PGP Encryption - is it worth the gamble?


Disklabs
10-01-2007, 01:13 PM
Is it worth pulling the plug? With PGP encryption, is it worth pulling the plug on a computer/laptop if there may be PGP encryption on it?

Discuss here.

Simon

redlennox
04-06-2007, 10:53 AM
I suppose it depends on what is encrypted. If they just have a volume, and haven't encrypted the entire disk you will most likely find traces of whatever they have been doing. Whole disk would be annoying though.

It also depends on how good the user is with passwords.

Anyone experienced this?

kern
04-06-2007, 11:25 AM
I'd much prefer no pull plug in any scenario. It seems a catch-all for police who haven't got an experienced forensic guy in at the scene of capture.

WRT PGP full disk, as you mentioned, I have no experience, but certainly a user-profiled dictionary made from other material could prove useful. Got me an 11-char password (not PGP) which would have taken days to crack.
This sort of dictionary could possibly be picked up if a live capture was taken or the system examined in situ.

Can't automate experience.

kern
16-07-2007, 10:27 PM
Follow up for first responders

ZeroView
"Ever worry that the system you are seizing uses whole disk encryption? Use ZeroView™ freeware to find out." Burn ZeroView to a CD, then pop it into the CD drive of the suspect machine and it will load into memory only and display the contents of Sector 0, allowing you to determine if whole disk encryption is employed on the suspect system. Once you know, you can take the appropriate steps to capture and preserve the data you need.

www. techpathways.com/DesktopDefault.aspx?tabindex=8&tabid=14

purposely de-linked (no-click)
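The sector-0 check ZeroView performs can be reproduced offline against a disk image. The script below is an added example written for this thread; it is not ZeroView's code and not anything posted by the participants. It decodes the classic MBR layout (partition table at offset 446, 0x55AA boot signature at offset 510), measures the sector's byte entropy, and looks for boot-loader marker strings. The marker strings ("PGPGUARD" for PGP Whole Disk Encryption, "TrueCrypt" for the TrueCrypt loader) and the entropy threshold are assumptions for illustration and should be confirmed against reference samples from your own lab; the three sample sectors are constructed in the code, not taken from real disks.

```python
import hashlib
import math
import struct
import sys

SECTOR_SIZE = 512

# Assumed marker strings (verify against known-good samples before relying on them).
KNOWN_BOOTLOADER_STRINGS = {
    b"PGPGUARD": "PGP Whole Disk Encryption",
    b"TrueCrypt": "TrueCrypt",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_mbr(sector: bytes) -> dict:
    """Decode the MBR: four 16-byte partition entries at 446, 0x55AA at 510."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_sig_ok = sector[510:512] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_signature_ok": boot_sig_ok, "partitions": partitions}


def triage_sector0(sector: bytes) -> dict:
    """Classify sector 0: known encryption loader, raw/random, ordinary MBR, or unclear."""
    info = parse_mbr(sector)
    matches = [name for sig, name in KNOWN_BOOTLOADER_STRINGS.items() if sig in sector]
    entropy = shannon_entropy(sector)
    if matches:
        verdict = "known encryption boot loader: " + ", ".join(matches)
    elif not info["boot_signature_ok"] and entropy > 7.0:
        # Caveat: most whole-disk products keep a plaintext loader in sector 0,
        # so a random-looking sector 0 is the exception, not the usual sign.
        verdict = "no MBR structure and high entropy: possible raw encrypted or wiped disk"
    elif info["boot_signature_ok"] and info["partitions"]:
        verdict = "ordinary MBR with partition table"
    else:
        verdict = "inconclusive: examine further before powering down"
    info.update({"entropy": round(entropy, 2), "signatures": matches, "verdict": verdict})
    return info


def read_sector0(path: str) -> bytes:
    """Read the first sector of a raw (dd-style) image or block device."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# --- Constructed sample sectors (not real disk images) ---------------------

def build_plain_mbr() -> bytes:
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"            # typical short jump at start of boot code
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 2_000_000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def build_pgp_style_mbr() -> bytes:
    sector = bytearray(build_plain_mbr())
    sector[3:11] = b"PGPGUARD"               # assumed loader marker, for illustration
    return bytes(sector)


def build_random_sector() -> bytes:
    # Deterministic pseudo-random bytes so the example behaves the same every run.
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_sector0(read_sector0(sys.argv[1])))
    else:
        for label, s in (("plain", build_plain_mbr()), ("pgp-style", build_pgp_style_mbr()),
                         ("random", build_random_sector())):
            print(label, triage_sector0(s)["verdict"])
```

Run it with the path to a raw image to triage a real sector 0, or with no arguments to see the three constructed cases. The verdict is only a first-responder hint: a plaintext MBR does not rule out encrypted volumes elsewhere on the disk, which is why the thread's "examine in situ before pulling the plug" advice still applies.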

Peter H
21-08-2007, 12:55 PM
One method that is worth looking into is firewire memory acquisition. Adam Boileau gave an excellent presentation on firewire based attacks at ruxcon 2006. Link (http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf)

If PGP or any other software based disk encryption is in use then encryption keys can be pulled out of the dumped memory and be used to gain access to the encrypted volumes. This however is not a task to be taken lightly but there is potential for it.

If I get time I plan to write proof of concept software and a paper explaining the forensic significance of firewire based acquisition. At this stage however the use of firewire acquisition for forensic purposes is purely academic, but these things have to start somewhere :)

kern
21-08-2007, 03:41 PM
That'll be metlstorm then :)

www (dot) storm.net.nz/projects/16