Research team finds disk encryption foils law enforcement efforts

November 21, 2011 by Bob Yirka report

(PhysOrg.com) -- A joint U.S./UK research team has found that common encryption techniques are so good that law enforcement, from local to highly resourceful federal agencies, is unable to get at data on a computer hard disk that could be used to prove the guilt of people using the computer to perpetuate crimes. In looking at the current technology, the team, as they describe in their paper published in Digital Investigation, finds that if criminals use commonly available hard drive encryption software, law enforcement is very often unable to find anything that can be used against them.

Contrary to what we all see in the movies and on television, cracking an encrypted drive is not a simple thing; in fact, it’s so difficult that if someone has encrypted their drive, there is apparently little law enforcement (or anyone else) can do to read the data on it. Adding to the frustration, at least on the part of law enforcement, is the fact that they can’t force people to give up their passwords.

The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study; doing so only means a password must be entered before the encrypted data can be read again. Also, in some cases, doing so causes the data to be automatically destroyed. Fortunately, there are some tools forensics experts can use to gather data if the machine sits untouched, such as copying everything in memory to a separate disk. The team also suggests that investigators look first to see if the drive has been encrypted before scanning it with their own software, as scanning an encrypted drive will likely result in a lot of wasted time.

The unfortunate bottom line, though, is that the authors openly admit that once the drive is encrypted, there is little to nothing to be done, which a lot of criminals are surely going to be really pleased to hear. The team suggests that the government embark on a research mission of its own to figure out a way to subvert encrypted drives, or it will find itself with little reason to bother confiscating computers used to commit crimes in the future.

More information: The growing impact of full disk encryption on digital forensics, Digital Investigation, In Press. doi:10.1016/j.diin.2011.09.005

Abstract
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to dealing with FDE are discussed.

© 2011 PhysOrg.com
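The "look first to see if the drive has been encrypted" step can be partly automated. The sketch below is an added example, not code from the paper or the article: it classifies the first bytes of a volume by the well-known LUKS and BitLocker markers and falls back to an entropy estimate for headerless formats such as TrueCrypt. The 7.9 bits/byte threshold, the 64 KiB sample size, the function names and the sample inputs are assumptions made for illustration.

```python
import hashlib
import math

# Well-known on-disk markers. Headerless formats such as TrueCrypt have none,
# so they can only be flagged statistically.
LUKS_MAGIC = b"LUKS\xba\xbe"       # offset 0 of a LUKS container
BITLOCKER_OEM_ID = b"-FVE-FS-"     # offset 3 of a BitLocker volume boot sector
PLAINTEXT_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"EXFAT   ")
ENTROPY_THRESHOLD = 7.9            # bits per byte; assumed cut-off for this example
MIN_SAMPLE = 64 * 1024             # entropy estimates on small samples are unreliable


def shannon_entropy(data: bytes) -> float:
    """Return the byte-level Shannon entropy of data (0.0 to 8.0 bits/byte)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(sample: bytes) -> str:
    """Classify the first bytes of a volume read from an image or write-blocked device."""
    if sample.startswith(LUKS_MAGIC):
        return "encrypted: LUKS header"
    if sample[3:11] == BITLOCKER_OEM_ID:
        return "encrypted: BitLocker signature"
    if sample[3:11] in PLAINTEXT_OEM_IDS:
        return "plaintext filesystem boot sector"
    # No marker: uniformly random-looking data is consistent with headerless
    # encryption, but also with compressed data or a randomly wiped disk.
    if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "suspect: high entropy, no header"
    return "unknown: no marker, low entropy or short sample"


def triage_file(path: str) -> str:
    """Read only the first MIN_SAMPLE bytes of an image file and classify them."""
    with open(path, "rb") as fh:
        return triage(fh.read(MIN_SAMPLE))


def constructed_samples() -> dict:
    """Constructed inputs standing in for the start of five different volumes."""
    pad = bytes(MIN_SAMPLE)
    # Deterministic pseudo-random stream: looks the way ciphertext would.
    stream = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(MIN_SAMPLE // 32)
    )
    return {
        "luks": LUKS_MAGIC + pad,
        "bitlocker": b"\xeb\x58\x90" + BITLOCKER_OEM_ID + pad,
        "ntfs": b"\xeb\x52\x90" + b"NTFS    " + pad,
        "headerless": stream,
        "blank": pad,
    }


if __name__ == "__main__":
    for name, sample in constructed_samples().items():
        print(f"{name:<11} {triage(sample)}")
```

A "suspect" result is a reason to treat the machine as encrypted while it is still running, not proof: the same reading comes from compressed archives and wiped disks.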


Pattern_chaser
Nov 21, 2011

Rank: 5 / 5 (2)
If existing encryption software is configured as PCs often are, to timeout, and require the password before access can continue, then encryption will continue to frustrate law enforcement.
HurfDurf
Nov 21, 2011

Rank: 5 / 5 (17)
Yeah because only criminals have any reason to want to protect their computer with encryption. If you're a good citizen with nothing to hide, you should have no problem opening your entire digital life to any and all government agencies at any time on demand. /sarcasm

Ridiculous. Everyone should be using encryption. Always.
antialias_physorg
Nov 21, 2011

Rank: 5 / 5 (19)
"Research team finds disk encryption foils law enforcement efforts"

Good.

Because if the government can't read encrypted disks of criminals this conversely means that criminals* can't read my disk, either, if I encrypt it properly.

*Note that in some cases the words 'criminal' and 'government' can be used interchangeably.

ABSOLUTEKNOWLEDGE
Nov 21, 2011

Rank: 1.9 / 5 (8)
study is also very useful for reminding anybody with criminal activities to encrypt their drives if they didn't do so already

ur taxpayer money hard at work

lol
kochevnik
Nov 21, 2011

Rank: 2 / 5 (4)
I thought that part of enforcement's job is to respect and abide by the 4th amendment, instead of drawing inspiration from Hitler's stormtroopers. Besides cops can grant immunity to a key witness, provided he spill all the beans. Moreover there are often five charges for the same crime in USA, so a suspect can be held in arraignment for years without evidence while prosecutors go on a fishing expedition.
SemiNerd
Nov 21, 2011

Rank: 4.8 / 5 (4)
"I thought that part of enforcement's job is to respect and abide by the 4th amendment, instead of drawing inspiration from Hitler's stormtroopers. Besides cops can grant immunity to a key witness, provided he spill all the beans. Moreover there are often five charges for the same crime in USA, so a suspect can be held in arraignment for years without evidence while prosecutors go on a fishing expedition."

You're misinformed. Officials must be able to present enough evidence that a crime has occurred in order to hold them more than a few days. I agree that the threshold for holding people is low, but unless the crimes are very serious (murder, etc.) almost everyone can be bail bonded out.
Arkaleus
Nov 21, 2011

Rank: 3 / 5 (6)
The solution to this "threat" is for governments to exploit the fascist relationships it has with hardware manufacturers. Intel could easily redesign its CPUs to offer an amazingly fast "accelerated" AES processing chip that promises to speed up all encryption processes, but at the same time cache the passwords for use by "authorized agents" of whatever government they operate under.

I wonder when Intel will do that. . .
Nik_2213
Nov 21, 2011

Rank: 4 / 5 (1)
'perpetuate crimes' ??

I suspect a pun...
ekim
Nov 21, 2011

Rank: 5 / 5 (8)
Not all governments are created equal. Encryption is a valuable tool against corrupt and repressive regimes. If a non-corrupt government could access encrypted files to thwart criminals, it would only be a matter of time before a corrupt government, and/or criminals, would use this knowledge against law abiding citizens.
MorituriMax
Nov 21, 2011

Rank: 5 / 5 (2)
Can't you just use your right to self-incrimination to refuse to reveal your password no matter what law they try and pass?

Furthermore, if they do ask, you can just accidentally give them the wrong one enough times to trigger the destruction of the protected data.

Finally, truecrypt is your friend, full hard drive encryption with a 64 character random password.

"study is also very useful for reminding anybody with criminal activities to encrypt their drives if they didn't do so already

ur taxpayer money hard at work

lol"

I could care less if we are "helping" criminals by discussing legal ways to keep the government out of my personal files. Should we stop investing in the stock market because criminals do too?
tadchem
Nov 22, 2011

Rank: 5 / 5 (4)
...and the ancient tug-of-war between offensive and defensive strategies finds a new venue - cyberspace.
One of the enduring lessons from Star Trek (first season episode #18, "Arena") is that the difference between good and evil lies not in their methods but their motives. To protect my personal identity data from cybercriminals I must also protect it simultaneously against the 'authorities'.
antialias_physorg
Nov 22, 2011

Rank: 5 / 5 (2)
"Can't you just use your right to self-incrimination to refuse to reveal your password no matter what law they try and pass?"

You can always say you don't remember.

"Furthermore, if they do ask, you can just accidentally give them the wrong one enough times to trigger the destruction of the protected data."

That wouldn't help. They could make a bitwise copy of the data first (something they should be doing as a standard procedure - if they're not doing it then they are really stupid). So you'd just be destroying the copy.

Unless you're clever enough to combine your password with the hardware specific ID (i.e. even the correct password wouldn't work on a copied drive)...but that can be spoofed. So no ultimate security from that quarter.
jakack
Nov 22, 2011

Rank: 4 / 5 (4)
"...the difference between good and evil lies not in their methods but their motives."


Right on :-) From gun ownership to Iranian nukes, this is the heart of the matter. We don't want bad people to have this technology, while at the same time we don't want to limit the freedoms of those people whom it can benefit for good.
antialias_physorg
Nov 22, 2011

Rank: 5 / 5 (3)
"We don't want bad people to have this technology, while at the same time we don't want to limit the freedoms of those people whom it can benefit for good."

Life is a bit more complex than this. You always have to factor in
- how much damage one deranged individual can cause
- how many people benefit from legitimate use

If the legitimate use is marginal (as in the case of nukes...or guns for that matter) then one can argue that it's better to not allow Iran (or the US or Russia, or anyone else) to have nukes.

Disk encryption as a safety measure has plenty of legitimate uses with very little damage that can be done with it. So here one can argue that it's all good.
jakack
Nov 22, 2011

Rank: 2.3 / 5 (3)
"Life is a bit more complex than this."


Agreed!! However, it is within these complexities in which we may disagree. At least we can agree that we don't want bad people to have the tools to do bad things. I know it's a simple and mundane statement to make, but if conversation isn't grounded to this fact, we'd be just spinning our wheels in disagreement!
jakack
Nov 22, 2011

Rank: 3.7 / 5 (3)
@Antialias - I do think encryption could be used for covering up crime just as a meat-grinder could. But, to your point, since it really is used mostly for good reasons, I see no need for the attempt to regulate it. It's just another hurdle for investigators at this point when there is a crime to dig into.
Ricochet
Nov 22, 2011

Rank: 5 / 5 (2)
Yes, always stay away from meat pie vendors that have a barber located upstairs...
antialias_physorg
Nov 23, 2011

Rank: 3.7 / 5 (3)
"I do think encryption could be used for covering up crime just as a meat-grinder could."

Certainly. That's why I said the beneficial uses must outweigh the costs (one reason why I think that guns should be banned while calling for a ban on kitchen knives is ludicrous)
Technowitch
Nov 25, 2011

Rank: not rated yet
"You're misinformed. Officials must be able to present enough evidence that a crime has occurred in order to hold them more than a few days. I agree that the threshold for holding people is low, but unless the crimes are very serious (murder, etc.) almost everyone can be bail bonded out."

Not so. All you have to do is cross a national border and Customs inspectors can--and often do--confiscate computers, external and thumb drives, and cell phones, based on nothing more than whim. They have also compelled people to give up their passwords upon threat of arrest for failing to cooperate.
BillFox
Nov 25, 2011

Rank: not rated yet
This isn't news... Any computer science major could have told you this...
Phoe
Nov 27, 2011

Rank: not rated yet
"Besides cops can grant immunity to a key witness, provided he spill all the beans."


Actually, they can't. Only the DA and those above him have that sort of power, and they don't have to abide by such word at all. Even if you got the DA to sign a legal document stating that he will give you immunity and had it all notarized, he doesn't have to abide by it because it was signed under duress (the duress being that you forced him to sign before you would talk).

Now, police will lie and say they will give you immunity (or give you a good word) to try to get a confession/information, along with all sorts of other tricks they have in their toolbox. I even saw something once where an officer would carry a big old tape recorder into the interrogation room with him and have it recording just so he could turn it off and ask a question "off the record" to get them to respond, and of course there is no such thing as off the record (there are cameras watching).
Humpty
Nov 28, 2011

Rank: 1 / 5 (1)
Forget the cops - what about keeping thieving, snooping pricks out of your data.

For that reason alone disk encryption alone is a necessary issue.
Arkaleus
Nov 30, 2011

Rank: 1 / 5 (1)
Currently US citizens can't be compelled to reveal passwords because of the protections of the 5th amendment. The rest of the enslaved west does not enjoy this protection. Citizens crossing a border may be exposed to illegal searches and confiscations without due process because of DHS thuggery, but the federal courts have already ruled against the DHS on this matter. Non citizens and those the DHS deems terrorists will probably not be afforded any due process and possibly tortured until they reveal their passwords. It's the reality we face under the new order.

Use Truecrypt and encrypt your systems now. Use every means to defy the powers that are exploiting our vulnerabilities to empower themselves and cheat us of our liberties.

We need to realistically examine the nature of the current powers to understand the need for the security of our private communications. Our patterns of life and behaviors need to be protected from exploitation by a criminal state.
Ken2
Dec 02, 2011

Rank: not rated yet
Here's the solution I found for a perfect protection of data.

1 - Use True Crypt
2 - Create a hidden volume
3 - Use a complicated password (that you cannot remember) and hide it in plain sight (on my desktop)
4 - But this password will only open the "normal" volume of True Crypt.
5 - To open the hidden volume, you need to add a 5-digit code which is easy to remember but not written anywhere.

There is, I think, no way to get access to the hidden volume since no one knows if it is there or not and I do not know the full password.

My only frustration is that I cannot use Chinese characters for my passwords. This would add a layer of complexity difficult to pass outside Asia.
gowen
Dec 15, 2011

Rank: not rated yet
"of people using the computer to perpetuate crimes" - the problem with computers is that the spell checkers often perpetrate not-quite-the-word-you-meant-to-use errors.
antialias_physorg
Dec 15, 2011

Rank: not rated yet
"There is, I think, no way to get access to the hidden volume"

Are you certain the makers of truecrypt haven't been obligated to add a back door?

"since no one knows if it is there"

Ya think having a lot of seemingly empty harddisk space won't give people a clue that there still might be something encrypted there? Secret service IT guys may be stupid - but they are not THAT stupid.

Especially if you're using an SSD instead of a HDD the usage patterns make it blindingly obvious.

"My only frustration is that I cannot use Chinese characters"

Since rainbow table attacks work on the entire character set it's no real advantage to use any one character over another - whether Arabic, Chinese or Latin.
Ken2
Dec 17, 2011

Rank: not rated yet
The fact of the matter is that currently there is no way to guarantee 100% security. That much is true. So, short of that there is only one yardstick: How much money will people invest to get to the data? It of course depends on the value of the data. So the answer to the question is that your password must be more expensive to crack than the value of the information encrypted. This makes the goal easier to achieve.
Q-1 - Backdoors. People making hardware are large companies which can easily be "bullied" and you can therefore expect a backdoor on most hardware. This is not the case for software.
Q-2 - Empty space. Most HDD today are huge and 99% of the people use only a fraction of the space. The beauty of a Hidden volume is that it is not a file and appears as completely random 0 and 1. Even if there is doubt, there is no proof.
Q-3 - The value of non Latin characters is the double-byting (coding the characters on 2 bytes instead of one.) You will need a supercomputer to crack this!
OldWilliam
Dec 17, 2011

Rank: not rated yet
You folks have it easy!

Part III of the Regulation of Investigatory Powers Act 2000 (applies to whole of UK, including Scotland, which has its own legal systems) was activated in 2007, and relates to "Investigation of electronic data protected by encryption etc."

Section 49 and Schedule 2 of the Act provide for "Notices requiring disclosure" - in short, if you don't hand over the encryption key or keys, or the original material in unencrypted form, game over - up to two years imprisonment (five in terrorism cases) if you fail to comply!
antialias_physorg
Dec 17, 2011

Rank: not rated yet
"This is not the case for software."
Why exactly not? Companies are open to the same sort of pressure - whether hardware or software (and smaller ones certainly more so than larger ones)
"Empty space. Most HDD today are huge and 99% of the people use only a fraction of the space. The beauty of a Hidden volume is that it is not a file and appears as completely random 0 and 1."

The problem is that the encryption software itself cannot be encrypted (or you couldn't start it). So the presence of such software is blindingly obvious and a dead giveaway where the encrypted files are. (SSDs make it even easier because you can see the usage patterns)

"You will need a supercomputer to crack this!"

Brute force is not the only way. Hashtables/rainbow attacks are much simpler. Keylogging your password maybe simplest. There are many ways to get at a protected file - encryption software only protects against the most obvious one.
Ken2
Dec 17, 2011

Rank: not rated yet
Agreed, all your points are valid and every solution must be adapted to your particular circumstances.
I am not Julian Assange and I only have personal data to protect. So I do not expect some secret service guys to pop up into my bedroom at night. Now, I do cross borders a lot and the chance to be checked is real. This is the one thing against which I care.
For this, not having your data on your computer but on a "half empty" drive is good enough (The half are business Docs). I also use drives with a hardware code (which I can give to anyone who asks since there must be a back door anyway) Truecrypt for which I only have half the code (the rest is available at destination) my HDD needs a special USB cable which I do not have with me!
So the data is, I think, far more difficult to access than it is worth. That's all... and it's good enough for my purpose.