Posted on 05/02/2008 5:02:14 PM PDT by Dawnsblood
Last summer, Microsoft Corporation quietly introduced a powerful tool for getting past security on laptops and PCs running the Windows operating system (which about 90 percent do). The device is a USB thumb drive called COFEE (Computer Online Forensic Evidence Extractor). When you capture an enemy computer, you plug in COFEE and then use over a hundred software to quickly get whatever information is on the machine. COFEE can quickly reveal passwords, decrypt files, reveal recent Internet activity and much more. A lot of this can be done without COFEE, but with the Microsoft device, intelligence collection is a lot faster.
Microsoft has distributed thousands of COFEE devices to police and military intelligence personnel in the United States, and some foreign countries. COFEE was developed mainly to assist the investigation of Internet based crime. But military intelligence operators find it very useful in uncovering enemy plans. Islamic terrorists love their laptops, and never go killing without them.
I can only assume, but I'm most certain they boot from this device and it can target the local hard drives while the host OS is offline. Just like accessing files with a 'live CD'.
It is really quite easy to disable USB drives on a Windows machine. It's just a few registry entries, and then this device would be useless without an admin account on the target machine.
Except that the registry entries you mention are only relevant if you've booted into the OS on the machine. Devices like this, and other approaches like bootable CDs, have their own OS on them.
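As an added illustration of the two comments above (not code from the thread or from Microsoft), the following PowerShell audits and optionally enforces the USBSTOR service Start value that controls whether Windows loads its USB mass-storage driver; the function names are my own, and the comments spell out the reply's caveat that this setting governs only a booted Windows instance.

```powershell
# Added example: audit/enforce the USB mass-storage driver setting in the registry.
# Assumes Windows; run from an elevated prompt when changing the value.
# HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start:
#   3 = driver loads on demand (USB disks mount normally)
#   4 = driver disabled (USB mass-storage devices do not mount in the running OS)
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Returns the current Start value and whether USB mass storage is blocked.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        Start              = $start
        UsbStorageDisabled = ($start -eq 4)
    }
}

function Set-UsbStorageDisabled {
    # Disables (default) or re-enables (-Enable) the USB mass-storage driver,
    # then returns the resulting state so the change can be verified.
    param([switch]$Enable)
    $value = if ($Enable) { 3 } else { 4 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Get-UsbStorageState
}

function Test-UsbStorageHardening {
    # Summarises what this setting does and does not cover (the reply's point):
    # it blocks USB disks only inside the running OS. Booting the machine from
    # external media never loads this driver, so that case must be closed by the
    # firmware boot order plus a firmware password, and by full-disk encryption
    # so an offline read of the drive yields only ciphertext.
    $state = Get-UsbStorageState
    [pscustomobject]@{
        BlocksUsbDisksWhileBooted  = $state.UsbStorageDisabled
        BlocksBootFromExternalMedia = $false   # out of scope for this registry value
        Recommendation = if ($state.UsbStorageDisabled) {
            'USBSTOR disabled; still verify firmware boot order, firmware password and disk encryption.'
        } else {
            'USBSTOR enabled; run Set-UsbStorageDisabled, then verify firmware and encryption controls.'
        }
    }
}

Test-UsbStorageHardening
```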
A necessary, but not sufficient, condition to security is to control physical access to the machine.
My corporate laptop has an encrypted C: drive and has the USB port disabled.
If you got my laptop when it was booted, and put a USB stick in the port, the filesystem wouldn’t mount. You would have to type in a valid ID and password to get access through the keyboard. You get three tries before the account is locked.
If you got my laptop when it was not booted, you might be able to boot from the USB port, but then how would you read the encrypted C: drive?
“you plug in COFEE and then use over a hundred software”
I guess English isn’t this person’s first language.
This is an official corporate secure laptop.
I have no idea how secure it really is, I haven’t tried to crack it myself. I think you can get a backdoor to the encryption from the vendor.
If you got my laptop when it was not booted, you might be able to boot from the USB port, but then how would you read the encrypted C: drive?
There was a technique discovered that involves freezing the memory chips of a computer with an encrypted HD, and moving them to another computer to be analyzed. I believe they were able to recover the encryption keys stored in memory from computers that had been powered off for as long as 20 minutes.
When you encrypt the HD, the operating system has to decrypt it. In order to do that it needs the keys in working memory. RAM is technically volatile memory, but it does exhibit some persistence. Freezing the chips seems to extend that period of persistence considerably.
I believe that's where this tool from MS could be stopped.
How easy is it to break TrueCrypt encryption?
How easy is it to break the Dell - IBM/Hitachi full drive encryption without remounting the platters?
If I’m the NSA, I’d read your encrypted C drive :)
Heck, the vendor can do that. This is corporate encryption. No corporation would want to buy a product with no backdoors.
and then this device would be useless without an admin account on the target machine.
Like that's hard to get.
Well, that, and the fact that your hard drive ISN'T paper. So, you know, obviously 4A shouldn't apply. ;-)
I got to get one of those!
I don't need the USB drive to mount. I also don't need keyboard access. The tools and scripts will install the hidden Administrator accounts and backdoors in non-standard file locations without creating system log entries or otherwise alerting an Intrusion Detection System (IDS) or Systems Administrator.
The really sophisticated hacks will use pseudo-random number generators to hide the Admin accounts and backdoors in the disk free space. Of course, if you regularly wipe disk free space, you could undo my work.
If you got my laptop when it was not booted, you might be able to boot from the USB port, but then how would you read the encrypted C: drive?
Again, I don't need the machine to boot into Windows. I don't even need Windows to be running. Everything happens at the BIOS and below. I just get complete access to Windows when it is running.
You read an encrypted hard drive the same way you do forensics on any hard drive. Make an image of the disk, take it offline and use one of the many cracking programs available on the hash file.
Alternatively, leave a hidden Administrator account, a keystroke logger and a backdoor. Wait until you log in again to record and recover the password.
Your faith in commercial encryption is touching but naive. Not that encrypting data at rest is a bad idea, but there is no silver bullet solution for computer and network security.
Properly securing a network takes a combination of people, processes, and technology. When you do it, the bottom line doesn't contain too many zeros for most organizations, but too many commas.
However, to a sophisticated enough threat, if you only partially pay the bill, it's as if your network is still wide open.
I’d be interested in both of your assessments of TrueCrypt.
Much ado about nothing, but y'all can feel free to enjoy the knot in your panties.
Well, it's good to know that all passwords and everything else is wide open to anyone who logs into a Windows box, even without administrator privs. Kinda puts the "security" on said computers into perspective doesn't it?
It’s been obvious for a long time that nothing can stop the police from reading anything they please. Unless there is a real life Cryptonomicon store house somewhere.