Re: Stolen laptops and the Windows encrypted file system?

[Ron <iago () valhallalegends com>]

When using Encase (at least, version 5), you have to provide it with the 
user's password or the administrator password to decrypt EFS.

What Encase can do is pull the password files from Windows.  The 
password files can then be loaded into Rainbow Tables or l0phtcrack or 
your favorite cracker).

To crack a NT5 password, the system key file is required.  Normally, 
it's stored in the same folder as the password file.  However, the 
system key file CAN be stored on a floppy or USB drive and removed when 
the computer/laptop is not in use.  Then, I assume, nobody can log in 
and it is far more difficult to decrypt the files.

I'm sure if you looked it up, you could find information on doing that. 
 But it's a lot of work.  I've had to fight against Utimaco's harddrive 
encryptor before, and we couldn't find a way around it.  It's just lucky 
that we managed to get Utimaco's password, or we never would have been 
able to work on the laptop.

Ron


Richard M. Smith wrote:
> Another solution would be to allow people to store their EFS encryption 
> keys on a separate device such as a USB flash drive.
>  
> I also believe that an encrypted folder on a portable hard drive would 
> be safe if it is carried separatly from a laptop which holds the EFS 
> encryption keys.
>  
> Richard
>
> ------------------------------------------------------------------------
> *From:* ahmad.elkhatib () gmail com [mailto:ahmad.elkhatib () gmail com] *On 
> Behalf Of *Ahmad Elkhatib
> *Sent:* Wednesday, March 29, 2006 5:14 AM  
> *To:* Valdis.Kletnieks () vt edu
> *Cc:* Richard M. Smith; funsec () linuxbox org
> *Subject:* Re: [funsec] Stolen laptops and the Windows encrypted file 
> system?
>
> EFS is very easily breakable since its tied to the operating system. 
> What you will need is a pre-boot authentication and full disk 
> encryption. Many companies have that such as Pointsec, Safeboot, and 
> Utimaco.
>
> Windows Vista has a beefed up version of EFS called BitLocker which i 
> beleive will be part of the enterprise edition. However from comments 
> that have been made from MS officials it seems like there will be some 
> sort of master key or backdoor to break it.
>
> -Ahmad
>
> On 3/28/06, *Valdis.Kletnieks () vt edu <mailto:Valdis.Kletnieks () vt edu>* 
> <Valdis.Kletnieks () vt edu <mailto:Valdis.Kletnieks () vt edu>> wrote:
>
>     On Tue, 28 Mar 2006 13:23:03 EST, "Richard M. Smith" said:
>      > The EnCase product description is silent on how it gets
>     encryption keys.
>      > It's possible that it must be supplied with keys to do the decrypt.
>
>     It's tied to the user's login password - which is known to be easily
>     guessable
>     or crackable a lot of the time.  Remember, if you're at the point
>     where you're
>     using EnCase on a box, it's assumed you have access to all the
>     password hashes too.
>
>     So it's a very short detour to Rainbow, and then it's Game Over....
>
>
>     _______________________________________________
>     Fun and Misc security discussion for OT posts.
>     https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>     <https://linuxbox.org/cgi-bin/mailman/listinfo/funsec>
>     Note: funsec is a public and open mailing list.
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.