So you thought it was enough just to encrypt your hard drive? You may have suspected that there are ways people can access an encrypted hard drive. I will explain some of the ways an adversary might gain access to an encrypted hard drive.
Bootkits:
Peter Kleissner created a bootkit that is able to log a user's password even before the operating system is loaded, similar to how a keylogger logs what you type. He demonstrated this at the Black Hat conference in 2009. He originally used code created in 1987, called the Stoned Bootkit.
This is probably the first bootkit that came to light as a threat to encrypted hard drives; after its creation many other bootkits followed, such as the Evil Maid. The Evil Maid, created by Alex Tereshkin and Joanna Rutkowska, allows an adversary to infect a computer without the operating system running: you simply plug in a USB stick and boot the computer from it.
How do you check if your computer contains a bootkit?
I have released a script that checks the integrity of your MBR (master boot record). One thing bootkits seem to have in common is that they alter the MBR. The script creates a SHA512 checksum of the MBR and compares it with the checksum of the MBR that you created when you first ran the script. If the checksums do not match, there is a high probability that your computer is infected with a bootkit.
TrueCrypt and Discryptor both have a Rescue CD that lets you put back the original MBR that was created when you first encrypted your hard drive. However, these Rescue CDs will not tell you whether your MBR has been altered; the scripts I have created will.
You can download these scripts here:
Script 1 (init.sh)
Script 2 (csum.sh)
Place these scripts in the root directory of a storage medium such as a USB flash drive.
You will also need the System Rescue CD software to run these scripts.
You can download the System Rescue CD here:
Click Here
How do you copy the System Rescue CD image to a CD?
1. Open Magic ISO and click "Try it".
2. Browse to and select the System Rescue CD image.
3. Insert a CD into the CD drive.
4. Click "Burn it!".
How do you copy the System Rescue CD to a USB stick?
Click Here
How do you use these scripts?
1. Insert the System Rescue CD into your CD drive and reboot.
2. Press enter when prompted to boot the disk, then press enter again to select the default keyboard.
(Note: You may have to change the boot priority in the BIOS in order to boot from a CD.)
3. Type startx and press enter; you will see a Linux desktop (it may take a while to load).
(Note: This step is not really needed unless you want to get the hard drive location from GParted.)
4. Mount the drive that contains the scripts. To determine which drive contains the scripts, open GParted (found on the taskbar) or type fdisk -l, and look for the device whose size matches your storage medium. In the commands below, replace /dev/sdb with the device for your storage medium (a partition normally shows up as /dev/sdb1 rather than the whole disk /dev/sdb).
If the partition is NTFS, type:
ntfs-3g /dev/sdb /mnt/windows
If the partition is FAT, type:
mount /dev/sdb /mnt/windows
To get into the root directory of your storage medium, type:
cd /mnt/windows
5. You may want to edit the options found in the scripts by typing:
nano init.sh
and
nano csum.sh
For csum.sh you will need to set this option to the location of the encrypted hard drive:
hdcheck="/dev/sda"
(Again, you can find this with GParted or by typing fdisk -l.)
Press ctrl+x when you are done editing, then type y and press enter to save the changes.
6. For extra security the script places the MBR checksum file inside an encrypted file. To create the encrypted file, type:
./init.sh -c
Follow the prompts.
7. Now, whenever you want to check the integrity of your MBR, type:
./init.sh
You will be prompted for the password you entered when you first created the encrypted file.
Note:
Once you have set up the encrypted file, csum.sh is stored inside it. To edit that copy, type:
./init.sh -e
Press ctrl+x when you are done editing, then type y and press enter to save the changes.
It is a good idea to delete csum.sh from the directory where you placed init.sh, as it is no longer needed unless you want to create another encrypted file.
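As an added illustration of what the checksum comparison described above actually does, and of the init/check steps you would run from the rescue shell, here is a small POSIX shell script written for this post. It is not the author's init.sh or csum.sh (those are available from the links above) and it leaves out their encrypted-file wrapper: the baseline is written as a plain file next to the script. It assumes dd and sha512sum are available (both are on System Rescue CD), uses the hypothetical names mbrcheck.sh, mbr_checksum, mbr_baseline_init and mbr_check, and defaults to /dev/sda as the device to check, which you would replace exactly as in step 5.

```shell
#!/bin/sh
# Added example (not the author's init.sh/csum.sh): record and verify the
# SHA512 checksum of a disk's MBR, i.e. the first 512 bytes of the device.
# Assumes POSIX sh, dd and sha512sum (all present on System Rescue CD).

# Print the SHA512 hex digest of the first 512 bytes of a device or image file.
mbr_checksum() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha512sum | cut -d' ' -f1
}

# Record the current MBR checksum as the baseline (run once, on a known-clean system).
mbr_baseline_init() {
    mbr_checksum "$1" > "$2"
}

# Compare the current MBR checksum with the stored baseline.
# Returns 0 on match, 1 on mismatch (possible bootkit), 2 if no baseline exists yet.
mbr_check() {
    dev="$1"
    baseline="$2"
    [ -f "$baseline" ] || { echo "no baseline at $baseline; run init first" >&2; return 2; }
    current="$(mbr_checksum "$dev")"
    stored="$(cat "$baseline")"
    if [ "$current" = "$stored" ]; then
        echo "OK: MBR of $dev matches the baseline"
        return 0
    fi
    echo "WARNING: MBR of $dev does NOT match the baseline" >&2
    echo "  baseline: $stored" >&2
    echo "  current:  $current" >&2
    return 1
}

# Command-line entry point: mbrcheck.sh init|check [device] [baseline-file]
# (hypothetical script name). It only runs when arguments are given, so the
# functions above can also be sourced from another script.
main() {
    cmd="$1"
    dev="${2:-/dev/sda}"              # replace /dev/sda with your encrypted drive
    baseline="${3:-./mbr.sha512}"     # baseline kept next to the script on the USB stick
    case "$cmd" in
        init)  mbr_baseline_init "$dev" "$baseline" && echo "baseline written to $baseline" ;;
        check) mbr_check "$dev" "$baseline" ;;
        *)     echo "usage: $0 init|check [device] [baseline-file]" >&2; return 64 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Only the first sector is hashed, so a change anywhere else on the disk (including the encrypted volume itself, which changes constantly) does not trigger a warning, while a single altered byte inside the MBR does. Like the author's script, this needs to be run from a clean boot medium; a bootkit that is already running could lie to a checker run from the infected system.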
Memory Dumps
Windows likes to create memory dumps when your system crashes and send them back to headquarters, where they sell them on the black market to the highest bidder, who will use them to extract your password. All jokes aside, it is a good idea to stop Windows from creating memory dumps, or at LEAST turn off Windows Error Reporting so they won't have a copy of your memory dumps.
How to stop Windows from creating memory dumps:
1. Click Start.
2. Click Run.
(This can be found under All Programs => Accessories, or just type run in the search field.)
3. Type regedit and press enter.
4. Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
and change the value CrashDumpEnabled to 0.
Software updates and protecting against viruses
The best way to protect your encrypted hard drive is to protect your computer from malware such as viruses and trojans. You can do this by regularly updating your operating system and the applications you use frequently, such as your web browser. If you have Firefox installed I highly recommend installing the Adblock Plus plugin; believe me, this plugin does wonders. I advise using Internet Explorer only when it is completely necessary. I am not being biased, but facts speak louder than my opinion, and Internet Explorer is just not secure. Most importantly, always update the virus definitions for all your anti-virus software.
I leave you with this article from the Discryptor website, which goes over ways people can access your encrypted hard drive. It is a MUST read for anyone who has encrypted their hard drive or is considering it:
Discryptor Cryptographic Attacks link