Tag Archives: computer forensics

Review: Full disk encryption DiskCryptor v0.7.435.90

Most of you will have heard of Truecrypt, a free and open source hard disk encryption product. The only other free and open source software for full disk encryption in Windows that I am aware of is DiskCryptor. You can download a 32bit or 64bit version of DiskCryptor depending on your OS.

I tested DiskCryptor by using it for full disk encryption of my netbook, an Asus PC901 with a 12GB HDD split across two solid state disks of 8GB and 4GB. DiskCryptor is an ideal alternative for encrypting a netbook because netbooks do not have a CD drive and Truecrypt forces you to burn a CD before it will let you use system encryption, whereas DiskCryptor does not.

DiskCryptor cascade algorithms

The first thing that impressed me about DiskCryptor is how small it is, a little over 500KB, but this comes at a price: the manual is not bundled with the software and you get a link to their website instead.

I was pleased to see DiskCryptor offering a wide choice of encryption algorithms: AES-256, Twofish and Serpent in XTS mode, all of which seem to be pretty sound algorithms to me, and they can be used in cascade mode as well. VIA PadLock hardware acceleration for encryption and hashing is supported too.

The built-in benchmark shows the top speed at which each cryptographic algorithm can perform, but I have to tell you that even on a netbook with a single core Intel Atom processor, regardless of the encryption algorithm used, I noticed no performance difference while using the netbook.

DiskCryptor encryption of partition

DiskCryptor allows wiping while encrypting, with three, seven or thirty five passes (Gutmann method), but wiping a solid state disk like the one in the Asus Eee PC901 is not safe: solid state disks, like thumb drives, use wear levelling, so the wiping passes are spread evenly across the disk instead of hitting the same sectors each time. If you are using a solid state disk, make sure it does not contain any confidential data that an electron microscope could recover (very expensive to do right now); the only way to be sure of this is to use a new disk, since wiping may fail to sanitize the disk.
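To make the wear-levelling point concrete, here is an added Python simulation (my own illustration, not DiskCryptor or Eraser code) of a toy flash translation layer: every write of a logical sector lands on a fresh physical page and the old page is only marked stale, so the overwrite passes of a wipe land on different pages while the original data stays readable until the controller's garbage collection erases it. The in-place disk model next to it shows why the same passes do work on a magnetic drive. The page counts, the secret and the wipe pattern are constructed for the example.

```python
"""Toy flash translation layer showing why overwrite passes do not
reliably sanitize a wear-levelled solid state disk (constructed model,
not DiskCryptor or Eraser code)."""

SECRET = b"confidential"      # constructed data we want gone
WIPE_PATTERN = b"\x00" * 12   # what one wipe pass writes in its place


class InPlaceDisk:
    """Magnetic disk model: a logical sector always maps to the same
    physical location, so an overwrite replaces the old bytes."""

    def __init__(self, sectors):
        self.sectors = [None] * sectors

    def write(self, lsn, data):
        self.sectors[lsn] = data

    def physical_copies(self, data):
        return sum(1 for s in self.sectors if s == data)


class WearLevelledFlash:
    """Flash model: every write of a logical sector is directed to a fresh
    erased page; the page it replaces is only marked stale and keeps its
    bytes until garbage collection erases it."""

    def __init__(self, pages):
        self.pages = [None] * pages    # None means erased
        self.stale = set()             # pages holding superseded data
        self.mapping = {}              # logical sector -> physical page
        self.gc_runs = 0

    def _erased_page(self):
        for p, content in enumerate(self.pages):
            if content is None:
                return p
        return None

    def _garbage_collect(self):
        # Real FTLs erase whole blocks, keep spare area and decide when to
        # collect on their own; erasing every stale page at once is the
        # most wipe-friendly assumption this model can make.
        for p in self.stale:
            self.pages[p] = None
        self.stale.clear()
        self.gc_runs += 1

    def write(self, lsn, data):
        page = self._erased_page()
        if page is None:
            self._garbage_collect()
            page = self._erased_page()
        if page is None:
            raise RuntimeError("device full of live data")
        if lsn in self.mapping:
            self.stale.add(self.mapping[lsn])
        self.pages[page] = data
        self.mapping[lsn] = page

    def physical_copies(self, data):
        return sum(1 for c in self.pages if c == data)


def wipe_and_count(device, passes, lsn=0):
    """Store SECRET in one logical sector, overwrite it `passes` times and
    report how many physical copies of SECRET a chip-level read would find."""
    device.write(lsn, SECRET)
    for _ in range(passes):
        device.write(lsn, WIPE_PATTERN)
    return device.physical_copies(SECRET)


if __name__ == "__main__":
    print("HDD, 1 pass:", wipe_and_count(InPlaceDisk(8), 1), "copy left")
    print("SSD, 35 passes, 64 pages:", wipe_and_count(WearLevelledFlash(64), 35), "copy left")
    print("SSD, 35 passes, 16 pages:", wipe_and_count(WearLevelledFlash(16), 35), "copy left")
```

With 64 physical pages the 35 Gutmann passes all land on fresh pages and the secret is still sitting on page 0; it only disappears when the free pool runs dry and garbage collection happens to erase that page. A real controller keeps an over-provisioned spare area, erases at block granularity and remaps pages without the host ever seeing them, so the number of passes gives no guarantee at all, which is why the advice above to start from a disk that never held the plaintext is the sound one.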

With DiskCryptor you can also encrypt an ISO file and then burn it to CD-R/DVD/BD-R; after that you will only be able to mount the image with DiskCryptor and the correct password/keyfile.

You can also set up a hot key to cause a blue screen of death. If you need to urgently shut down your computer when someone busts into your home unexpectedly, this seems the way to go, as it is quicker than clicking on the power off button.

The Good Stuff

DiskCryptor works with RAID volumes, you get a wide choice of algorithms, it is easy to use and, unlike Truecrypt, it works on netbooks out of the box. DiskCryptor is open source, so you can check for backdoors if you have the skills.

The software does not cost you any money and you can customize the boot loader widely; DiskCryptor boot loader customization is far better than Truecrypt's. You can choose to install the bootloader on a CD/DVD, set up timeouts, choose between a QWERTY and a DVORAK keyboard layout, and there is also a BartPE (Windows live CD) plugin for DiskCryptor.

The Bad Stuff

DiskCryptor should include some basic documentation at the very least; the GUI is easy to use and intuitive, but encryption products need to come with instructions, and a newbie could easily feel overwhelmed. DiskCryptor is only available for Windows, and there is no choice of hashing algorithm other than the default SHA-512.

There is also no choice of burning a recovery CD in case the boot loader gets corrupted (although you can backup the headers).

DiskCryptor password enter box

Conclusion

DiskCryptor is an excellent free and open source full disk encryption alternative to Truecrypt, with a wide choice of encryption algorithms and easy to use, but they need to improve their poor documentation.

Their FAQ states that they are planning to implement a hidden OS in future versions. I think DiskCryptor looks promising and Truecrypt has a worthy competitor.

http://www.diskcryptor.net

Video: Crash course in full disk encryption

This video is a talk held in December 2008 at the 25th Chaos Communication Congress, under the title Nothing to hide.

It is a crash course in full disk encryption concepts, products and implementation aspects. An overview of both commercial and open-source offerings for Windows, Linux, and MacOS X is given. A programmer's look at the open-source solutions concludes the presentation.

If you are not encrypting your whole hard disk, remember that opening and viewing files will leave recoverable traces in your operating system. If you care about privacy you should be using full disk encryption; Truecrypt is the way to go in Windows.

Click this link to download the crash course in full disk encryption papers.

I would say this is a video for intermediate/advanced computer users.

Video: Computer Forensic & Investigation

A computer forensics professional explains the basics of computer forensics, how data is recovered from people’s computers and what challenges they face.

This is only an introduction to what a computer forensics expert does, recommended for beginners.

Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

These are high level antiforensic tools, not to be used by little girls; you will need a good understanding of computers to know what you are doing:

1- Timestomp – First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.

2- Slacker – First ever tool that allows you to hide files within the slack space of the NTFS file system.

3- Sam Juicer – A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk.

These are not new tools, they have been around for a couple of years already and they are still as useful as when they came out. You can download them at the Metasploit website, a highly recommended place for all those interested in antiforensics.
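From the investigator's side, the four timestamps Timestomp rewrites live in the $STANDARD_INFORMATION attribute; NTFS keeps a second copy in $FILE_NAME that is written by the kernel and is not reachable through the file API, and a time typed into a tool as whole seconds leaves the sub-second part of the FILETIME zero. The Python below is an added illustration of both heuristics (my own code, not part of the Metasploit project); the MFT records it scans are constructed inline, and in real use they would come from an $MFT parser.

```python
"""Heuristic checks for tampered NTFS timestamps (constructed example).
Each record carries the four timestamps from $STANDARD_INFORMATION ($SI)
and $FILE_NAME ($FN) as FILETIME integers: 100-nanosecond ticks since
1601-01-01 UTC, which is how they are stored in the $MFT."""

from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")


def to_filetime(dt, ticks=0):
    """Aware datetime plus extra sub-second ticks -> FILETIME integer."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND + ticks


def stamps(dt, ticks):
    """Build the four timestamps one minute apart, all sharing `ticks`."""
    return {f: to_filetime(dt + timedelta(minutes=i), ticks)
            for i, f in enumerate(FIELDS)}


def analyze(record):
    """Return the list of anomalies found in one MFT record."""
    si, fn = record["si"], record["fn"]
    findings = []
    # Heuristic 1: a tool fed a human-typed time writes whole seconds, so
    # the low seven digits of every $SI value are zero; timestamps written
    # by the kernel during normal I/O nearly always carry sub-second ticks.
    if all(si[f] % TICKS_PER_SECOND == 0 for f in FIELDS):
        findings.append("all $SI timestamps have zero sub-second part")
    # Heuristic 2: the $FN creation time is set by the kernel and cannot be
    # changed through SetFileTime, so a $SI creation time earlier than the
    # $FN one means the file was backdated after it received its name.
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created (backdated)")
    return findings


def scan(records):
    """Map each file name to its anomaly list, omitting clean files."""
    result = {}
    for r in records:
        issues = analyze(r)
        if issues:
            result[r["name"]] = issues
    return result


T0 = datetime(2009, 3, 10, 14, 5, 7, tzinfo=timezone.utc)
BACKDATE = datetime(1999, 12, 31, tzinfo=timezone.utc)

# Constructed sample records: a normal file, a backdated one with whole-
# second times, and a file whose times are whole seconds but consistent
# (as happens with files copied from a FAT volume), to show a false positive.
RECORDS = [
    {"name": "report.docx", "si": stamps(T0, 1234567), "fn": stamps(T0, 1234567)},
    {"name": "notes.txt", "si": stamps(BACKDATE, 0), "fn": stamps(T0, 4450011)},
    {"name": "photo.jpg", "si": stamps(T0, 0), "fn": stamps(T0, 0)},
]

if __name__ == "__main__":
    for name, issues in scan(RECORDS).items():
        print(name, "->", "; ".join(issues))
```

Both checks are leads for a human to follow rather than proof: $FN is refreshed from $SI whenever a file is renamed or moved, and files copied in from a FAT volume legitimately carry whole-second times, which is exactly why photo.jpg in the sample trips the first check but not the second.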

The next time your laptop gets seized at the border because the Customs Officer did not get his usual bribe, or got pissed off that your wife's hooters are bigger than those of the dwarfed and rusty piece of flesh he calls a wife at home, make sure the corrupt officers get to confiscate a fully encrypted laptop and an UNENCRYPTED thumbdrive with all file timestamps changed to 20th April, 1889, a date they will be familiar with, as that is when Hitler was born.

http://www.metasploit.net/research/projects/antiforensics/

Video: Using eraser to delete files for good

This is mainly a video for beginners, just a short introduction on why you should use a secure data wiper to delete files on your computer.

A computer user shows you on screen how to use Eraser to safely wipe documents and make them vanish for good.

Eraser is one of my favourite tools to destroy data; it is free and open source.

http://sourceforge.net/projects/eraser/

Interview with a computer forensics expert

I thought this was a cool interview. If you already know about computer forensics you may find you will not learn anything new here, but I really recommend the interview to beginners who have no clue what a computer forensics expert does.

One day it may be one of the bad guys who takes your computer away; you had better know what they do before your private computer life becomes an open book. You may also want to look at the other posts I have tagged with computer forensics.

Video: LayerOne 2006 – Paul Henry – Anti-Forensics

Paul Henry is a VP at Secure Computing. In this video he discusses computer forensics and the methods people use to circumvent forensic techniques. Notice this video is nearly 1 hour long!