Slashdot Mirror


Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

15 of 558 comments

  1. Not new by The MAZZTer · · Score: 4, Interesting

    Anyone can boot from a Knoppix live CD and mount NTFS drives in Linux and poke around. NTFS security is not applied under Linux so you can have a look at anything you want. I don't see how this is a big deal.

    The only thing that might be a problem is browsing the registry, but I wonder if wine's regedit can load native Windows registry hives. If so, then all Microsoft has done is taken existing Linux functionality and made it user friendly for the police.

    Speaking of which, anyone wanna place bets as to how long it takes for this tool to spread across p2p and torrent sites?

  2. My laptop was stolen a few weeks ago ... by Anonymous Coward · · Score: 1, Interesting

    The cops busted the thieves as they were still on my property and with the loot. Although the thieves did not have enough time to crack my laptop, the police kept it for forensic analysis instead of returning it immediately.

    Lesson for anyone reading this post: Use secure wipe when buying a used laptop and encrypt if you value your privacy. It is probably standard police procedure to snoop in people's files whenever the opportunity presents itself. I am grateful for recovering my laptop, but it feels like a second violation with such intrusive methods.

  3. Re:Flaw by squallbsr · · Score: 2, Interesting

    So, this must be what that hidden NSAKEY/KEY2 encryption key is for...

    _NSAKEY

    --
    Sleep: A completely inadequate substitution for Caffeine.
  4. Re:Really? by ozmanjusri · · Score: 3, Interesting

    I'd just boot knoppix and mount the partition.

    Police over here in WA have a special distro designed for forensics.

    --
    "I've got more toys than Teruhisa Kitahara."
  5. Re:Really? by MobileTatsu-NJG · · Score: 3, Interesting

    No unix using a non-encrypted file system is secure if you have physical access to the machine... Why would you assume it's any different with Windows?

    I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

    If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself. I just bought a Mac laptop and one of the things I ran across while I was reading about it was the File Vault. According to the really really enthusiastic article I read about it, it'll encrypt all the data on my home folder based on my login password. In theory, it sounds like even if somebody mirrored the drive, they'd have trouble (assuming the password is good...) getting at my data. I just wanted to ask: From a practical point of view, does this offer me much more protection? Or is there still some braindead easy way (short of beating the password out of me :P) that data can be recovered? Supposing it does work as advertised, am I at risk for having a single point of failure? Is there a realistic possibility of a badly timed computer freeze causing me to lose it all?

    --
    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  6. Re:Really? by Anonymous Coward · · Score: 1, Interesting

    But this also means that microsoft may have some master key to decrypt filesystems, etc.

    Also, this is probably fully automated, like plugging in a flash drive. Just wait until a few of these get lost.....

  7. Re:Really? by sporkme · · Score: 2, Interesting

    Windows admin accounts can "take ownership" of folders and files through permissions dialogs, even encrypted files belonging to another admin account. Without Administrator access or a bootable OS, you can install a parallel OS on the machine or just mount the volume from another system, alter the permissions for folders at will, and access everything. We used this regularly to extract documents from a pooched MS OS when I worked as a bench tech--we used an unpatched WIN2K image and a USB IDE card.

    http://support.microsoft.com/kb/268019/en-us
    http://support.microsoft.com/kb/308421/en-us

  8. Re:Really? by 0100010001010011 · · Score: 3, Interesting

    From what I understand, No. There are ways, but nothing this simple. Your home folder is actually one massive 128-bit AES disk image. So to crackers it just looks like one big file. You could do what I do and keep stuff 'private' (Tax Returns, financial stuff) on an encrypted disk image and have the OS NOT remember the password. Plus if you forget the password you don't lose all your music and other petty stuff.

    http://en.wikipedia.org/wiki/FileVault

    I was in an Apple store once when someone brought in their file vaulted laptop computer. They had 'forgotten' their password (Their actual story was that the OS changed the password on them). Apple Genius told them they were SOL. There are ways, but none of them are easy and most require something like cooling the RAM immediately after shutdown or catching the computer when it is sleeping.

  9. Re:Flaw by Anonymous Coward · · Score: 2, Interesting

    Benefits of using a natural monopoly... I've heard of this backdoor before. Someone once told me that certain Microsoft staff have some sort of CD that will unlock any Microsoft product. Apparently, as the story goes, an IT group lost the ability to log in (critical data server); they called up Microsoft and a Microsoft official walked into the server room, put the CD in the CD tray and unlocked the system.

  10. Re:Flaw by gstoddart · · Score: 3, Interesting

    > It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.

    Wow. Just fucking wow.

    So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad.

    Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice.

    If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops.

    Cheers
    --
    Lost at C:>. Found at C.
  11. Re:Customs by Ioldanach · · Score: 3, Interesting

    > Unless there's a huge public backlash before then, I predict that Customs will roll these out to every major airport within the year.

    I hope so, because then the first slashdotter that has to go through customs can have his laptop automatically dd the entire contents of whatever usb drive gets attached to it, before they even realize it can't figure out what his laptop is running.
  12. Re:Flaw by Jafafa Hots · · Score: 2, Interesting

    > > It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.
    >
    > Wow. Just fucking wow. So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad. Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice. If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops. Cheers

    No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

    The OP is NOT abusing the system in any way shape or form - he's using the system as the system was intended.

    It's the SYSTEM that is abusive. It's the law that's wrong. Want another example? Google "civil forfeiture" and "criminal forfeiture." It's a nice way to fund government - they seize your farm because your stupid nephew had a couple of pot plants growing in your back 40.

    --
    This space available.
  13. Re:Really? by TheLink · · Score: 2, Interesting

    If you have a mac laptop and firewire AND are worried about people getting at your data, then maybe you should also figure out a way to disable full firewire access to your computer.

    See: http://rentzsch.com/macosx/securingFirewire

    "Firewire provides direct memory access. So I can plug in my PowerBook into an Xserve, and arbitrarily read and write to all of the Xserve's RAM, sans any logical protection."

    "Paul claims enabling the Open Firmware password also automatically disables Firewire DMA, preventing tricks like Quinn's."

    Go figure :).

    As for your question: I'm not familiar with File Vault.

    But with all such tech, it's very dependent on the details. In a lot of cases the encryption is done with a "secret", and your passphrase is used to unlock that secret. If the secret is destroyed and there are no copies, even if you have your passphrase you won't be able to access the data.

    With some tech, there is a way for you to create multiple keys with access to the data. So you use one key, and you store another key somewhere else safe, so if you screw up you can still go dig it out (if you can still get it ;) ). Naturally that also means someone else probably could get that...

    Another issue: if you or someone else ever makes a copy of the encrypted partition or container file, and stores it somewhere, then an attacker might be able to compare the two versions.

    Thus if the attacker can sneak in and make copies of your drives, you may have a problem. The attacker could do a "chosen plaintext attack" on you. For example the attacker could send you contrived spam emails, and compare the changes in the drive images.

    Now the other problem is backups: what do you do with backups? If you don't encrypt the backups then you have an obvious problem.

    If you make copies of the encrypted containers - see the above "chosen plaintext" thing.

    So you need to use backup software that does things correctly, and which can actually restore stuff ;).

    Crypto and security aren't easy to do right. You have to consider the costs and impact.

    --
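Posts 8 and 13 describe the usual layered design: the data is encrypted under a random volume key, and the passphrase only unwraps that key, so a second wrapped copy can serve as a recovery key, and destroying the wrapped copies leaves the data unrecoverable even to someone who still knows the passphrase. The Go program below is an added illustration of that design, not FileVault's or any product's code; the slot layout, the toy iterated-hash KDF and the AES-GCM wrap are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// Slot is one wrapped copy of the volume key (the "secret" that actually
// encrypts the data). A passphrase only unlocks a slot, never the data itself.
type Slot struct{ Salt, Nonce, Wrapped []byte }

// deriveKEK stretches a passphrase into a 256-bit key-encryption key. Toy
// iterated hashing stands in for a real KDF here (assumption, not FileVault's).
func deriveKEK(pass, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), pass...))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // 32-byte key from SHA-256: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// AddSlot wraps volumeKey under pass with a fresh salt and nonce; several
// slots (login passphrase, printed recovery key) may wrap the same volume key.
func AddSlot(volumeKey, pass []byte) Slot {
	s := Slot{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(s.Salt)
	rand.Read(s.Nonce)
	s.Wrapped = newGCM(deriveKEK(pass, s.Salt)).Seal(nil, s.Nonce, volumeKey, nil)
	return s
}

// Unwrap recovers the volume key; a wrong passphrase or a damaged slot fails GCM authentication.
func Unwrap(s Slot, pass []byte) ([]byte, error) {
	return newGCM(deriveKEK(pass, s.Salt)).Open(nil, s.Nonce, s.Wrapped, nil)
}

// DestroySlot overwrites the wrapped key: with no other slot left, the data is gone for everyone.
func DestroySlot(s *Slot) {
	for i := range s.Wrapped {
		s.Wrapped[i] = 0
	}
}
```

The salts keep the two slots independent, so a recovery slot does not weaken the login slot and either one alone is enough to recover the volume key.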
  14. Re:Flaw by Impy the Impiuos Imp · · Score: 2, Interesting

    > Microsoft has developed a small plug-in device that investigators can use to quickly
    > extract forensic data from computers that "may have been used in crimes." It basically
    > bypasses all of the Windows security (decrypting passwords, etc.)

    Two days later:

    "Here's a list of 347 web sites where you can download this."

    Thirty seven days later:

    "Microsoft has issued a security alert because of a hack that will allow anyone to remotely access and take control of your computer."

    Six months later:

    "Microsoft has issued a patch via their patch update system. Also, there is no more backdoor utility."

    Three days later:

    "Here are 4,277 web sites where you can download the new government backdoor spying Microsoft utility."

    etc.

    Actually, I wondered a long time ago if the government didn't get all up in Microsoft's face about monopoly violations so they could induce them to secretly give up ways to invade computers remotely. A few show trials and penalties, and then the government decides it's done.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  15. Re:Flaw by SiChemist · · Score: 3, Interesting

    > indeed it's a password reset, which is what i said, not a recovery. but do you trust a journalist to know the difference? i know i don't

    Good thing I wasn't replying to you :-)

    The article says:

    > It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

    Which implies that it can break in without cycling the power. That sounds more like password extraction rather than resetting. I can only go by what the article wrote, rather than speculating about what they might have meant.