Laptop encryption
I found an article on http://www.networkworld.com/columnists/2008/072208antonopoulos.html?fsrc=netflash-rss:
Every year, more than 5,000 laptops are lost in taxis in London, New York, Chicago and other large cities. According to our research, in 2008 companies' topmost security investment was laptop encryption. Laptop hard drives are getting bigger and now can hold hundreds of thousands to hundreds of millions of sensitive records.
As a CSO, one of your top priorities is probably to keep your company off the front page of the news. Is it inexcusable to have laptops in the field with unencrypted hard drives? With such new open source solutions as TrueCrypt, there are few excuses left: All laptops must be fully encrypted.
Unfortunately, the writer apparently wasn't aware that full hard disk encryption can now be defeated. There's just one requirement: the laptop has to be turned on when the attacker gets access to it.
The "cold boot" method of data recovery is one of the ways to do this. While not practical in the normal sense of the word, it is rather painful for the previous owner: if the laptop was on when it was stolen, an attacker can read out its memory, and all the keys used to encrypt the disk are stored in memory to allow decryption.
A more practical (and stealthy) way to steal the data is to use the "FireWire hack" to get access to the memory, in combination with some quick copying: find a laptop, plug a PCMCIA FireWire card in, connect your own laptop to the victim laptop over FireWire and make a memory dump. Then turn the laptop off, take the disk out, plug it into a FireWire hard disk enclosure (irony?) and make a disk image. Then plug the disk back in and take the power cord out of the socket. The user will think (s)he accidentally pulled the plug, and you have ample time to decrypt the disk without people calling the police because their laptop was stolen.
I tried getting the keys from the memory dump of an encrypted hard disk and behold, over 20 RSA PRIVATE keys and several AES keys. I have not tried to decrypt the hard disk, but with the keys it (theoretically) shouldn't be too hard.
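A defender's check for the exposure described above, as an added example that is not part of the original post: it reports whether the FireWire and CardBus drivers that a hot-plugged FireWire card depends on are loaded, loadable or blocked. It assumes a Linux laptop; the function names and the sample inputs are constructed for illustration.

```python
# Added example: Linux host assumed; names and sample inputs are constructed.
# Modules for FireWire (old and new stacks) and the CardBus bridge that
# lets a FireWire card be hot-plugged into a running laptop.
DMA_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2",
               "ieee1394", "ohci1394", "sbp2", "raw1394", "yenta_socket"}

def norm(name):
    return name.strip().replace("-", "_")  # modprobe treats '-' and '_' alike

def parse_modprobe_conf(text):
    """Return (blacklisted, disabled) module sets from modprobe.d-style text."""
    blacklisted, disabled = set(), set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "blacklist":
            blacklisted.add(norm(parts[1]))
        elif len(parts) >= 3 and parts[0] == "install" and parts[2] in ("/bin/false", "/bin/true"):
            disabled.add(norm(parts[1]))  # modprobe runs the stub instead of loading
    return blacklisted, disabled

def audit(conf_text, proc_modules_text):
    """Map each DMA-capable module to LOADED, disabled, blacklist-only or loadable."""
    blacklisted, disabled = parse_modprobe_conf(conf_text)
    # First column of /proc/modules is the module name.
    loaded = {norm(l.split()[0]) for l in proc_modules_text.splitlines() if l.strip()}
    result = {}
    for mod in sorted(DMA_MODULES):
        if mod in loaded:
            result[mod] = "LOADED"          # bus is live right now
        elif mod in disabled:
            result[mod] = "disabled"
        elif mod in blacklisted:
            result[mod] = "blacklist-only"  # no autoload, explicit modprobe still works
        else:
            result[mod] = "loadable"        # hot-plugging a card would bring it up
    return result

SAMPLE_CONF = """# constructed sample of /etc/modprobe.d content
blacklist firewire-ohci
install firewire-sbp2 /bin/false
blacklist ohci1394
"""
SAMPLE_PROC = """yenta_socket 27532 1 - Live 0xf8a3c000
ohci1394 32948 0 - Live 0xf8912000
ieee1394 94420 1 ohci1394, Live 0xf88c0000
"""

if __name__ == "__main__":
    for mod, state in audit(SAMPLE_CONF, SAMPLE_PROC).items():
        print(f"{mod:15} {state}")
```

On a real host, pass the concatenated contents of `/etc/modprobe.d/*.conf` and of `/proc/modules`; a `LOADED` result for a module that is also blacklisted means the blacklist was added after the driver came up.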