The short summary is that a Federal judge ruled that a defendant could not  be forced to reveal his encryption password due to 5th Amendment protection.

This is good news for privacy lovers out there, but I’m sure that the Govt’ will try to get this one overturned. We’ll see how it pans out.

If Window’s autorun “feature” is turned on it will still operate even if you have locked your screen. In other words it is very easy to install trojans etc. unless you turn it off.

In most cases it it best to turn your computer off when you can’t be physically present, but I admit to leaving for a while and just relying on my screen lock only.

So the moral of the story is: “Turn off autorun!” and test it to make sure it is really off.

In previous versions of DCPP, the only unencrypted data was in the boot sector: if you searched your HD for the string “DCPP” the only place you would see it would be in the boot sector. However, with the current version the boot sector code has been replaced with a “stub” that points to sections of the disk that are unencrypted and contain more boot code. Where do these come from? Well, when you install BootAuth, DCPP creates some “bootauth.sys” files in the root of C drive. The sectors that hold these files are apparently *not* encrypted. So any modifications to these files inside the OS are visible to someone examining the encrypted drive forensically and vice-versa. In practice I don’t think this is any more of a security problem than just having the boot sector unencrypted as has always been the case. However, it might be possible for an attacker to use these files to load trojans into the system. Before, someone wanting to do this had to work only with the boot sector code which doesn’t give you a lot of extra space. Now, entire files are exposed unencrypted. We’ll see how it all pans out. Incidentally, the procedure I give below for “fully hidden” DCPP installations still works fine with this version. In fact, it gets rid of the exposed files on disk since they reside in the “outer” OS.

• Actual, non password protected, bootable OS
• No trace of encryption software on the HD, including boot sectors
• Bootable only through rescue floppy/CD

Now, you can have an outer OS that can be scanned freely and should not turn up any “red flags” except random data in freespace. But, like I said, a disk wiping program can cause that. Many companies and savvy individuals are routinely wiping their HDs before getting rid of them, so this shouldn’t be that unusual.
To do this, I have used two drives: the one I am preparing and another one that contains the tools I use to prepare the first. This way, sensitive tools (Encase, WinHex, DCPP) are never present in the “fake” OS. Also, I am using DCPP 3.0. There are newer versions of DCPP, and when I get a hold of them I will try to test this procedure out and make sure it still works right.. Ready? Here goes:

1. Get your target drive and wipe it. I used Darik’s Boot and Nuke (DBAN). I had two problems with DBAN: It zeroed out the drive on it’s final pass, I wanted it to leave random-ish data. And second, it didn’t get the boot sector of the HD (first 63 sectors). The drive I used was used previously for DCPP and so, had the special boot sector. I finally just copied the boot sector from a non-encrypted computer and used that. Verify all of this with EnCase or WinHex
2. Format with FAT32 (<- Very important and we can change this for your real OS) and install Windows and all programs that you might use and that wouldn’t be suspicious. No encryption software, no security stuff, nothing like that. Just a basic Windows installation. If you want to make it look even more realistic then use the system for a couple of weeks. This will be the system that people will see when inspecting your HD.
3. Install this drive as a secondary and run a defrag. program from another drive on this one. I used O&O Defrag and was very impressed. You have to make sure that *no* data gets positioned too far down the disk: everything needs to be at the top of the drive to make the largest amount on contiguous free space possible.
4. Copy your clean boot sector with DD like this (Google “forensics acquisition tools”):
   dd ibs=512 count=63 if=\\.\\physicaldrive1 of=winbs.bin
   That reads in the first 63 blocks of 512 bytes on your hard drive and saves it in the file winbs.bin. This should be your boot sector. Verify this with Encase or WinHex. Note that you will have to do this operation as a user with Administrative access since accessing the raw disc is a protected operation on Windows.
5. On your defragmented HD find the last sector that has data on it. For a regular XP installation this should be around the 2 to 3 Gig mark. Note the sector number in Encase (If you are using WinHex make sure you don’t get this number in HEX). Add a little to it and then copy your entire “fake” os with a command like this.
   dd ibs=512 count=YOURCOUNT if=\\.\\physicaldrive1 of=origos.bin
   Where YOURCOUNT is the last block you want to copy. Don’t be afraid to give your self a little extra room when you copy. Note that this is the command line for a secondary HD, your primary should be physicaldrive0.
6. Now reboot with the drive you are preparing and install DCPP as a Hidden OS. Give yourself lots of extra space when starting your hidden OS, I did 800Megs. This way, if your real OS takes up 2.5Gigs, then your hidden OS will start at approx. the 3.3Gig point on your disk. Read DCPP’s docs on hidden OS creation but here it is in broad strokes:
   • Install DCPP on a FAT32 installation of Windows.
   • Create 2 key stores in two different files with two different keys and different passwords (real and fake)
   • Install BootAuth (the DCPP bootsector) and encrypt the drive with your fake keystore/key
   • Reboot, log into your fake keystore with DCPP and select the FAT32 drive. You will see the Hidden OS button enable, click it:
   • Give it the path to your real keystore and your real password. As I said before give yourself lots of space before the real OS start point. Also, you can tell it to use NTFS and the file system for the real OS. Click “Create Hidden OS”
   • It will create a hidden OS. After it finished reboot using your real password
   • In DCPP, log into your real keystore and select your current drive. You will have to re-encrypt at this point as the hidden OS is created unencrypted
   • Reboot and if it works, make yourself a few rescue disks as this is how you will have to boot your system when we are finished
7. Make sure you have a few good boot disks. This is how you will always have to start your real OS.
8. Reboot, using the drive used to copy the boot sectors and OS. Copy your boot sector on your DCPP drive again. You will want to save a copy of this boot sector in case you ever need it. For instance, you will have to re-install it to make more DCPP boot disks, and then re-install your “clean” boot sector.
9. Copy your clean OS back onto your DCPP drive with:
   dd ibs=512 count=YOURCOUNT of=\\.\\physicaldrive1 if=origos.bin
   Make sure YOURCOUNT is the same as before
10. Done! That was easy huh >;->

Boot your fake OS (without your boot disk) to make sure it works. However, you should try to not use it much at this point. You should have a good bit of space before you would start stomping on your hidden OS’s data but it is something you shouldn’t risk too often.
So at this point you should have what looks like normal HD, free from encryption tools or anything that would arouse suspicion, that boots without a password and can be freely inspected (though I would use a BIOS password to prevent curious people from starting your fake OS up and mucking around in it). Double check your boot sector with Encase or WinHex to make sure it contains only the Windows default boot sector. If you see the string “DCPPBOOT” or “DCPP” you aren’t completely clean. Enjoy!

EnCase, all I can say is: learn how to use this software! EnCase is probably the most popular forensics software for govt’ snoops. Knowing how to use it is knowing how the “enemy” works and thinks. Also, it will allow you to verify that the security procedures (file over-writing, free-space wiping, temp file deleting) you are taking are actually working. I’ve been surprised a couple of times when I thought that I had removed all relevant evidence from my computer only to have EnCase turn up something that I had either overlooked or did not know existed. EnCase supports FAT12, FAT16, FAT32, NTFS, HFS, HFS+, CDFS, EXT2, UFS, RAID drives, Palm PDA’s and *all* file system types in RAW mode! Still think the fact that you run NetBSD is going to throw off the snoops? Encase will let you create a boot disk that lets you do a full disk capture of a target machine over parallel or network cable without ever having to boot the hard drive. One of the things that learning to use EnCase will show you is what really comprises good security: For instance, if you’re like me you would think that renaming a file will serve to hide it’s true contents. Who would think that Metallica.wav would really be just a renamed copy of Terrorist Bomb Plans.doc? Nobody right? Wrong! EnCase has a little feature known as Signature Analysis. Basically SA will search all the files on a file system and flag every file that has an extension that doesn’t match what EnCase believes the content to be from looking at the actual file.