Federal ruling on compelling passwords from defendants

December 19, 2007

More detail here: http://www.news.com/8301-13578_3-9834495-38.html?tag=nefd.blgs

The short summary is that a federal judge ruled that a defendant could not be forced to reveal his encryption password, because the Fifth Amendment protects him against self-incrimination.

This is good news for privacy lovers out there, but I’m sure that the government will try to get this one overturned. We’ll see how it pans out.


“Full” disk encryption in Ubuntu 7.10

November 7, 2007

With the 7.10 release, Ubuntu now lets you set up “full” drive encryption right from the install disk. Granted, it is the “alternate” install disk, which is aimed at power users and doesn’t have a graphical installer. What it does is create a small boot-only partition holding the kernel and boot loader files, and put the rest of the disk into one encrypted volume that contains the root and swap partitions. Keep in mind that the installer doesn’t overwrite every sector of the encrypted partition: only sectors that actually get written to become ciphertext, and whatever was on the disk before stays readable until it is overwritten. So you should really wipe your drive with DBAN or something similar before installing.
The only problem I had was with my graphics: when it asks for your password it switches display mode (apparently), and my on-board graphics chipset wasn’t quite up to the task. Plugging in an actual video card fixed the problem.
I’ve only been using it for a few days, and it seems pretty slick. Like DCPP, it doesn’t seem to slow down drive access noticeably. The only thing I’m not too happy with is that not only the boot loader but the entire Linux kernel sit unencrypted on the boot partition. It would seem a pretty easy thing to install a trojaned kernel configured to log keystrokes or whatever (I’ll do a little testing to see how hard it would be to switch from a boot partition to a boot CD, something that would be a little harder to modify). Also, the encrypted partition is pretty obviously encrypted. Even if you created some kind of boot CD, overwrote the boot partition and installed FreeDOS or something, you would still be out of luck, since the encrypted partition announces its encrypted nature with header data. So you can’t do the “totally hidden OS” trick with this like you can with DCPP.
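To make “announces its encrypted nature with header data” concrete, here is an added example (not from the original post) of what a LUKS1 volume, which is what the Ubuntu alternate installer’s encrypted setup uses through dm-crypt, reveals in the clear. A LUKS1 volume starts with a fixed-layout plaintext header carrying a magic string, the cipher name and mode, the hash, a UUID and a key-slot table; the offsets below follow the LUKS1 on-disk specification. The header parsed here is constructed in memory with no real key material; scan_device() reads the same bytes from a real partition (e.g. /dev/sda5, as root) and reports the fields cryptsetup luksDump would.

```python
"""Parse a LUKS1 on-disk header to show what a dm-crypt/LUKS volume exposes unencrypted.

Added example, not part of the original post.  Offsets follow the LUKS1
on-disk format: magic, version, cipher name/mode, hash, payload offset,
key length, UUID and eight 48-byte key slots.
"""
import struct
import uuid as uuidlib

LUKS_MAGIC = b"LUKS\xba\xbe"
HEADER_LEN = 592                  # 208-byte fixed part + 8 key slots * 48 bytes
KEYSLOT_ENABLED = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob: bytes):
    """Describe the LUKS1 header at the start of blob, or return None if it is not LUKS."""
    if len(blob) < HEADER_LEN or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version != 1:
        return {"version": version, "note": "LUKS, but not version 1; layout differs"}
    payload_offset, key_bytes = struct.unpack(">II", blob[104:112])
    info = {
        "version": version,
        "cipher": _cstr(blob[8:40]),
        "mode": _cstr(blob[40:72]),
        "hash": _cstr(blob[72:104]),
        "payload_offset_sectors": payload_offset,   # where the ciphertext starts
        "key_bytes": key_bytes,
        "uuid": _cstr(blob[168:208]),
        "active_keyslots": [],                      # (slot, PBKDF2 iterations)
    }
    for slot in range(8):
        base = 208 + slot * 48
        active, iterations = struct.unpack(">II", blob[base:base + 8])
        if active == KEYSLOT_ENABLED:
            info["active_keyslots"].append((slot, iterations))
    return info


def build_sample_header(cipher="aes", mode="cbc-essiv:sha256", hash_spec="sha1",
                        key_bytes=32, slots=(0,)) -> bytes:
    """Constructed LUKS1 header for the demonstration; contains no real key material."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:72 + len(hash_spec)] = hash_spec.encode()
    struct.pack_into(">II", hdr, 104, 2056, key_bytes)  # payload offset (sectors), key length
    struct.pack_into(">I", hdr, 164, 10000)             # master-key digest iterations
    sample_uuid = str(uuidlib.UUID(int=0x1234567890abcdef1234567890abcdef)).encode()
    hdr[168:168 + len(sample_uuid)] = sample_uuid
    for slot in range(8):
        base = 208 + slot * 48
        if slot in slots:
            struct.pack_into(">II", hdr, base, KEYSLOT_ENABLED, 120000)
            struct.pack_into(">II", hdr, base + 40, 8 + slot * 256, 4000)  # key material offset, stripes
        else:
            struct.pack_into(">I", hdr, base, KEYSLOT_DISABLED)
    return bytes(hdr)


def scan_device(path: str):
    """Read the first sectors of a block device or image file and report whether it is LUKS."""
    with open(path, "rb") as f:
        return parse_luks1_header(f.read(HEADER_LEN))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_device(target) if target else parse_luks1_header(build_sample_header())
    print(result if result else "no LUKS1 header found")
```

The point for the hidden-OS discussion: every one of those fields is plaintext, so anyone with a hex editor can tell the partition is a LUKS volume, which cipher it uses and how many key slots are in use, long before any passphrase is entered.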


EnCase Computer Forensics Demo

May 4, 2007

Here is a small video I worked up showing EnCase in action. It is pretty brief since EnCase is a pretty complicated application. However, I think it illustrates how effective forensic software is at analyzing data. Sorry the YouTube video is hard to see. It got resized, but I think it is still pretty obvious what is happening.


Windows Autorun

May 3, 2007

This will probably be a “well, duh” statement for many people, but the implications are pretty severe.

If Windows’ autorun “feature” is turned on, it still operates even when you have locked your screen. In other words, it is very easy for anyone with physical access to install trojans etc. unless you turn it off.

In most cases it is best to turn your computer off when you can’t be physically present, but I admit to leaving for a while and relying on my screen lock only.

So the moral of the story is: “Turn off autorun!” and test it to make sure it is really off.
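Inserting a disc is the real test, but the setting can also be read back from the registry. The following is an added example (not from the original post) that decodes the NoDriveTypeAutoRun policy value: bit n of the value disables autorun for drive type n, where n is the DRIVE_* constant GetDriveType() returns (DRIVE_REMOVABLE=2, DRIVE_FIXED=3, DRIVE_REMOTE=4, DRIVE_CDROM=5, DRIVE_RAMDISK=6), and 0xFF disables every type. The value can be set under HKLM (machine-wide / Group Policy) and under HKCU (per user); the check below is deliberately conservative and only calls autorun off when every hive that sets the value sets 0xFF. The registry read needs Windows; the decoding runs anywhere.

```python
"""Decode the NoDriveTypeAutoRun policy value and report which drive types still autorun.

Added example; not from the original post.  Bit n of NoDriveTypeAutoRun disables
autorun for drive type n (the DRIVE_* value from GetDriveType); 0xFF disables all.
"""
DRIVE_TYPES = {
    0: "unknown",
    1: "no root directory",
    2: "removable (floppy, USB stick)",
    3: "fixed (hard disk)",
    4: "remote (network share)",
    5: "CD-ROM / DVD",
    6: "RAM disk",
    7: "reserved",
}
REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def decode_autorun_mask(mask: int) -> dict:
    """Split a NoDriveTypeAutoRun value into the drive types it disables and those it leaves on."""
    disabled = [name for bit, name in DRIVE_TYPES.items() if mask & (1 << bit)]
    enabled = [name for bit, name in DRIVE_TYPES.items() if not mask & (1 << bit)]
    return {"mask": mask, "disabled": disabled, "enabled": enabled,
            "fully_off": (mask & 0xFF) == 0xFF}


def read_policy_value(hive_name: str):
    """Read NoDriveTypeAutoRun from 'HKLM' or 'HKCU'; None if absent, not a DWORD, or not on Windows."""
    try:
        import winreg
    except ImportError:            # not running on Windows: nothing to read
        return None
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    try:
        with winreg.OpenKey(hive, REG_PATH) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:                # key or value missing
        return None
    return int(value) if kind == winreg.REG_DWORD else None


def effective_autorun_status(hklm_value, hkcu_value) -> dict:
    """Combine both hives conservatively: autorun counts as off only if every set value is 0xFF."""
    values = {name: v for name, v in (("HKLM", hklm_value), ("HKCU", hkcu_value)) if v is not None}
    if not values:
        return {"sources": [], "values": {}, "enabled": None, "fully_off": False,
                "note": "value not set in either hive; the Windows default applies, "
                        "which on Windows of this era leaves CD/DVD autorun on"}
    decoded = {name: decode_autorun_mask(v) for name, v in values.items()}
    enabled = sorted(set().union(*(d["enabled"] for d in decoded.values())))
    return {"sources": sorted(values), "values": values, "enabled": enabled,
            "fully_off": all(d["fully_off"] for d in decoded.values())}


if __name__ == "__main__":
    status = effective_autorun_status(read_policy_value("HKLM"), read_policy_value("HKCU"))
    verdict = "autorun is OFF for all drive types" if status["fully_off"] else "autorun is still ON"
    print(verdict, status)
```

Run it as the user whose desktop gets locked, since the HKCU value is per user. A result that lists anything under "enabled" means a disc or stick of that type will still autorun at the lock screen, whatever the Explorer options dialog says.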


DriveCrypt Plus Pack 3.9

February 28, 2007

I finally got around to looking at DCPP 3.9 and had a few observations that might be interesting to those who are interested in that sort of thing :) .

In previous versions of DCPP, the only unencrypted data was in the boot sector: if you searched your HD for the string “DCPP”, the only place you would find it was the boot sector. With the current version, however, the boot sector code has been replaced with a “stub” that points to unencrypted sections of the disk holding the rest of the boot code. Where do these come from? When you install BootAuth, DCPP creates some “bootauth.sys” files in the root of the C: drive, and the sectors that hold these files are apparently *not* encrypted. So any modification made to these files from inside the OS is visible to someone examining the encrypted drive forensically, and vice versa. In practice I don’t think this is much more of a security problem than having the boot sector unencrypted, which has always been the case. However, it might make it easier for an attacker to use these files to load trojans into the system: before, someone wanting to do this had to work within the boot sector code, which doesn’t leave a lot of spare room; now, entire files are exposed unencrypted. We’ll see how it all pans out. Incidentally, the procedure I give below for “fully hidden” DCPP installations still works fine with this version. In fact, it gets rid of the exposed files on disk, since they reside in the “outer” OS, which the procedure overwrites with its pre-DCPP copy.


Fully Hidden Drive Crypt Plus Pack Installation

January 10, 2007

DCPP, which lets you encrypt your entire HD (except for the boot sector, of course), also has the ability to install a second, “hidden” OS in the free space of another, “outer”, DCPP installation. The idea is that you keep all sensitive data off the outer installation and only use your inner, “hidden” installation for sensitive work. If you are forced to reveal your password, you give up the outer, fake, password, and they shouldn’t be able to tell that you have a second hidden OS, since encrypted data in free space should look like random data. Random data in free space can have an innocent explanation, such as having run a disk-wiping program.
The problem I have with this is that even though you have a “safe” password to give out, any government investigator worth their salt will know about DCPP’s hidden OS function. If they think this is what is happening, I wouldn’t put it past them to try to muscle/intimidate/trick you into admitting it or giving out your real password.
After working with it a while, I now have a method for keeping an actual DCPP hidden OS in free space with these features:

  • An actual, bootable outer OS with no password prompt
  • No trace of encryption software on the HD, including the boot sectors
  • A hidden OS that is bootable only from a rescue floppy/CD

Now you can have an outer OS that can be scanned freely and should not turn up any “red flags” except random data in free space. But, like I said, a disk-wiping program can cause that. Many companies and savvy individuals routinely wipe their HDs before getting rid of them, so this shouldn’t look that unusual.
To do this, I used two drives: the one I am preparing and another one that contains the tools I use to prepare the first. This way, sensitive tools (EnCase, WinHex, DCPP) are never present in the “fake” OS. Also, I am using DCPP 3.0. There are newer versions of DCPP, and when I get hold of them I will test this procedure and make sure it still works. Ready? Here goes:

  1. Get your target drive and wipe it. I used Darik’s Boot and Nuke (DBAN). I had two problems with DBAN: it zeroed out the drive on its final pass, and I wanted it to leave random-looking data; and second, it didn’t touch the boot area of the HD (the first 63 sectors). The drive I used had previously held DCPP and so still had DCPP’s special boot sector. I finally just copied the boot sector from a non-encrypted computer and used that. Verify all of this with EnCase or WinHex.
  2. Format with FAT32 (very important; you can switch to NTFS later for your real OS) and install Windows and all the programs you might use that wouldn’t look suspicious. No encryption software, no security tools, nothing like that: just a basic Windows installation. If you want it to look even more realistic, use the system for a couple of weeks. This is the system people will see when they inspect your HD.
  3. Install this drive as a secondary drive and run a defragmentation program from another drive against it. I used O&O Defrag and was very impressed. Make sure that *no* data ends up too far down the disk: everything needs to sit at the top of the drive to leave the largest possible run of contiguous free space.
  4. Copy your clean boot sector with dd like this (Google “forensic acquisition tools” for a Windows build of dd):
    dd ibs=512 count=63 if=\\.\physicaldrive1 of=winbs.bin
    That reads the first 63 blocks of 512 bytes from your hard drive and saves them in the file winbs.bin. This is your boot sector plus the rest of track 0. Verify it with EnCase or WinHex. Note that you will have to run this as a user with Administrator rights, since raw disk access is a protected operation on Windows.
  5. On your defragmented HD find the last sector that has data on it. For a regular XP installation this should be around the 2 to 3 GB mark. Note the sector number in EnCase (if you are using WinHex, make sure you don’t read the number in hex). Add a little to it and then copy your entire “fake” OS with a command like this:
    dd ibs=512 count=YOURCOUNT if=\\.\physicaldrive1 of=origos.bin
    where YOURCOUNT is the number of 512-byte sectors to copy from the start of the disk, i.e. the sector number you noted plus your margin. Don’t be afraid to give yourself a little extra room. Note that this is the command line for a secondary HD; your primary would be physicaldrive0.
  6. Now reboot from the drive you are preparing and install DCPP with a hidden OS. Give yourself lots of extra space before the start of your hidden OS; I used 800 MB. That way, if your outer (fake) OS takes up 2.5 GB, your hidden OS starts at roughly the 3.3 GB point on the disk. Read DCPP’s documentation on hidden OS creation, but in broad strokes:
    • Install DCPP on a FAT32 installation of Windows.
    • Create two key stores in two different files, with two different keys and two different passwords (real and fake).
    • Install BootAuth (the DCPP boot sector) and encrypt the drive with your fake key store/key.
    • Reboot, log into your fake key store in DCPP and select the FAT32 drive. The Hidden OS button becomes enabled; click it.
    • Give it the path to your real key store and your real password. As I said above, leave plenty of space before the real OS start point. You can also tell it to use NTFS as the file system for the real OS. Click “Create Hidden OS”.
    • It will create the hidden OS. When it has finished, reboot using your real password.
    • In DCPP, log into your real key store and select your current drive. You will have to re-encrypt at this point, because the hidden OS is created unencrypted.
    • Reboot, and if it works, make yourself a few rescue disks, as this is how you will have to boot your system once we are finished.
  7. Make sure you have a few good boot disks. From now on this is how you will always have to start your real OS.
  8. Reboot from the drive you used earlier to copy the boot sector and OS. Copy the boot sector of your DCPP drive again (the same dd command as in step 4, to a different file). Keep this copy in case you ever need it: for instance, you will have to reinstall it to make more DCPP boot disks, and then reinstall your “clean” boot sector afterwards.
  9. Copy your clean OS back onto your DCPP drive with:
    dd ibs=512 count=YOURCOUNT if=origos.bin of=\\.\physicaldrive1
    Make sure YOURCOUNT is the same as before. Since origos.bin starts at sector 0, this also puts the clean Windows boot sector back.
  10. Done! That was easy, huh >;->

Boot your fake OS (without your boot disk) to make sure it works. But try not to use it much from now on: there should be a good bit of space before you would start stomping on your hidden OS’s data, but it is not something to risk too often.
So at this point you should have what looks like a normal HD, free of encryption tools or anything else that would arouse suspicion, that boots without a password and can be freely inspected (though I would set a BIOS password to stop curious people from starting your fake OS and mucking around in it). Double-check your boot sector with EnCase or WinHex to make sure it contains only the default Windows boot sector. If you see the string “DCPPBOOT” or “DCPP”, you aren’t completely clean. Enjoy!
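The dd steps above (4, 5, 8 and 9) and the final “search for DCPP strings” check, as well as the string search mentioned in the DCPP 3.9 notes, are easier to reason about on a small image than on a live disk. The following is an added example, not part of the original post and not DCPP’s code: it builds a 2 MiB stand-in disk image in memory, carves and restores sector ranges the way the dd commands do, simulates the DCPP install with a BootAuth-style stub and ciphertext-looking filler, and then scans the first 63 sectors for the marker strings. last_used_sector() is a simplification that treats the last non-zero sector as “the last sector that has data”, where the procedure reads that figure off EnCase or WinHex; the marker scan works unchanged on a real dd image read into memory.

```python
"""Emulate the dd steps of the hidden-OS procedure on a disk image, then run the
"search the boot area for DCPP" check.

Added example; not part of the original post and not DCPP's code.  The image is
constructed in memory (4096 sectors); the "DCPP install" is a stand-in that writes
a BootAuth-style stub into sector 0 and fills the rest with ciphertext-looking bytes.
"""
import random

SECTOR = 512
BOOT_AREA_SECTORS = 63              # track 0 on a legacy MBR disk, the 63 sectors the post copies
MARKERS = (b"DCPPBOOT", b"DCPP")    # longest first, so a DCPPBOOT hit is not also counted as DCPP


def dd_read(image: bytes, count: int, skip: int = 0) -> bytes:
    """dd ibs=512 count=<count> skip=<skip>: copy whole sectors out of the image."""
    return bytes(image[skip * SECTOR:(skip + count) * SECTOR])


def dd_write(image: bytearray, data: bytes, seek: int = 0) -> None:
    """dd obs=512 seek=<seek>: write data back into the image at a sector offset."""
    image[seek * SECTOR:seek * SECTOR + len(data)] = data


def last_used_sector(image: bytes) -> int:
    """Index of the last sector that is not all zeros, or -1 for a blank image (simplification)."""
    for n in range(len(image) // SECTOR - 1, -1, -1):
        if any(image[n * SECTOR:(n + 1) * SECTOR]):
            return n
    return -1


def find_markers(blob: bytes, base_sector: int = 0):
    """(sector, offset within sector, marker) for every DCPP marker string found in blob."""
    seen = {}
    for marker in MARKERS:
        pos = blob.find(marker)
        while pos != -1:
            seen.setdefault(pos, marker.decode())
            pos = blob.find(marker, pos + 1)
    return [(base_sector + p // SECTOR, p % SECTOR, m) for p, m in sorted(seen.items())]


def boot_area_markers(image: bytes):
    """The post's final check: scan the first 63 sectors for DCPP strings."""
    return find_markers(dd_read(image, BOOT_AREA_SECTORS))


def build_fake_os_image(total_sectors: int = 4096, os_sectors: int = 1500) -> bytearray:
    """Constructed stand-in for the wiped disk after the 'fake' Windows install."""
    image = bytearray(total_sectors * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x58\x90"                        # FAT32-style boot-sector jump
    mbr[3:11] = b"MSWIN4.1"                           # OEM name; nothing DCPP-related
    mbr[510:512] = b"\x55\xaa"
    dd_write(image, bytes(mbr))
    for n in range(BOOT_AREA_SECTORS, BOOT_AREA_SECTORS + os_sectors):
        dd_write(image, (b"OSDATA%06d" % n).ljust(SECTOR, b"\x00"), seek=n)
    return image


def install_dcpp_stand_in(image: bytearray) -> None:
    """Mimic what DCPP leaves behind: a BootAuth stub in sector 0, ciphertext everywhere else."""
    stub = (b"\xeb\x3c\x90DCPPBOOT" + b"\x00" * SECTOR)[:510] + b"\x55\xaa"
    dd_write(image, stub)
    body = (len(image) // SECTOR - 1) * SECTOR
    filler = random.Random(0xDC).getrandbits(body * 8).to_bytes(body, "little")  # deterministic "ciphertext"
    dd_write(image, filler, seek=1)


def hide_installation(image: bytearray, margin_sectors: int = 1600) -> dict:
    """Steps 4, 5, 8 and 9 of the procedure, run against the image."""
    clean_boot = dd_read(image, BOOT_AREA_SECTORS)          # step 4: winbs.bin
    count = last_used_sector(image) + 1 + margin_sectors    # step 5: YOURCOUNT, with margin
    origos = dd_read(image, count)                          # step 5: origos.bin
    install_dcpp_stand_in(image)                            # step 6 (the real thing takes hours)
    markers_before = boot_area_markers(image)
    dcpp_boot = dd_read(image, BOOT_AREA_SECTORS)           # step 8: keep BootAuth for later
    dd_write(image, origos)                                 # step 9: clean OS back on top
    return {"count": count, "clean_boot": clean_boot, "dcpp_boot": dcpp_boot,
            "markers_before": markers_before, "markers_after": boot_area_markers(image)}


if __name__ == "__main__":
    disk = build_fake_os_image()
    report = hide_installation(disk)
    print("sectors copied:", report["count"])
    print("markers with BootAuth installed:", report["markers_before"][:3])
    print("markers after restoring the clean image:", report["markers_after"])
```

Two things the miniature makes visible: the restored region is byte-for-byte the pre-DCPP image (so the bootauth.sys files mentioned in the 3.9 notes disappear along with the stub), while everything past YOURCOUNT stays as indistinguishable-from-random ciphertext, which is exactly the “wiped free space” story the outer OS has to tell.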


EnCase by Guidance Software

January 10, 2007

We have all heard the horror stories of government agents seizing people’s computers and, with their high-tech government software, finding all the CP and warez the owner supposedly had on the system, even though they tried their best to hide them. Well, this is pretty much true. Government-grade computer forensics software is pretty bad-ass. It has perfected screwing people over to a fine art. EnCase is such a tool.

EnCase: all I can say is, learn how to use this software! EnCase is probably the most popular forensics package among government snoops, and knowing how to use it is knowing how the “enemy” works and thinks. It will also let you verify that the security procedures you follow (file overwriting, free-space wiping, temp-file deletion) are actually working. I’ve been surprised a couple of times when I thought I had removed all relevant evidence from my computer, only to have EnCase turn up something I had either overlooked or did not know existed. EnCase supports FAT12, FAT16, FAT32, NTFS, HFS, HFS+, CDFS, EXT2, UFS, RAID drives, Palm PDAs and *all* file system types in raw mode. Still think the fact that you run NetBSD is going to throw off the snoops? EnCase will also let you create a boot disk that does a full disk capture of a target machine over a parallel or network cable, without ever booting from the hard drive. One of the things learning EnCase will show you is what really comprises good security. For instance, if you’re like me you might think that renaming a file will hide its true contents. Who would think that Metallica.wav was really a renamed copy of Terrorist Bomb Plans.doc? Nobody, right? Wrong! EnCase has a little feature known as Signature Analysis. Basically, SA goes through every file on a file system and flags each one whose extension doesn’t match what EnCase believes the content to be, judged from the bytes of the actual file.
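As an added example (not the post’s own material, and not EnCase’s code), here is the Signature Analysis idea in a few dozen lines of Python: read the first bytes of every file, match them against a table of known signatures, and flag any file whose extension doesn’t fit what the content says. The signature table is a small hand-picked subset of what a real tool carries, and the sample tree, including the renamed Word document posing as Metallica.wav, is constructed in a temporary directory for the demonstration.

```python
"""Minimal file-signature analysis, in the spirit of EnCase's Signature Analysis.

Added example; not the post's own material or EnCase's code.  The signature table
is a small hand-picked subset, and the sample files are constructed in a temp dir.
"""
import os
import tempfile

# (label, ((offset, magic bytes), ...), extensions that legitimately carry this signature)
SIGNATURES = [
    ("OLE2 compound document (Office .doc/.xls/.ppt)",
     ((0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),), {"doc", "xls", "ppt", "msg"}),
    ("RIFF WAVE audio", ((0, b"RIFF"), (8, b"WAVE")), {"wav"}),
    ("JPEG image", ((0, b"\xff\xd8\xff"),), {"jpg", "jpeg"}),
    ("PNG image", ((0, b"\x89PNG\r\n\x1a\n"),), {"png"}),
    ("GIF image", ((0, b"GIF87a"),), {"gif"}),
    ("GIF image", ((0, b"GIF89a"),), {"gif"}),
    ("PDF document", ((0, b"%PDF"),), {"pdf"}),
    ("ZIP archive (also docx/xlsx/jar)", ((0, b"PK\x03\x04"),), {"zip", "docx", "xlsx", "pptx", "jar"}),
    ("Windows executable (MZ)", ((0, b"MZ"),), {"exe", "dll", "sys", "scr", "ocx"}),
]
KNOWN_EXTENSIONS = set().union(*(exts for _, _, exts in SIGNATURES))
HEAD_LEN = 64


def identify(head: bytes):
    """Return (label, extensions) for the first signature matching the file head, or None."""
    for label, parts, exts in SIGNATURES:
        if all(head[off:off + len(magic)] == magic for off, magic in parts):
            return label, exts
    return None


def classify_file(path: str):
    """Return (extension, detected label or None, status) for one file."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    with open(path, "rb") as f:
        head = f.read(HEAD_LEN)
    hit = identify(head)
    if hit is None:
        # no known signature: suspicious only if the extension claims a type we can recognise
        return ext, None, ("bad signature" if ext in KNOWN_EXTENSIONS else "unknown")
    label, exts = hit
    return ext, label, ("match" if ext in exts else "bad signature")


def signature_analysis(root: str):
    """Walk root and classify every file; returns [(relative path, ext, label, status), ...]."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            ext, label, status = classify_file(full)
            results.append((os.path.relpath(full, root), ext, label, status))
    return sorted(results)


def make_sample_tree() -> str:
    """Constructed sample: a renamed Word document hiding as a .wav, among honest files."""
    root = tempfile.mkdtemp(prefix="sigdemo_")
    samples = {
        "Metallica.wav": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,   # really an OLE2 .doc
        "song.wav": b"RIFF" + b"\x24\x08\x00\x00" + b"WAVEfmt " + b"\x00" * 500,
        "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 56,                       # PNG wearing a .jpg name
        "readme.doc": b"just some text, not an Office file",
        "notes.txt": b"hello",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for row in signature_analysis(make_sample_tree()):
        print("%-15s %-4s %-45s %s" % row)
```

Note the two-way logic: a file is flagged both when its bytes match a signature that doesn’t belong to its extension (Metallica.wav) and when its extension claims a recognised type but the bytes match nothing (readme.doc). The second case is what catches “encrypted” or wiped files that keep a normal-looking name.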


Welcome to Stealth!

January 9, 2007

The government(s) is(are) freaking out. They make up new computer laws and then vigorously pursue and prosecute anyone who violates them. Even if someone uses your computer for something illegal and gets caught, it still reflects badly on you. If someone wanted to do you some harm and planted a bunch of CP on your HD and then tipped off the cops, what would happen? You’d be screwed. Why? Because computer technology and the Internet have snuck up on governments and industry, and they realize that their bizarre laws are going to be much harder to enforce than they originally thought. That translates into stiff penalties for the people they catch (or believe that they have caught).
Why on Earth would someone make computer data illegal? It’s stupid. It’s data folks, ones and zeroes. It’s not going to kill anybody (directly anyway), it’s not going to molest kids, it’s not going to steal valid products that people have worked hard to produce. The only thing that it’s going to do is cut into the bottom lines of companies who develop software and “content” (not necessarily a bad thing I’d argue) and make it harder for governments to enforce their random codes of civil (not moral) ethics.
So what do you do? Aside from running Freenet, cover your tracks. That’s what I hope that this site will help you do. I don’t know everything about computer security, but I know a little bit that should help people be better equipped to conceal what they do on their systems, and better understand how government snoops work and collect “evidence”. I mainly work on the Windows platform so not all of this information will be helpful to the Unix folks out there. But I’d guess that most Unix people use Windows more than they would like to admit. Even I have an OpenBSD machine sitting beside me, but it doesn’t run everything that I need……..

