · Score: 2, Informative
    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  6. Re:Really? by malinha · · Score: 2, Informative

    Well, just another job for TrueCrypt.

  7. This has already been done by Shadow-isoHunt · · Score: 2, Informative
    --
    www.isoHunt.com
    1. Re:This has already been done by palewook · · Score: 2, Informative
  8. Re:Well, why am I not surprised? by Anonymous Coward · · Score: 1, Informative

    But all hope is not lost -- running Windows on a hypervisor would be a bit more secure -- at least you can restart with the same snapshot, eliminating any attempts to embed a rootkit or snooping ware.

    I've been running Windows using hardware virtualization under a Xen hypervisor. That said, currently I've gone the VMware route (using the free [as in costing $0] 'vmplayer'). I keep a great many images/snapshots. For example, in a few days it's going to be time to dig out an old 'pure Windows XP' install, plain and fresh, to install the latest service pack (SP3). Of course, as soon as SP3 is installed I'll make a new image/snapshot. Killing a whole system instantly is as simple as 'kill -9' (VMware) or 'xm destroy ...' (Xen). Re-installing from an old snapshot takes less than one minute (depending on the size of your image). You can't beat that :)

  9. Nothing really new.. by greywire · · Score: 2, Informative

    Not sure what the big deal is.

    If you are a computer forensic investigator you already have many available tools (EnCase, etc) to do the same thing, not to mention the obvious linux based free tools (Helix, etc) that let you pound away on a computer (or captured image) and get whatever you want off it.

    Keeping your computer completely secure is about as practical as copyright owners keeping their data totally protected. It's always an escalating two-way battle and the winner is just the one who's willing to go the farthest with it, but nothing is 100% safe.

    Privacy and DRM are both doomed for the same reasons.

    Get over it.

    --
    -- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
  10. Some COFEE info from an Australian L.E. Conference by d3ac0n · · Score: 3, Informative
    Google .DOC-to-HTML link

    Here is the original link if anyone wants it: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc

    If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

    Computer Online Forensic Evidence Extractor (COFEE)

    In 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006). COFEE uses batch scripts to manage a list of existing incident response tools and IT security tools as a volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts and programs were stored on a USB storage device before data acquisition.

    Instead of requesting users to key in the output directory, COFEE automatically redirects the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, the Operating System dependent program will be automatically selected after the version detection. The investigator only needs to insert the USB storage device into the target machine and click one to two buttons in order to start the data acquisition process.

    Another difference between COFEE and other live forensics toolkits is the separation of the data acquisition procedures from the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on the target machine may also alter the memory content of the target machine. As report generation does not necessarily have to be executed on the target machine, only data acquisition programs in COFEE are executed on target machines. All program selection, data examination and analysis processes are performed on the investigator's machine.

    Besides, more forensics programs are supported by COFEE, such as screen capture and password capture tools.


    Interestingly, this article is from 2006. So COFEE has been around for 2 years already. Fascinating that we are just hearing about it now.
    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
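The acquisition design described in the proceedings excerpt above, as an added example that is not COFEE's own code and not posted by anyone in the thread: a script that lives on the investigator's removable media, picks a tool list for the detected OS, runs only existing tools, writes their raw output back to the media, hashes each output on the spot, and leaves all examination for the examiner's machine. The tool lists in the two profiles, the output layout and the DEMO_STEPS dry-run entries are my assumptions (the dry run is constructed so the block can be exercised on any host that has Python).

```python
"""Added example, not COFEE's own code: a minimal live-response acquisition
runner in the style the proceedings describe. It runs tools that already exist
on the target, writes their raw output to a directory on the investigator's
removable media, and records a SHA-256 manifest. It deliberately does no parsing
or report generation on the target; that happens later on the examiner's machine.
The tool lists and the two OS profiles are assumptions."""
import hashlib
import os
import platform
import subprocess
import sys
import tempfile
import time

# Collection profiles keyed by what platform.system() reports. Ordered roughly
# by volatility: process and network state first, then longer-lived state.
PROFILES = {
    "Windows": [
        ("tasklist", ["tasklist.exe", "/v"]),
        ("netstat", ["netstat.exe", "-ano"]),
        ("ipconfig", ["ipconfig.exe", "/all"]),
        ("net_session", ["net.exe", "session"]),
    ],
    "Linux": [
        ("ps", ["ps", "auxww"]),
        ("ss", ["ss", "-tulpan"]),
        ("ip_addr", ["ip", "addr"]),
        ("mounts", ["cat", "/proc/mounts"]),
    ],
}

# Constructed, portable steps for a dry run on any host that has Python:
# one tool that works and one that is missing, to show how a gap is recorded.
DEMO_STEPS = [
    ("python_version", [sys.executable, "-c", "import sys; print(sys.version)"]),
    ("missing_tool", ["no-such-tool-on-this-host"]),
]


def select_profile(system=None):
    """Pick the tool list for the detected OS (the 'OS version detection' step)."""
    system = system or platform.system()
    if system not in PROFILES:
        raise RuntimeError("no acquisition profile for %s" % system)
    return PROFILES[system]


def run_step(name, argv, out_dir, timeout=60):
    """Run one tool and store its combined stdout/stderr as raw bytes.

    Nothing is decoded or trimmed: any transformation done here runs on the
    target and cannot be undone by the examiner. Returns (file, sha256, rc).
    """
    path = os.path.join(out_dir, name + ".out")
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
        data, rc = proc.stdout, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is recorded, not hidden, so the gap is auditable.
        data, rc = ("ACQUISITION ERROR: %r\n" % (exc,)).encode(), -1
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.basename(path), hashlib.sha256(data).hexdigest(), rc


def acquire(out_root=None, steps=None):
    """Run every step into a fresh directory under out_root and write a manifest.

    out_root should be the removable media; None uses a temp dir for a dry run.
    Returns (out_dir, manifest) so the manifest can be checked programmatically.
    """
    steps = select_profile() if steps is None else steps
    out_root = out_root or tempfile.mkdtemp(prefix="acq_")
    out_dir = os.path.join(out_root, "%s_%d" % (platform.node() or "host", int(time.time())))
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for name, argv in steps:
        fname, digest, rc = run_step(name, argv, out_dir)
        manifest.append({"name": name, "argv": argv, "file": fname, "sha256": digest, "rc": rc})
    with open(os.path.join(out_dir, "manifest.txt"), "w") as fh:
        for m in manifest:
            fh.write("%s  %s  rc=%d  %s\n" % (m["sha256"], m["file"], m["rc"], " ".join(m["argv"])))
    return out_dir, manifest


def verify(out_dir, manifest):
    """Examiner-side check: every stored output still matches its recorded hash."""
    for m in manifest:
        with open(os.path.join(out_dir, m["file"]), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != m["sha256"]:
                return False
    return True


if __name__ == "__main__":
    # Run from the USB stick: outputs go beside the script, never on the target disk.
    out_dir, manifest = acquire(os.path.dirname(os.path.abspath(__file__)))
    print(out_dir, "manifest ok" if verify(out_dir, manifest) else "HASH MISMATCH")
```

The design choice worth noting is the one the proceedings make: the target only ever sees tool execution and a file write, while hashing records what was collected so that any later processing on the examiner's machine can be shown not to have altered it. Running the Python interpreter on the target is itself a footprint a real kit would avoid (COFEE used batch scripts for that reason); the structure, not the runtime, is the point here.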
  11. Re:Really? by makomk · · Score: 2, Informative

    The whole point of encryption is that it cannot be easily bypassed. The only way to get past the encryption is to decrypt the encrypted information. Now obviously Microsoft may have included back door keys or other mechanisms as "safety valves" for law enforcement, but nobody who is serious about their cryptography is going to trust the Microsoft disk encryption services. The full disk encryption services provided by TrueCrypt [truecrypt.org] (free and open source), for example, are NOT going to be easily defeated by any external technical analysis. The whole point of this is that they can use it as a tool to analyze live systems which still have the encryption key in memory from when the user opened the encrypted volume. Using Truecrypt or other third-party encryption software won't protect you - if the encrypted volume was open when the police got to you, the data can be extracted no matter what you were using.

    Presumably, this has backdoors to bypass things like the Windows screen locker (which would otherwise be a major obstacle to working with live systems) built in.
  12. Re:Flaw by ricree · · Score: 2, Informative

    No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

    Not necessarily. In United States v. Boucher, for example, a US district court ruled that the fifth amendment protections extend to encryption keys. The ruling has been appealed, of course, so we'll have to wait and see what happens there, but if it stands then it would seem that you can withhold your key in many cases.
  13. Re:Really? by v1 · · Score: 3, Informative

    The gory details here are that the key to the FileVault is a random number, and THAT is encrypted separately in the header using two different keys: the user's hashed password, and the FileVault master. So if you know the master password, OR the user password, you can decrypt the actual image key and can get in. And changing the user password does not require re-encoding all the image data, you just re-encode the key in the header using the new password.

    There is no other back door. The only possible hack is if they have auto login turned on, which basically indicates they are a retard. Technically it's possible to recover the login password once booted and auto logged in, though I have yet to see anyone figure it out, and I do look periodically. But at that point the HD is mounted anyway so all your data is there for copying to ext HD. Just no access to passwords in the keychain, (as in to recover, but you can still use them since the keychain is probably unlocked) but as above that is technically possible but not seen it done yet.

    If auto login is not on, they are not logged in, you don't know the password, and you don't know the master password, nobody can help you. Not the Apple store, not Steve, it doesn't matter who you are.

    --
    I work for the Department of Redundancy Department.
  14. Re:Really? by megaditto · · Score: 2, Informative

    One could always brute-force the password. Pre-10.3, DES brute-forcing would take about a month on your desktop computer. Since then they changed it to blowfish or something similar, so it would take longer.

    Certainly, NSA or some random botnet master would be able to recover your password in minutes if they needed to.

    --
    Obama likes poor people so much, he wants to make more of them.
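The header scheme v1 describes in comment 13 and the brute-force cost megaditto raises in comment 14, as an added example that is neither Apple's FileVault code nor anything posted in the thread: a random image key wrapped once under a key derived from the user password and once under a master key, so either secret unlocks it; a password change that touches only the header while the encrypted image is left untouched; and an offline guessing loop against the header alone, whose cost is the number of guesses times the KDF work factor. The cipher (an HMAC-SHA256 keystream with an HMAC tag), PBKDF2-HMAC-SHA256 as the password hash, and the iteration count are assumptions chosen so the block runs on the Python standard library; they are not FileVault's actual primitives.

```python
"""Added example, not Apple's FileVault code: the two-wrap header v1 describes
and the offline guessing megaditto describes, on the Python standard library.
Assumptions: a toy encrypt-then-MAC cipher built from HMAC-SHA256, PBKDF2 as the
password hash, and a tunable iteration count. FileVault's real primitives are
not on the page and are not claimed here."""
import hashlib
import hmac
import os
import struct

KDF_ITER = 20000  # assumption: the work factor that sets the cost of each guess


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used as a stream cipher for the demo."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Toy authenticated encryption: fresh nonce, XOR keystream, then an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Inverse of seal(); returns None on a wrong key or tampering (fails closed)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def password_kek(password, salt, iterations=KDF_ITER):
    """Key-encryption key derived from the user's password (the 'hashed password')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def create_image(password, master_key, data):
    """A random image key encrypts the data; the header holds two wraps of that key."""
    image_key, salt = os.urandom(32), os.urandom(16)
    header = {
        "salt": salt,
        "iterations": KDF_ITER,
        "user_wrap": seal(password_kek(password, salt), image_key),
        "master_wrap": seal(master_key, image_key),
    }
    return header, seal(image_key, data)


def unlock(header, ciphertext, password=None, master_key=None):
    """Either the user password or the master key recovers the image key; neither, nothing."""
    image_key = None
    if password is not None:
        image_key = open_(password_kek(password, header["salt"], header["iterations"]),
                          header["user_wrap"])
    if image_key is None and master_key is not None:
        image_key = open_(master_key, header["master_wrap"])
    if image_key is None:
        return None
    return open_(image_key, ciphertext)


def change_password(header, old_password, new_password):
    """Only the header changes: the image key is re-wrapped, the image data is untouched."""
    image_key = open_(password_kek(old_password, header["salt"], header["iterations"]),
                      header["user_wrap"])
    if image_key is None:
        raise ValueError("old password does not unwrap the image key")
    salt = os.urandom(16)
    return dict(header, salt=salt, user_wrap=seal(password_kek(new_password, salt), image_key))


def brute_force(header, candidates):
    """Offline guessing needs only the header; each guess costs one full KDF run."""
    for guess in candidates:
        kek = password_kek(guess, header["salt"], header["iterations"])
        if open_(kek, header["user_wrap"]) is not None:
            return guess
    return None


if __name__ == "__main__":
    master = os.urandom(32)
    hdr, ct = create_image("correct horse", master, b"constructed sample image contents")
    hdr = change_password(hdr, "correct horse", "battery staple")
    print(unlock(hdr, ct, password="battery staple"), unlock(hdr, ct, master_key=master))
    print("guessed:", brute_force(hdr, ["123456", "battery staple"]))
```

Two things fall out of the structure. Because the master wrap is independent of the user wrap, whoever holds the master key can open any image regardless of the user's password, which is exactly the "safety valve" makomk warns about and why the comment says there is no other back door only if that key is not held by someone else. And because a password change rewrites only user_wrap, a copy of the old header taken before the change still unwraps the same image key with the old password; the data under it never changed.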