Research team finds disk encryption foils law enforcement efforts

Nov 21, 2011 by Bob Yirka report

(PhysOrg.com) -- A joint U.S./UK research team has found that common encryption techniques are so good that law enforcement, from local to highly resourceful federal agencies, are unable to get at data on a computer hard disk that could be used to prove the guilt of people using the computer to perpetuate crimes. In looking at the current technology, the team, as they describe in their paper published in Digital Investigation, find that if criminals use commonly available hard drive encryption software, law enforcement very often is unable to find anything that can be used against them.

Contrary to what we all see in the movies and on television, cracking an encrypted drive is not a simple thing; in fact, it’s so difficult that if someone has encrypted their drive, there is apparently little law enforcement (or anyone else) can do to read the data on the drive. Adding to the frustration, at least on the part of law enforcement, is the fact that they can’t force people to give up their passwords.

The authors of the report suggest there are some things law enforcement can do, but they all must happen before a drive is buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study; doing so only means a password must be entered before the encrypted data can be read again. Also, in some cases, doing so causes the data to be automatically destroyed. Fortunately, there are some tools forensics experts can use to gather data if it sits untouched, such as copying everything in memory to a separate disk. The team also suggests that law enforcement look first to see if the drive has been encrypted before scanning it with their own software, as scanning an encrypted drive will likely result in a lot of wasted time.

The unfortunate bottom line, though, is that the authors openly admit that once the drive is encrypted, there is little to nothing to be done, which a lot of criminals are surely going to be really pleased to hear. The team suggests that the government embark on a research mission of its own to figure out a way to subvert encrypted drives or it will find itself with little reason to bother confiscating computers used to commit crimes in the future.


More information: The growing impact of full disk encryption on digital forensics, Digital Investigation, In Press. doi:10.1016/j.diin.2011.09.005

Abstract
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to deal with FDE are discussed.
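The on-scene check the article and abstract call for (find out whether a volume is encrypted before pulling the plug or scanning it) can be sketched as follows. This is an added example, not code from the paper or the article; the function names and labels are hypothetical, and the sample buffers are constructed rather than taken from real systems.

```python
import hashlib
import math
from collections import Counter

# Signatures of on-disk formats (publicly documented values).
LUKS_MAGIC = b"LUKS\xba\xbe"     # offset 0 of a LUKS container
BITLOCKER_OEM = b"-FVE-FS-"      # OEM ID at offset 3 of a BitLocker volume
NTFS_OEM = b"NTFS    "           # OEM ID at offset 3 of a plain NTFS volume
ENCRYPTED = {"luks", "bitlocker", "suspected-encrypted"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8.0 look like random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_volume_start(buf: bytes, threshold: float = 7.9) -> str:
    """Classify the first bytes (ideally >= 4096) read from a volume."""
    if buf.startswith(LUKS_MAGIC):
        return "luks"
    if buf[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    if buf[3:11] == NTFS_OEM:
        return "plain-ntfs"
    # Headerless containers (TrueCrypt-style) carry no signature: the only
    # hint is that the data is statistically random. Compressed data looks
    # the same, so this is a lead, never proof.
    if len(buf) >= 4096 and shannon_entropy(buf) >= threshold:
        return "suspected-encrypted"
    return "unknown"

def keep_powered_on(label: str) -> bool:
    """True when a shutdown risks losing access: acquire memory and the
    mounted volume live first (the article's advice)."""
    return label in ENCRYPTED

def constructed_samples() -> dict:
    """Constructed test inputs, not captures from real systems."""
    pad = lambda b: b + bytes(4096 - len(b))
    random_like = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return {
        "luks": pad(LUKS_MAGIC + b"\x00\x01"),
        "bitlocker": pad(b"\xeb\x58\x90" + BITLOCKER_OEM),
        "ntfs": pad(b"\xeb\x52\x90" + NTFS_OEM),
        "headerless": random_like,
        "zeroed": bytes(4096),
    }

if __name__ == "__main__":
    for name, buf in constructed_samples().items():
        label = triage_volume_start(buf)
        print(f"{name:10s} {label:20s} keep powered on: {keep_powered_on(label)}")
```

A signature match is reliable; the entropy result only says the data is indistinguishable from random, which is also true of compressed files and wiped space.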


User comments : 30


Pattern_chaser
5 / 5 (2) Nov 21, 2011
If existing encryption software is configured as PCs often are, to timeout, and require the password before access can continue, then encryption will continue to frustrate law enforcement.
HurfDurf
5 / 5 (17) Nov 21, 2011
Yeah because only criminals have any reason to want to protect their computer with encryption. If you're a good citizen with nothing to hide, you should have no problem opening your entire digital life to any and all government agencies at any time on demand. /sarcasm

Ridiculous. Everyone should be using encryption. Always.
antialias_physorg
5 / 5 (19) Nov 21, 2011
"Research team finds disk encryption foils law enforcement efforts"

Good.

Because if the government can't read encrypted disks of criminals this conversely means that criminals* can't read my disk, either, if I encrypt it properly.

*Note that in some cases the words 'criminal' and 'government' can be used interchangeably.

ABSOLUTEKNOWLEDGE
1.8 / 5 (9) Nov 21, 2011
study is also very useful for reminding anybody with criminal activities to encrypt their drives if they didn't do so already

ur taxpayer money hard at work

lol
kochevnik
1.8 / 5 (5) Nov 21, 2011
I thought that part of enforcement's job is to respect and abide by the 4th amendment, instead of drawing inspiration from Hitler's stormtroopers. Besides cops can grant immunity to a key witness, provided he spill all the beans. Moreover there are often five charges for the same crime in USA, so a suspect can be held in arraignment for years without evidence while prosecutors go on a fishing expedition.
SemiNerd
4.8 / 5 (4) Nov 21, 2011
"I thought that part of enforcement's job is to respect and abide by the 4th amendment, instead of drawing inspiration from Hitler's stormtroopers. Besides cops can grant immunity to a key witness, provided he spill all the beans. Moreover there are often five charges for the same crime in USA, so a suspect can be held in arraignment for years without evidence while prosecutors go on a fishing expedition."

You're misinformed. Officials must be able to present enough evidence that a crime has occurred in order to hold them more than a few days. I agree that the threshold for holding people is low, but unless the crimes are very serious (murder, etc.) almost everyone can be bail bonded out.
Arkaleus
2.7 / 5 (7) Nov 21, 2011
The solution to this "threat" is for governments to exploit the fascist relationships it has with hardware manufacturers. Intel could easily redesign its CPUs to offer an amazingly fast "accelerated" AES processing chip that promises to speed up all encryption processes, but at the same time cache the passwords for use by "authorized agents" of whatever government they operate under.

I wonder when Intel will do that. . .
Nik_2213
4 / 5 (1) Nov 21, 2011
'perpetuate crimes' ??

I suspect a pun...
ekim
5 / 5 (8) Nov 21, 2011
Not all governments are created equal. Encryption is a valuable tool against corrupt and repressive regimes. If a non-corrupt government could access encrypted files to thwart criminals, it would only be a matter of time before a corrupt government, and/or criminals, would use this knowledge against law abiding citizens.
MorituriMax
5 / 5 (2) Nov 21, 2011
Can't you just use your right to self-incrimination to refuse to reveal your password no matter what law they try and pass?

Furthermore, if they do ask, you can just accidentally give them the wrong one enough times to trigger the destruction of the protected data.

Finally, truecrypt is your friend, full hard drive encryption with a 64 character random password.

"study is also very useful for reminding anybody with criminal activities to encrypt their drives if they didn't do so already

ur taxpayer money hard at work

lol"

I could care less if we are "helping" criminals by discussing legal ways to keep the government out of my personal files. Should we stop investing in the stock market because criminals do too?
tadchem
5 / 5 (4) Nov 22, 2011
...and the ancient tug-of-war between offensive and defensive strategies finds a new venue - cyberspace.
One of the enduring lessons from Star Trek (first season episode #18, "Arena") is that the difference between good and evil lies not in their methods but their motives. To protect my personal identity data from cybercriminals I must also protect it simultaneously against the 'authorities'.
antialias_physorg
5 / 5 (2) Nov 22, 2011
"Can't you just use your right to self-incrimination to refuse to reveal your password no matter what law they try and pass?"

You can always say you don't remember.

"Furthermore, if they do ask, you can just accidentally give them the wrong one enough times to trigger the destruction of the protected data."

That wouldn't help. They could make a bitwise copy of the data first (something they should be doing as a standard procedure - if they're not doing it then they are really stupid). So you'd just be destroying the copy.

Unless you're clever enough to combine your password with the hardware specific ID (i.e. even the correct password wouldn't work on a copied drive)...but that can be spoofed. So no ultimate security from that quarter.
jakack
4 / 5 (4) Nov 22, 2011
"...the difference between good and evil lies not in their methods but their motives."


Right on :-) From gun ownership to Iranian nukes, this is the heart of the matter. We don't want bad people to have this technology, while at the same time we don't want to limit the freedoms of those people whom it can benefit for good.
antialias_physorg
5 / 5 (3) Nov 22, 2011
"We don't want bad people to have this technology, while at the same time we don't want to limit the freedoms of those people whom it can benefit for good."

Life is a bit more complex than this. You always have to factor in
- how much damage one deranged individual can cause
- how many people benefit from legitimate use

If the legitimate use is marginal (as in the case of nukes...or guns for that matter) then one can argue that it's better to not allow Iran (or the US or Russia, or anyone else) to have nukes.

Disk encryption as a safety measure has plenty of legitimate uses with very little damage that can be done with it. So here one can argue that it's all good.
jakack
2.3 / 5 (3) Nov 22, 2011
"Life is a bit more complex than this."


Agreed!! However, it is within these complexities in which we may disagree. At least we can agree that we don't want bad people to have the tools to do bad things. I know it's a simple and mundane statement to make, but if conversation isn't grounded to this fact, we'd be just spinning our wheels in disagreement!
jakack
3.7 / 5 (3) Nov 22, 2011
@Antialias - I do think encryption could be used for covering up crime just as a meat-grinder could. But, to your point, since it really is used mostly for good reasons, I see no need for the attempt to regulate it. It's just another hurdle for investigators at this point when there is a crime to dig into.
Ricochet
5 / 5 (2) Nov 22, 2011
Yes, always stay away from meat pie vendors that have a barber located upstairs...
antialias_physorg
3.7 / 5 (3) Nov 23, 2011
"I do think encryption could be used for covering up crime just as a meat-grinder could."

Certainly. That's why I said the beneficial uses must outweigh the costs (one reason why I think that guns should be banned while calling for a ban on kitchen knives is ludicrous)
Technowitch
not rated yet Nov 25, 2011
"You're misinformed. Officials must be able to present enough evidence that a crime has occurred in order to hold them more than a few days. I agree that the threshold for holding people is low, but unless the crimes are very serious (murder, etc.) almost everyone can be bail bonded out."

Not so. All you have to do is cross a national border and Customs inspectors can--and often do--confiscate computers, external and thumb drives, and cell phones, based on nothing more than whim. They have also compelled people to give up their passwords upon threat of arrest for failing to cooperate.
BillFox
not rated yet Nov 25, 2011
This isn't news... Any computer science major could have told you this...
Phoe
not rated yet Nov 27, 2011
"Besides cops can grant immunity to a key witness, provided he spill all the beans."


Actually, they can't. Only the DA and those above him have that sort of power, and they don't have to abide by such word at all. Even if you got the DA to sign a legal document stating that he will give you immunity and had it all notarized, he doesn't have to abide by it because it was signed under duress (the duress being that you forced him to sign before you would talk).

Now, police will lie and say they will give you immunity (or give you a good word) to try to get a confession/information, along with all sorts of other tricks they have in their toolbox. I even saw something once where an officer would carry a big old tape recorder into the interrogation room with him and have it recording just so he could turn it off and ask a question "off the record" to get them to respond, and of course there is no such thing as off the record (there are cameras watching).
Humpty
1 / 5 (2) Nov 28, 2011
Forget the cops - what about keeping thieving, snooping pricks out of your data.

For that reason alone disk encryption alone is a necessary issue.
Arkaleus
1 / 5 (2) Nov 30, 2011
Currently US citizens can't be compelled to reveal passwords because of protections of the 5th amendment. The rest of the enslaved west does not enjoy this protection. Citizens crossing a border may be exposed to illegal searches and confiscations without due process because of DHS thuggery, but the federal courts have already ruled against the DHS on this matter. Non citizens and those the DHS deems terrorists will probably not be afforded any due process and possibly tortured until they reveal their passwords. It's the reality we face under the new order.

Use Truecrypt and encrypt your systems now. Use every means to defy the powers that are exploiting our vulnerabilities to empower themselves and cheat us of our liberties.

We need to realistically examine the nature of the current powers to understand the need for the security of our private communications. Our patterns of life and behaviors need to be protected from exploitation by a criminal state.
Ken2
not rated yet Dec 02, 2011
Here's the solution I found for a perfect protection of data.

1 - Use True Crypt
2 - Create a hidden volume
3 - Use a complicated password (that you cannot remember) and hide it in plain sight (on my desktop)
4 - But this password will only open the "normal" volume of True Crypt.
5 - To open the hidden volume, you need to add a 5-digit code which is easy to remember but not written anywhere.

There is, I think, no way to get access to the hidden volume since no one knows if it is there or not and I do not know the full password.

My only frustration is that I cannot use Chinese characters for my passwords. This would add a layer of complexity difficult to pass outside Asia.
gowen
not rated yet Dec 15, 2011
"of people using the computer to perpetuate crimes" - the problem with computers is that the spell checkers often perpetrate not-quite-the-word-you-meant-to-use errors.
antialias_physorg
not rated yet Dec 15, 2011
"There is, I think, no way to get access to the hidden volume"

Are you certain the makers of truecrypt haven't been obligated to add a back door?

"since no one knows if it is there"

Ya think having a lot of seemingly empty harddisk space won't give people a clue that there still might be something encrypted there? Secret service IT guys may be stupid - but they are not THAT stupid.

Especially if you're using an SSD instead of a HDD the usage patterns make it blindingly obvious.

"My only frustration is that I cannot use Chinese characters"

Since rainbow table attacks work on the entire character set it's no real advantage to use any one character over another - whether Arab, Chinese or Latin.
Ken2
not rated yet Dec 17, 2011
The fact of the matter is that currently there is no way to guarantee 100% security. That much is true. So, short of that there is only one yardstick: How much money will people invest to get to the data? It of course depends on the value of the data. So the answer to the question is that your password must be more expensive to crack than the value of the information encrypted. This makes the goal easier to achieve.
Q-1 - Backdoors. People making hardware are large companies which can easily be "bullied" and you can therefore expect a backdoor on most hardware. This is not the case for software.
Q-2 - Empty space. Most HDD today are huge and 99% of the people use only a fraction of the space. The beauty of a Hidden volume is that it is not a file and appears as completely random 0 and 1. Even if there is doubt, there is no proof.
Q-3 - The value of non Latin characters is the double-byting (coding the characters on 2 bytes instead of one.) You will need a supercomputer to crack this!
OldWilliam
not rated yet Dec 17, 2011
You folks have it easy!

Part III of the Regulation of Investigatory Powers Act 2000 (applies to whole of UK, including Scotland, which has its own legal systems) was activated in 2007, and relates to "Investigation of electronic data protected by encryption etc."

Section 49 and Schedule 2 of the Act provide for "Notices requiring disclosure" - in short, if you don't hand over the encryption key or keys, or the original material in unencrypted form, game over - up to two years imprisonment (five in terrorism cases) if you fail to comply!
antialias_physorg
not rated yet Dec 17, 2011
"This is not the case for software."
Why exactly not? Companies are open to the same sort of pressure - whether hardware or software (and smaller ones certainly more so than larger ones)
"Empty space. Most HDD today are huge and 99% of the people use only a fraction of the space. The beauty of a Hidden volume is that it is not a file and appears as completely random 0 and 1."

The problem is that the encryption software itself cannot be encrypted (or you couldn't start it). So the presence of such software is blindingly obvious and a dead giveaway where the encrypted files are. (SSDs make it even easier because you can see the usage patterns)

"You will need a supercomputer to crack this!"

Brute force is not the only way. Hashtables/rainbow attacks are much simpler. Keylogging your password maybe simplest. There are many ways to get at a protected file - encryption software only protects against the most obvious one.
Ken2
not rated yet Dec 17, 2011
Agreed, all your points are valid and every solution must be adapted to your particular circumstances.
I am not Julian Assange and I only have personal data to protect. So I do not expect some secret service guys to pop up into my bedroom at night. Now, I do cross borders a lot and the chance to be checked is real. This is the one thing against which I care.
For this, not having your data on your computer but on a "half empty" drive is good enough (The half are business Docs). I also use drives with a hardware code (which I can give to anyone who asks since there must be a back door anyway) Truecrypt for which I only have half the code (the rest is available at destination) my HDD needs a special USB cable which I do not have with me!
So the data is, I think, far more difficult to access than it is worth. That's all... and it's good enough for my purpose.