[Dataloss] (article) "We recovered the laptop!" ... so what?

[Bob Dehnhardt]

>From what I understand, BitLocker requires special hardware - either a
Trusted Platform Module on the motherboard, or a special USB device
plugged in to the system. It also requires a compliant BIOS. None of
these are particularly widespread at the moment, so I don't think
BitLocker will be in common use any time soon.

I think encryption is the second best method of protecting sensitive
info on laptops (the best is to not put it there in the first place, but
that battle was lost before it began). But if I've got your system, odds
are I also have the key (EFS stores it on the system drive, BitLocker
uses the on-board TPM or USB dongle, which would most likely be kept
with the laptop). In that case, any encryption will fail given
sufficient time.

And encryption does not prevent the taking of a bit-level backup or
image of the drive. That's a key tool for the attacker. Once that's been
done, that can freely attack the system with whatever tools they like,
knowing that they can always restore it to a pristine condition if
things get too heavily munged. And running "strings" on a drive image is
a great way of generating a system-specific word list for dictionary
password attacks....

 - Bob

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Herve Roggero
Sent: Monday, February 12, 2007 5:54 AM
To: Max Hozven; sawaba; blitz
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so
what?

Hi everyone

This thead is very interesting. All techniques so far deal with reading
data at a low level. Will Windows Vista prevent techniques such as
Symantec Ghost? I understand that Vista performs bit-level encryption
with its BitLocker technology.

Thanks.

Herve Roggero
Managing Partner
Pyn Logic LLC
Visit www.pynlogic.com