Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Helps Police Crack Your Computer

Posted by timothy on from the not-linux-enabled dept.

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

13 of 558 comments (clear)

  1. I dunno... by Otter · · Score: 2, Informative
    It basically bypasses all of the Windows security...

    The article is extremely vague, but I don't see where this assertion came from. It sounds like they're distributing USB drives with a collection of cracking and monitoring tools; like what any self-respecting 1337 h4x0r carries around with him. If that's correct, there's no reason to think the same thing couldn't be done for Linux.

    --
    What I'm listening to now on Pandora...
  2. Re:What could possibly go wrong? by tokul · · Score: 3, Informative

    Reverse engineering and ...

    Why do you have to reverse engineer it when tools already exist?

  3. TrueCrypt ! by unrealmp3 · · Score: 2, Informative

    For local data privacy, I would use TrueCrypt, not Windows EFS. Use Full Disk Encryption on TrueCrypt, and their COFEE thumbdrive won't be of any help.

  4. So who needs Microsoft's device? by Orion+Blastar · · Score: 2, Informative

    Here are the top four password recovery tools for Windows according to about.com's article.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  5. Re:Really? by malinha · · Score: 2, Informative

    well, just another job to truecrypt.

  6. This has already been done by Shadow-isoHunt · · Score: 2, Informative

    This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.

    http://tourian.jchost.net/shadow/liveusb/boot.png
    http://tourian.jchost.net/shadow/liveusb/memoryremenance.png
    http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png

    http://citp.princeton.edu/memory/
    http://mcgrewsecurity.com/projects/msramdmp/ (The MS isn't for microsoft)

    --
    www.isoHunt.com
    1. Re:This has already been done by palewook · · Score: 2, Informative

      More Info: http://www.news.com/8301-10784_3-9930664-7.html And PDF's with details from 2 conferences: http://www.techsec.com/pdf/Tuesday/On%20Demand%20Mike%20Duren.pdf http://www.marcomattiucci.it/ieong.pdf

  7. Nothing really new.. by greywire · · Score: 2, Informative

    Not sure what the big deal is.

    If you are a computer forensic investigator you already have many available tools (EnCase, etc) to do the same thing, not to mention the obvious linux based free tools (Helix, etc) that let you pound away on a computer (or captured image) and get whatever you want off it.

    Keeping your computer completely secure is about as practical as copyright owners keeping their data totally protected. Its always an escalating two way battle and the winner is just the one who's willing to go the farthest with it, but nothing is 100% safe.

    Privacy and DRM are both doomed for the same reasons.

    Get over it.

    --
    -- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
  8. Some COFEE info from an Australian L.E. Conference by d3ac0n · · Score: 3, Informative
    Google .DOC-to-HTML link

    Here is the original link if anyone wants it: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc

    If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

    Computer Online Forensic Evidence Extractor (COFEE)

    In year 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006) COFEE uses batch script to manage a list of existing incident response tools and IT security tools volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts, programs were stored on USB storage device before data acquisition.

    Instead of requesting users to key in the output directory, COFEE automatically redirect the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, Operating System dependent program will be automatically selected after the version detection. Investigator only needs to insert the USB storage devices to the target machine and click one to two buttons in order to start the data acquisition process.

    Another difference between COFEE with other live forensics toolkits is separation of the data acquisition procedures with the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on target machine may also alter the memory content in the target machine. As report generation does not necessarily be executed on target machine, therefore, only data acquisition programs, in COFEE, would be executed on target machines. All program selection, data examination and analysis processes would be performed on investigator machine.

    Besides, more forensics programs are supported by COFEE such as screen capture and password capture tools.


    Interestingly, this article if from 2006. So COFEE has been around for 2 years already. Fascinating that we are just hearing about it now.
    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
  9. Re:Really? by makomk · · Score: 2, Informative

    The whole point of encryption is that it cannot be easily bypassed. The only way to get past the encryption is to decrypt the encrypted information. Now obviously Microsoft may have included back door keys or other mechanisms as "safety valves" for law enforcement, but nobody who is serious about their cryptography is going to trust the Microsoft disk encryption services. The full disk encryption services provided by TrueCrypt [truecrypt.org] (free and open source), for example, are NOT going to be easily defeated by any external technical analysis. The whole point of this is that they can use it as a tool to analyze live systems which still have the encryption key in memory from when the user opened the encrypted volume. Using Truecrypt or other third-party encryption software won't protect you - if the encrypted volume was open when the police got to you, the data can be extracted no matter what you were using.

    Presumably, this has backdoors to bypass things like the Windows screen locker (which would otherwise be a major obstacle to working with live systems) built in.
  10. Re:Flaw by ricree · · Score: 2, Informative

    No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also. Not necessarily. In United States v. Boucher for example, a US district court ruled that the fifth amendment protections extend to encryption keys. The ruling has been appealed, of course, so we'll have to wait and see what happens there, but if it stands then there would seem that you can withhold your key in many cases.
  11. Re:Really? by v1 · · Score: 3, Informative

    The gorey details here are that the key to the filevault is a random number, and THAT is encrypted separately in the header using two different keys - the user's hashed password, and the filevault master. So if you know the master password, OR the user password, you can decrypt the actual image key and can get in. And changing the user password does not require reencoding all the image data, you just reencode the key in the header using the new password

    There is no other back door. The only possible hack is if they have auto login turned on, which basically indicates they are a retard. Technically it's possible to recover the login password once booted and auto logged in, though I have yet to see anyone figure it out, and I do look periodically. But at that point the HD is mounted anyway so all your data is there for copying to ext HD. Just no access to passwords in the keychain, (as in to recover, but you can still use them since the keychain is probably unlocked) but as above that is technically possible but not seen it done yet.

    If auto login is not on, they are not logged in, you don't know the password, and you don't know the master password, nobody can help you. Not the Apple store, not Steve, it doesn't matter who you are.

    --
    I work for the Department of Redundancy Department.
  12. Re:Really? by megaditto · · Score: 2, Informative

    One could always brute-force the password. Pre-10.3, DES brute-forcing would take about a month on your desktop computer. Since then they changed it to blowfish or something similar, so it would take longer.

    Certainly, NSA or some random botnet master would be able to recover your password in minutes if they needed to.

    --
    Obama likes poor people so much, he wants to make more of them.