Slashdot Mirror


Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

60 of 558 comments

  1. Flaw by Narpak · · Score: 5, Insightful

    Seems to me that if all you need to do to get full access to anyone's computer (anyone running Windows, that is) is a Microsoft-made device, that is a serious security flaw.

    1. Re:Flaw by EMeta · · Score: 4, Funny

      Ah, but since the cracking device itself is made by Microsoft, it's not likely to work most of the time anyway. Just MS doing their part to safeguard our liberties.

    2. Re:Flaw by gstoddart · · Score: 5, Insightful

      Seems to me that if all you need to do to get full access to anyone's computer (anyone running Windows, that is) is a Microsoft-made device, that is a serious security flaw.

      And, a scary precedent.

      When the man kicks in your door, hooks up his thumb drive to your Linux box and doesn't get what he wants ... you will have committed a crime by not making your information available in a format accessible to law enforcement. Only terrorists would do that.

      The above is a deliberately absurd example. One which I fear is less far fetched than one would have previously hoped.

      Mostly, I agree with some of the other posters here ... if Microsoft can make this, that means there's a defined mechanism you can use to completely defeat any form of security in Windows. And, that's bad; someone will figure this out.

      Cheers
      --
      Lost at C:>. Found at C.
    3. Re:Flaw by esocid · · Score: 2, Funny

      Don't worry, it's Certified for Windows Vista!

      --
      Absolute power corrupts absolutely. indymedia
    4. Re:Flaw by squallbsr · · Score: 2, Interesting

      So, this must be what that hidden NSAKEY/KEY2 encryption key is for...

      _NSAKEY

      --
      Sleep: A completely inadequate substitution for Caffeine.
    5. Re:Flaw by lattyware · · Score: 2, Funny

      Well done for saying what was clearly stated in the article, pointing out the bloody obvious, +insightful to you sir!

      --
      -- Lattyware (www.lattyware.co.uk)
    6. Re:Flaw by Anonymous Coward · · Score: 2, Interesting

      Benefits of using a natural monopoly .... I heard of this backdoor before. Someone once told me that certain Microsoft staff have some sort of CD that will unlock any Microsoft product. Apparently, as the story goes, an IT group lost the ability to log in (critical data server); they called up Microsoft and a Microsoft official walked into the server room, put the CD in the CD tray and unlocked the system.

    7. Re:Flaw by gstoddart · · Score: 3, Interesting

      It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.

      Wow. Just fucking wow.

      So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad.

      Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice.

      If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops.

      Cheers
      --
      Lost at C:>. Found at C.
    8. Re:Flaw by Jafafa+Hots · · Score: 2, Interesting

      It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.
      Wow. Just fucking wow. So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad. Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice. If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops. Cheers

      No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

      The OP is NOT abusing the system in any way shape or form - he's using the system as the system was intended.

      It's the SYSTEM that is abusive. It's the law that's wrong. Want another example? Google "civil forfeiture" and "criminal forfeiture." It's a nice way to fund government - they seize your farm because your stupid nephew had a couple of pot plants growing in your back 40.

      --
      This space available.
    9. Re:Flaw by Feyr · · Score: 3, Insightful

      look on google for ntpasswd

      linux-based livecd that will reset any password on your windows partition.

      if you have physical access and it's not encrypted, any data is fair game, it doesn't have anything to do with Microsoft (in fact, I'm pretty pissed at MS for making it such a hassle to reset a password)

    10. Re:Flaw by ricree · · Score: 2, Informative

      No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

      Not necessarily. In United States v. Boucher for example, a US district court ruled that the fifth amendment protections extend to encryption keys. The ruling has been appealed, of course, so we'll have to wait and see what happens there, but if it stands then there would seem that you can withhold your key in many cases.
    11. Re:Flaw by Impy+the+Impiuos+Imp · · Score: 2, Interesting

      > Microsoft has developed a small plug-in device that investigators can use to quickly
      > extract forensic data from computers that "may have been used in crimes." It basically
      > bypasses all of the Windows security (decrypting passwords, etc.)

      Two days later:

      "Here's a list of 347 web sites where you can download this."

      Thirty seven days later:

      "Microsoft has issued a security alert because of a hack that will allow anyone to remotely access and take control of your computer."

      Six months later:

      "Microsoft has issued a patch via their patch update system. Also, there is no more backdoor utility."

      Three days later:

      "Here are 4,277 web sites where you can download the new government backdoor spying Microsoft utility."

      etc.

      Actually, I wondered a long time ago if the government didn't get all up in Microsoft's face about monopoly violations so they could induce them to secretly give up ways to invade computers remotely. A few show trials and penalties, and then the government decides it's done.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    12. Re:Flaw by SiChemist · · Score: 2, Insightful

      What you are doing is NOT password recovery-- it is RESETTING the password. Resetting a password is trivial on Linux and Windows (if you have physical access), but the article says this device can decrypt passwords on the system. That is worth worrying a little.

    13. Re:Flaw by SiChemist · · Score: 3, Interesting

      indeed it's a password reset, which is what i said, not a recovery. but do you trust a journalist to know the difference? i know i don't

      Good thing I wasn't replying to you :-)

      The article says

      It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

      Which implies that it can break in without cycling the power. That sounds more like password extraction rather than resetting. I can only go by what the article wrote, rather than speculating about what they might have meant.
  2. What could possibly go wrong? by mrbah · · Score: 4, Insightful

    Reverse engineering and (more) malicious usage in 3... 2... 1.

    1. Re:What could possibly go wrong? by nawcom · · Score: 4, Funny

      Reverse engineering and (more) malicious usage in 3... 2... 1.

      Link to torrent of the COFEE thumb drive image on TPB in 3... 2... 1.
    2. Re:What could possibly go wrong? by tokul · · Score: 3, Informative

      Reverse engineering and ...

      Why do you have to reverse engineer it when tools already exist?

  3. This works! by towelie-ban · · Score: 3, Funny

    They're already selling these online. Just check the box next to "I certify I'm a cop. Seriously, I am." and it's all yours for $19.95.

  4. Here it comes... by NewbieProgrammerMan · · Score: 3, Funny

    Cue the "if you have nothing to hide..." responses (and possibly some Hans Reiser jokes).

    --
    [b.belong('us') for b in bases if b.owner() == 'you']
  5. How the - by Fynd · · Score: 5, Funny

    ...bypasses all of the Windows security...

    All of the Windows security - I can't even fathom how complex that device must be, that sure is a lot of security to bypass.
    1. Re:How the - by pilgrim23 · · Score: 3, Funny

      Did anyone else notice that the Microsoft spokesman's name is...Mr. (Agent?) Smith?

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
  6. I dunno... by Otter · · Score: 2, Informative

    It basically bypasses all of the Windows security...

    The article is extremely vague, but I don't see where this assertion came from. It sounds like they're distributing USB drives with a collection of cracking and monitoring tools; like what any self-respecting 1337 h4x0r carries around with him. If that's correct, there's no reason to think the same thing couldn't be done for Linux.

  7. This is very smart on Microsoft's part... by ConceptJunkie · · Score: 2, Insightful

    ...it's just one more nail in the coffin of being "allowed" to use OSS. After all, if you have nothing to hide then you have nothing to fear, and only criminals would use OSS that would allow them to evade government snooping.

    I'm sure some lobbyist is sitting with a Congressional staffer right now, explaining how requiring Windows on every computer is essential to the War on Terrorism.

    --
    You are in a maze of twisty little passages, all alike.
  8. Re:Interesting thought by AltGrendel · · Score: 2, Funny

    Makes me curious as to what would happen if, for some reason, my computer were seized and the police booted up to an Ubuntu welcome screen... heh...

    They would probably post questions to "Ask Slashdot".

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

  9. Physical access equals ownage under any OS by Mashiara · · Score: 3, Insightful

    unless the hardware itself is secured and tamper-resistant enough (i.e. the cost of successful tampering is higher than the value of the data).

    This has always been true.

  10. Not new by The+MAZZTer · · Score: 4, Interesting

    Anyone can boot from a Knoppix live CD and mount NTFS drives in Linux and poke around. NTFS security is not applied under Linux so you can have a look at anything you want. I don't see how this is a big deal.

    The only thing that might be a problem is browsing the registry, but I wonder if wine's regedit can load native Windows registry hives. If so, then all Microsoft has done is taken existing Linux functionality and made it user friendly for the police.

    Speaking of which, anyone wanna place bets as to how long it takes for this tool to spread across p2p and torrent sites?

  11. Do not pass "go", do not collect... by Anonymous Coward · · Score: 3, Funny

    "Where do you want to go today?"
    Jail?

  12. Re:Interesting thought by EasyTarget · · Score: 2

    No.
    They'll get my FreeBSD box, fail to understand it, probably reformat the RAID drives trying to run a 'disk checker' on them. Then use this as evidence of my wrongdoing.

    "He had a 'so called' open computer, that no 'normal' person can understand, breaking all Microsoft's standards and patents. It's made of Demons! burn the TERRORIST!!!"

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  13. TrueCrypt ! by unrealmp3 · · Score: 2, Informative

    For local data privacy, I would use TrueCrypt, not Windows EFS. Use Full Disk Encryption on TrueCrypt, and their COFEE thumbdrive won't be of any help.

  14. Really? by SatanicPuppy · · Score: 5, Insightful

    No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

    I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

    If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Really? by ozmanjusri · · Score: 3, Interesting
      I'd just boot knoppix and mount the partition.

      Police over here in WA have a special distro designed for forensics.

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:Really? by malinha · · Score: 2, Informative

      well, just another job to truecrypt.

    3. Re:Really? by SnapShot · · Score: 2, Funny

      It would be really funny / ironic if this "plug-in" device WAS just knoppix on a thumb drive.

      --
      Waltz, nymph, for quick jigs vex Bud.
    4. Re:Really? by MobileTatsu-NJG · · Score: 3, Interesting

      No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

      I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

      If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.

      I just bought a Mac laptop and one of the things I ran across while I was reading about it was the File Vault. According to the really really enthusiastic article I read about it, it'll encrypt all the data on my home folder based on my login password. In theory, it sounds like even if somebody mirrored the drive, they'd have trouble (assuming the password is good...) getting at my data. I just wanted to ask: From a practical point of view, does this offer me much more protection? Or is there still some braindead easy way (short of beating the password out of me :P) that data can be recovered? Supposing it does work as advertised, am I at risk for having a single point of failure? Is there a realistic possibility of a badly timed computer freeze causing me to lose it all?

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    5. Re:Really? by Crayon+Kid · · Score: 2, Funny

      Define "bad people", please.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    6. Re:Really? by RMB2 · · Score: 2, Funny

      Ummm, did you RTFA? Microsoft is intentionally putting it right into the hands of the police. THEY already have it.

      --
      [/sarcasm]
    7. Re:Really? by Ron_Fitzgerald · · Score: 2, Funny

      Government officials...

      --
      ~ Ron Fitzgerald
    8. Re:Really? by sporkme · · Score: 2, Interesting

      Windows admin accounts can "take ownership" of folders and files through permissions dialogs, even encrypted files belonging to another admin account. Without Administrator access or a bootable OS, you can install a parallel OS on the machine or just mount the volume from another system, alter the permissions for folders at will, and access everything. We used this regularly to extract documents from a pooched MS OS when I worked as a bench tech--we used an unpatched WIN2K image and a USB IDE card.

      http://support.microsoft.com/kb/268019/en-us
      http://support.microsoft.com/kb/308421/en-us

    9. Re:Really? by 0100010001010011 · · Score: 3, Interesting

      From what I understand, No. There are ways, but nothing this simple. Your home folder is actually one massive 128bit AES disk image. So to crackers it just looks like one big file. You could do what I do and keep stuff 'private' (Tax Returns, financial stuff) on an encrypted disk image and have the OS NOT remember the password. Plus if you forget the password you don't lose all your music and other petty stuff.

      http://en.wikipedia.org/wiki/FileVault

      I was in an Apple store once when someone brought in their file vaulted laptop computer. They had 'forgotten' their password (Their actual story was that the OS changed the password on them). Apple Genius told them they were SOL. There are ways, but none of them are easy and most require something like cooling the RAM immediately after shutdown or catching the computer when it is sleeping.

    10. Re:Really? by HeronBlademaster · · Score: 2, Insightful

      Obviously you didn't read the article. The whole benefit of the device is that it can plug in to a machine and gather evidence without having to unplug the machine from the network or a power source (to move it). The article also specifically describes the device as a USB thumb drive.

      The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence [...] It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

      I assume these 150 commands are specific to Windows' internal undocumented APIs that only Microsoft would be aware of.
    11. Re:Really? by bill_kress · · Score: 2, Insightful

      I saw a really good post that applies to this entire thread (including File Vault)

      If the NSA isn't freaking out about some kind of encryption trying to get it banned, it's because they can get into it.

      Also, the more secure you think your files are, the more likely you'll put stuff there that might interest them.

    12. Re:Really? by TheLink · · Score: 2, Interesting

      If you have a mac laptop and firewire AND are worried about people getting at your data, then maybe you should also figure out a way to disable full firewire access to your computer.

      See: http://rentzsch.com/macosx/securingFirewire

      "Firewire provides direct memory access. So I can plug in my PowerBook into an Xserve, and arbitrarily read and write to all of the Xserve's RAM, sans any logical protection."

      "Paul claims enabling the Open Firmware password also automatically disables Firewire DMA, preventing tricks like Quinn's."

      Go figure :).

      As for your question. I'm not familiar with File Vault.

      But with all such tech, it's very dependent on the details. A lot of cases the encryption is done with a "secret", and your passphrase is used to unlock that secret. If the secret is destroyed and there are no copies, even if you have your passphrase you won't be able to access the data.

      With some tech, there is a way for you to create multiple keys with access to the data. So you use one key, and you store another key somewhere else safe, so if you screw up you can still go dig it out (if you can still get it ;) ). Naturally that also means someone else probably could get that...

      Another issue: if you or someone else ever makes a copy of the encrypted partition or container file, and stores it somewhere, then an attacker might be able to compare the two versions.

      Thus if the attacker can sneak in and make copies of your drives, you may have a problem. The attacker could do a "chosen plaintext attack" on you. For example the attacker could send you contrived spam emails, and compare the changes in the drive images.

      Now the other problem is backups, what do you do with backups. If you don't encrypt the backups then you have an obvious problem.

      If you make copies of the encrypted containers - see the above "chosen plaintext" thing.

      So you need to use backup software that does things correctly, and which can actually restore stuff ;).

      Crypto and security isn't easy to do right. You have to consider the costs and impact.

      --
    13. Re:Really? by makomk · · Score: 2, Informative

      The whole point of encryption is that it cannot be easily bypassed. The only way to get past the encryption is to decrypt the encrypted information. Now obviously Microsoft may have included back door keys or other mechanisms as "safety valves" for law enforcement, but nobody who is serious about their cryptography is going to trust the Microsoft disk encryption services. The full disk encryption services provided by TrueCrypt [truecrypt.org] (free and open source), for example, are NOT going to be easily defeated by any external technical analysis.

      The whole point of this is that they can use it as a tool to analyze live systems which still have the encryption key in memory from when the user opened the encrypted volume. Using Truecrypt or other third-party encryption software won't protect you - if the encrypted volume was open when the police got to you, the data can be extracted no matter what you were using.

      Presumably, this has backdoors to bypass things like the Windows screen locker (which would otherwise be a major obstacle to working with live systems) built in.
    14. Re:Really? by v1 · · Score: 3, Informative

      The gory details here are that the key to the filevault is a random number, and THAT is encrypted separately in the header using two different keys - the user's hashed password, and the filevault master. So if you know the master password, OR the user password, you can decrypt the actual image key and can get in. And changing the user password does not require reencoding all the image data, you just reencode the key in the header using the new password.

      There is no other back door. The only possible hack is if they have auto login turned on, which basically indicates they are a retard. Technically it's possible to recover the login password once booted and auto logged in, though I have yet to see anyone figure it out, and I do look periodically. But at that point the HD is mounted anyway so all your data is there for copying to ext HD. Just no access to passwords in the keychain, (as in to recover, but you can still use them since the keychain is probably unlocked) but as above that is technically possible but not seen it done yet.

      If auto login is not on, they are not logged in, you don't know the password, and you don't know the master password, nobody can help you. Not the Apple store, not Steve, it doesn't matter who you are.

      --
      I work for the Department of Redundancy Department.
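The key-slot layout v1 describes (a random image key wrapped separately under the user password and the master password, so a password change only re-wraps the header) and TheLink's point that a destroyed secret leaves even the right passphrase useless, as an added example written for this page. It is not FileVault's format or code: the stream cipher is HMAC-SHA256 in counter mode standing in for AES so it runs with the standard library alone, and the slot names and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

KDF_ITERS = 100_000  # PBKDF2 work factor; an assumption for the demo


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (NOT FileVault's AES): XOR data with successive
    HMAC-SHA256(key, nonce || counter) blocks. One call both encrypts and decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def _derive(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key; the salt is stored per slot in the header."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


def _seal(key: bytes, label: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC so a wrong key (or a tampered header) is detected."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _open(key: bytes, label: bytes, box: Dict[str, bytes]) -> Optional[bytes]:
    """Reverse of _seal; returns None instead of garbage when the key is wrong."""
    tag = hmac.new(key, label + box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["tag"]):
        return None
    return _keystream_xor(key, box["nonce"], box["ct"])


class Container:
    """Body encrypted under a random data key; the header holds one wrapped
    copy of that key per unlock secret (e.g. "user" and "master" passwords)."""

    def __init__(self, plaintext: bytes, passwords: Dict[str, str]):
        data_key = secrets.token_bytes(32)  # the "random number"; never stored in clear
        self.body = _seal(data_key, b"body", plaintext)
        self.slots: Dict[str, Dict[str, bytes]] = {}
        for name, pw in passwords.items():
            self._write_slot(name, pw, data_key)

    def _write_slot(self, name: str, password: str, data_key: bytes) -> None:
        salt = os.urandom(16)
        slot = _seal(_derive(password, salt), b"slot", data_key)
        slot["salt"] = salt
        self.slots[name] = slot

    def _data_key(self, name: str, password: str) -> Optional[bytes]:
        slot = self.slots.get(name)
        if slot is None:
            return None
        return _open(_derive(password, slot["salt"]), b"slot", slot)

    def unlock(self, name: str, password: str) -> Optional[bytes]:
        """Recover the data key through one slot, then decrypt the body.
        Returns None if the slot is missing or the password is wrong."""
        data_key = self._data_key(name, password)
        if data_key is None:
            return None
        return _open(data_key, b"body", self.body)

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Re-wrap the data key in one slot; the body bytes are untouched,
        which is why a password change does not re-encrypt the data."""
        data_key = self._data_key(name, old)
        if data_key is None:
            return False
        self._write_slot(name, new, data_key)
        return True

    def remove_slot(self, name: str) -> None:
        """Destroy one wrapped copy of the key. Once no slot remains, the
        body is unrecoverable even with every password in hand."""
        self.slots.pop(name, None)
```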
    15. Re:Really? by megaditto · · Score: 2, Informative

      One could always brute-force the password. Pre-10.3, DES brute-forcing would take about a month on your desktop computer. Since then they changed it to blowfish or something similar, so it would take longer.

      Certainly, NSA or some random botnet master would be able to recover your password in minutes if they needed to.

      --
      Obama likes poor people so much, he wants to make more of them.
    16. Re:Really? by mrv20 · · Score: 2, Funny

      or catching the computer when it is sleeping

      That conjures up the wonderful image of a 'Genius' trying to sneak up on a MacBook on tiptoe to avoid waking it.

      --
      "Algebraical symbols are used when you don't know what you are talking about" - BCS
  15. Re:If It's Possible... by vux984 · · Score: 5, Insightful

    So, the sheer fact that there is a device that can do this also means that anybody can do this because the methods are in place for bypassing security. It's only a matter of time before someone spends enough energy to develop a device that can do this (outside of Microsoft).

    No. The ONLY question that is of any interest is whether or not this device actually has a back door to Windows encryption. Somehow I seriously doubt that it does. Its probably little more than a bootable drive with NTFS support, and some tools. If you've got a password on your login, it doesn't mean you are using encryption. And this tool probably just lets you get straight to searching the -unencrypted- disk without cracking the login, or without pulling the drive and installing it somewhere else to scan through.

    The implications of a device like this are scary to say the least. Although I'm not a Microsoft hater, this alone is more than enough to make me take a second look at options other than Microsoft Windows.

    I suspect your average Linux LiveCD Recovery Disk has all the same tools on it. MS is just getting on board with their own version, to remove another area, where, right now, you have to use Linux. If that's the case the implications aren't scary at all.

    And this whole article is pure FUD.

    Unless they've provided a back door to the encryption. That is the -only- question. But I really doubt they have.

  16. FUD by idlemind · · Score: 2, Insightful

    Since when has physical access to a machine ever been safe for any operating system? Also, it's not like Microsoft programmed in back doors for law enforcement; they are just bundling their version of script kiddie hacks.

  17. Re:If It's Possible... by SatanicPuppy · · Score: 3, Insightful

    Yea, look at linux...No way would it be possible to reset the root password if you had physical access to the machine.

    I can't believe all the people who are freaking out about this. This isn't a remote exploit. This isn't a massive security hole. This is trivial stuff that anyone who is reasonably computer savvy should be able to do.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  18. It basically bypasses all of the Windows security by Cro+Magnon · · Score: 2, Funny

    And was one of the easiest things that Microsoft has ever done.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  19. So who needs Microsoft's device? by Orion+Blastar · · Score: 2, Informative
    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  20. Nothing to Hide... by SilentBob0727 · · Score: 4, Funny

    In unrelated news, it is now a felony not to run Windows on your machine, and Linus Torvalds has gone into hiding.

    --
    Life would be easier if I had the source code.
  21. Could set crooks free easier too by JustASlashDotGuy · · Score: 2, Insightful
    FTA:

    It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

    The second you plug one of these into the suspect's machine while it's running, you just set the criminal free. Reason being, you potentially just altered the original source of data and could have injected your own "evidence". Any lawyer would get you off in a heartbeat.

    You'd always have to shut it down, image the drive, and then run your test against the image. If you ever so much as boot the image and use the device at that point, you've still just changed a shit load of files during the boot up process and a lawyer may still be able to get you off.

    This device is only helpful if it contains a standalone script that can be pointed to a set of files on a write-blocked drive. Blindly letting it have full read/write access to any drive would be an instant not-guilty result.

    Unless this device gets some hefty certs, I'd be surprised if any law enforcement agency that reports to the public courts would ever use this device as reported.

  22. This has already been done by Shadow-isoHunt · · Score: 2, Informative
    --
    www.isoHunt.com
    1. Re:This has already been done by palewook · · Score: 2, Informative
  23. Nothing really new.. by greywire · · Score: 2, Informative

    Not sure what the big deal is.

    If you are a computer forensic investigator you already have many available tools (EnCase, etc) to do the same thing, not to mention the obvious linux based free tools (Helix, etc) that let you pound away on a computer (or captured image) and get whatever you want off it.

    Keeping your computer completely secure is about as practical as copyright owners keeping their data totally protected. Its always an escalating two way battle and the winner is just the one who's willing to go the farthest with it, but nothing is 100% safe.

    Privacy and DRM are both doomed for the same reasons.

    Get over it.

    --
    -- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
  24. Some COFEE info from an Australian L.E. Conference by d3ac0n · · Score: 3, Informative

    Google .DOC-to-HTML link

    Here is the original link if anyone wants it: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc

    If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

    Computer Online Forensic Evidence Extractor (COFEE)

    In 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006). COFEE uses a batch script to manage a list of existing incident response tools and IT security tools in a volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts and programs were stored on a USB storage device before data acquisition.

    Instead of requesting users to key in the output directory, COFEE automatically redirects the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, Operating System dependent programs will be automatically selected after the version detection. The investigator only needs to insert the USB storage device into the target machine and click one to two buttons in order to start the data acquisition process.

    Another difference between COFEE and other live forensics toolkits is the separation of the data acquisition procedures from the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on the target machine may also alter the memory content in the target machine. As report generation does not necessarily have to be executed on the target machine, only data acquisition programs, in COFEE, would be executed on target machines. All program selection, data examination and analysis processes would be performed on the investigator's machine.

    Besides, more forensics programs are supported by COFEE such as screen capture and password capture tools.


    Interestingly, this article if from 2006. So COFEE has been around for 2 years already. Fascinating that we are just hearing about it now.
    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
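The acquisition model the proceedings describe (tools carried on the USB medium, selected by detected OS, output redirected back to the medium, examination left for the investigator's machine), as an added example written for this page rather than COFEE's or Microsoft's code. It also hashes every output file into a manifest at collection time, the kind of integrity record JustASlashDotGuy's comment about altered evidence calls for. The tool table is constructed: the Python interpreter stands in for the incident-response binaries a real kit would carry, and the profile names and output layout are assumptions.

```python
import hashlib
import json
import platform
import subprocess
import sys
import time
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Tuple, Union

Tool = Tuple[str, Sequence[str]]  # (output name, argv)

# Constructed sample profile. A real kit lists known-good binaries carried on
# the medium (process list, network state, logged-on users...), never tools
# found on the target; here the interpreter stands in so the demo runs offline.
SAMPLE_TOOLS: List[Tool] = [
    ("sysinfo", [sys.executable, "-c", "import platform; print(platform.uname())"]),
    ("sample", [sys.executable, "-c", "print('constructed sample')"]),
]
# platform.system() value -> tool profile (assumed names; all identical here).
PROFILES: Dict[str, List[Tool]] = {k: SAMPLE_TOOLS for k in ("Windows", "Linux", "Darwin")}


def select_tools(os_name: Optional[str] = None) -> List[Tool]:
    """Pick the profile for the detected OS; refuse rather than guess."""
    os_name = os_name or platform.system()
    if os_name not in PROFILES:
        raise RuntimeError(f"no acquisition profile for {os_name!r}")
    return PROFILES[os_name]


def acquire(tools: Sequence[Tool], outdir: Union[str, Path], timeout: int = 60) -> dict:
    """Run every tool, writing raw output to outdir and hashing it at capture
    time. Nothing is parsed or analysed on the target. Returns the manifest,
    which is also written to outdir/manifest.json."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    items = []
    for name, argv in tools:
        started = time.time()
        try:
            proc = subprocess.run(list(argv), capture_output=True, timeout=timeout)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data, rc = repr(exc).encode(), None  # record the failure, keep collecting
        path = outdir / f"{name}.txt"
        path.write_bytes(data)
        items.append({
            "name": name, "argv": list(argv), "returncode": rc,
            "started": started, "finished": time.time(),
            "file": path.name, "sha256": hashlib.sha256(data).hexdigest(),
        })
    manifest = {"host": platform.node(), "os": platform.platform(), "items": items}
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir: Union[str, Path]) -> List[str]:
    """Examiner-side check: re-hash each collected file against the manifest.
    Returns the names whose contents no longer match (empty list = intact)."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    bad = []
    for item in manifest["items"]:
        path = outdir / item["file"]
        if not path.exists() or hashlib.sha256(path.read_bytes()).hexdigest() != item["sha256"]:
            bad.append(item["name"])
    return bad


if __name__ == "__main__":
    dest = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("collection")
    manifest = acquire(select_tools(), dest)
    print(f"collected {len(manifest['items'])} items into {dest}; intact: {not verify(dest)}")
```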
  25. Re:Customs by Ioldanach · · Score: 3, Interesting

    Unless there's a huge public backlash before then, I predict that Customs will roll these out to every major airport within the year.

    I hope so, because then the first slashdotter that has to go through customs can have his laptop automatically dd the entire contents of whatever usb drive gets attached to it, before they even realize it can't figure out what his laptop is running.
  26. Re:Interesting thought by blueg3 · · Score: 3, Insightful

    Yes. Most criminal investigations have experts well-versed in many operating systems. More regional departments may not have Macintosh or Unix experts, though almost all computer forensic investigators have familiarity with Unix, and would send the computer to another office. There are a lot of experts working in law enforcement, so if their case is important enough, your hardware will be shipped to an office that has an expert.

    They wouldn't boot your machine, though. They'd remove the drive, duplicate it, and then look at the duplicate through a hardware write blocker. Software would probably indicate that the majority of the disk was ext2/whatever Unix format you use partitions, and the layout of the root partition would make it fairly clear you were using a Unix variant. If they really wanted to "boot" your machine, they'd boot an image of your drive using a VM.

  27. Re:Some COFEE info from an Australian L.E. Confere by Chosen+Reject · · Score: 2, Insightful

    I would hate an edit feature. That is what proofreading is for. Once you commit your post that should be it. I can't tell you how many times I've been in forums that allow editing of posts and suddenly I don't know what anyone is talking about simply because I showed up late. One person makes a comment, other people discuss, then that person edits his post to something else.

    Not only that, it would be horrible for avoiding the trolls. All they would need to do is get a +5 informative on a post then edit it to be a link to a virus filled site or something else.

    --
    Stop Global Warming!
    Just say no to irreversible processes!