Slashdot Mirror


Full Disk Encryption Hard For Law Enforcement To Crack

If you'd rather keep your data private, take heart: disk encryption is a lot harder to break than techno-thriller movies and TV shows make it out to be, to the chagrin of some branches of law enforcement. MrSeb writes with word of a paper titled "The growing impact of full disk encryption on digital forensics" [abstract here to paywalled article] that illustrates just how difficult it is. According to the paper, co-authored by a member of US-CERT, "[T]here are three main problems with full disk encryption (FDE): First, evidence-gathering goons can turn off the computer (for transportation) without realizing it's encrypted, and thus can't get back at the data (unless the arrestee gives up his password, which he doesn't have to do); second, if the analysis team doesn't know that the disk is encrypted, it can waste hours trying to read something that's ultimately unreadable; and finally, in the case of hardware-level disk encryption, tampering with the device can trigger self-destruction of the data. The paper does go on to suggest some ways to ameliorate these issues, but ultimately the researchers aren't hopeful: 'Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption.'"

7 of 575 comments

  1. I wish this was the case in the UK by Anonymous Coward · Score: 5, Informative

    I wish this was the case in the UK; any encryption keys have to be handed over when asked by the police or .Gov.

    1. Re:I wish this was the case in the UK by mSparks43 · Score: 5, Informative

      From the actual paper (worth reading if you have academic access):

      Challenges can also arise when a defendant appears to be cooperative. For instance, the defendant may provide incorrect decryption details but the defense may claim that the encrypted container was damaged in some manner, which was why it would not open.

      They also list several court cases where TrueCrypt FDE rendered the machines inaccessible many years after the fact.

    2. Re:I wish this was the case in the UK by MagicM · Score: 5, Informative

      You sound like someone who hasn't seen this yet, but would enjoy it.

    3. Re:I wish this was the case in the UK by DamnStupidElf · Score: 5, Informative

      It's obviously foolish to use public text verbatim as a key. Common Crawl has a 40 TB dataset that costs approximately $150 to MapReduce on EC2. Any key that happens to be a (reasonably short, say under 1 KB) substring of that data costs $150 to break. Any key within a short Hamming distance of a substring in that database costs roughly 2^hamming_distance more to break; two changed bytes is only worth $600. I imagine that large organizations who care have much larger databases including the text of most published books. It's such an obvious idea, and until you realize that attackers have access to all the public source data that you do, it sounds like a good idea to just pick a random string from a book to use as a passphrase. Don't kid yourself; no matter how obscure or unpopular a song is, there will be lyrics for it somewhere on the Internet, not to mention in published books.

      You can take a published string and make it a reasonably secure passphrase by adding enough entropy to it, but you still have to remember the entropy that you've added. Why not just start with a diceware passphrase and memorize the entropy directly?
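
A defender-side check for the point made in the comment above, as an added example that is not part of the original thread: it flags a candidate passphrase that sits within a small Hamming distance of any window of a public text, and compares that with a Diceware-style passphrase drawn from a CSPRNG. The corpus, the 16-word list and all function names are constructed for illustration; real Diceware uses a 7776-word list.

```python
import math
import secrets

# Constructed stand-in for public text (lyrics, books, web crawl data).
PUBLIC_CORPUS = (
    "It was the best of times, it was the worst of times, "
    "it was the age of wisdom, it was the age of foolishness"
)

# Constructed sample list; a real Diceware list has 7776 (6^5) entries.
SAMPLE_WORDS = [
    "anvil", "brisk", "cobra", "dwarf", "ember", "flint", "gourd", "hinge",
    "ivory", "jumbo", "kayak", "llama", "mango", "nylon", "otter", "plaid",
]


def hamming(a, b):
    """Count positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))


def nearest_public_match(passphrase, corpus=PUBLIC_CORPUS):
    """Return (distance, window) for the closest same-length corpus window.

    Case is folded first because case variants are cheap to enumerate.
    Returns None when the passphrase is empty or longer than the corpus.
    """
    p, c = passphrase.casefold(), corpus.casefold()
    n = len(p)
    if n == 0 or n > len(c):
        return None
    windows = (c[i:i + n] for i in range(len(c) - n + 1))
    return min(((hamming(p, w), w) for w in windows), key=lambda t: t[0])


def is_derived_from_public_text(passphrase, max_distance=2):
    """True if the passphrase is a public substring with few substitutions."""
    match = nearest_public_match(passphrase)
    return match is not None and match[0] <= max_distance


def diceware_passphrase(words, count):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def diceware_entropy_bits(list_size, count):
    """Entropy of a uniformly chosen passphrase: count * log2(list_size)."""
    return count * math.log2(list_size)
```

Hamming distance only models substituted characters; inserted or deleted characters would need an edit-distance check instead.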

  2. Giving up passwords by earthloop · Score: 5, Informative

    (unless the arrestee gives up his password, which he doesn't have to do);

    In the UK he does. And people have been punished for not handing it over.

  3. Re:"more research?" by TheGratefulNet · Score: 5, Informative

    want to see a lawyer's head explode?

    (we all do. read on...)

    tell them you support jury nullification.

    it's almost like telling an electrical repairman that there ARE user-repairable parts inside and that that label is pure hogwash.

    lawyers and judges are so smug sure that 'judging guilt' is a hard job, to be left only to those 'qualified'.

    the thing is, the so-called pros have done such a bad job over the last few decades, I can't believe that even a random roll of dice would be worse for carrying out justice. perhaps that would even be an upgrade. getting 50/50 would probably BE an upgrade over what we have now.

    the fact that regular people are taken out of the loop is actually a safeguard that they are bypassing.

    but dare talk to a friendly lawyer about this and they'll likely bite your head off. and if you are in voir dire and dare tell anyone that you are even aware of what JN means, you are immediately dismissed as a juror. worse: if you don't let on during VD and then vote your conscience, you can be jailed for contempt!

    all for following a legally allowed american principle; but one that has an unspoken 'do not admit to its existence' rule about nullification.

    see fija.org for more info. people should all know about this. it's one of the best parts of our system, in fact!

    --
    "It is now safe to switch off your computer."
  4. Re:Minor issues by DavidTC · Score: 5, Informative

    Except modern drive recovery can restore the blanked out sector.

    Uh, no.

    It has never, despite it being 'common wisdom', been possible to recover overwritten sectors on a hard drive.

    No one has ever demonstrated it in the entire history of hard drives.

    It was a theoretical attack a long time ago, on pre-IDE 'MFM' hard drives. But we moved off that sort of drive in 1986.

    And even then, it didn't work. It was a theory that said with a very poorly built hard drive, it might be possible to recover some data. Like I said, no one's ever actually shown this.

    And with IDE, we moved to RLL encoding which means, statistically, you couldn't get anything. With MFM-encoded drives, if you got 50% of the data with 50% accuracy, you had 25% of the data and might possibly come up with something, although, like I said, no one ever has managed this.

    But with RLL encoded drives, if you got 50% of the data with 50% accuracy, you have nothing. It is not really possible to get a partial byte.

    Not that anyone has ever demonstrated reading anything from a ' The idea that you need to do anything more than overwrite a sector to make it unreadable is one of those zombie lies that simply cannot die.

    The only way to recover a lost sector is if it was going bad at some point, so the hard drive made a copy of it and remapped that sector to the copy. Which means the original might still be there. (OTOH, the original was going bad, so who knows if it's still readable.) The odds of this happening are astronomical.

    --
    If corporations are people, aren't stockholders guilty of slavery?