Tuesday, April 2, 2013

Mac vs Windows Encryption 101

Introduction: This post will be a basic introduction to the common encryption formats used on Mac and Windows operating systems. Defeating drive encryption is an extensive struggle that should be analyzed in depth when studying Memory Forensics.

Windows

BitLocker
  • Is a full volume encryption feature from Vista to Win7, and now Win8 as well.
    • A volume may or may not be the entire disk.
    • There are also server editions.
    • In Win7 you can also encrypt USB drives (BitLocker To Go).
  • Encrypts all personal and system files on the operating system drive.
    • Unlike EFS which doesn't encrypt the entire contents of the drive.
  • BitLocker encrypts the full drive regardless of which users are assigned to the computer.
  • According to Microsoft sources, Bitlocker does not contain an intentionally built-in backdoor.
  • It uses a Trusted Platform Module (TPM), a special microchip in many computers that supports these security features. Some TPM modes:
    • TPM + PIN: the user provides authentication at pre-boot.
    • TPM + PIN + USB key: must be supported by the user's BIOS first.
    • Both of these methods are vulnerable to a bootkit.
  • You must have administrative privileges in Windows to turn BL on or off.
    • This can be considered a deterrent for users who may find BL difficult to use.
  • In order for BitLocker to work on a Windows OS, you'll need the following:
    • Two NTFS partitions (one for the operating system, and another from which the operating system boots).
      • BL requires the boot volume to remain unencrypted and assigned a drive letter like C:
        • Win7 creates this secondary boot volume by default.
    • The BIOS is configured so that the hard drive boots first, before the CD/DVD drive is checked.
  • When the system is booted, the integrity of the OS and hardware is verified.
Methods of encryption:
  • BL uses the Advanced Encryption Standard (AES) and can be configured to use one of four encryption methods.
    • AES-CBC
    • AES-CBC with Elephant Diffuser
    • AES-CCM
    • The default mode is 128-bit AES with the diffuser enabled.
    • This of course goes into the fine details of cryptography (which I will not be attempting to discuss in this blog).
Keys used in BitLocker:
  • Volume Master Key (VMK): 256 bits in size, stored encrypted with either a recovery key, an external key, or the TPM.
    • A malicious boot loader can decrypt its way to the VMK, which would then allow it to decrypt or modify any of the information.
  • Commands to encrypt or decrypt come from the Full Volume Encryption Key (FVEK), 512 bits in size.
    • There are keys that are encrypted to protect still more keys.
    • These keys are located within the TPM chip on the computer's motherboard.
    • BitLocker keys are 64 bytes in length.
  • Recovery key: an external key on a USB drive. There is also the Recovery Password, from which the recovery key itself is derived.
  • Volume header: similar to an NTFS volume header, but BitLocker's carries the signature -FVE-FS-.
    • Some differences from an NTFS header include BL metadata. I didn't recognize anything I could add as significant.
  • As a forensic analyst, it is imperative to recognize the level of encryption on a drive, since without doing so BitLocker will make drive analysis infeasible.
  • A quick look at each volume's primary volume boot sector (offset 3 within it) can reveal whether the volume is encrypted with BitLocker.
  • Where you would usually see NTFS at offset 3, you'll see -FVE-FS- (\x2d\x46\x56\x45\x2d\x46\x53\x2d) instead, indicating that the volume is encrypted by BL full disk encryption.
    • A tool to display the status of a BL volume: Manage-bde.exe
    • It is included in Win7 and located in %systemdrive%\Windows\system32.
    • In Vista the drive may need to be prepared with the BitLocker Drive Preparation Tool first (which creates a list of parameters to be run).
    • If the tool is run on a live machine and returns no results in CMD, it may be safe to say that BL is not enabled.
    • From a privileged CMD, run cscript manage-bde.wsf -protectors -get c: -rp to unlock BitLocker.
      • This script is supposed to give access to the Recovery Password.
    • This process is put into action here: http://www.forensicfocus.com/Content/pid=360/page=4/ When working with a Windows Live CD, you're going to want scripts to run when analyzing a machine.
    • After that, a dd command will let you image the drive, but the data will still be encrypted, since all you have is the recovery password (the logical level is decrypted, but the physical level is not).
    • I myself have not tried to run a Live CD against a BL fully encrypted drive.
  • BitLocker keys (64 bytes) are held in memory while the system is up and running.
  • There are laws in the UK that make it mandatory for a system's owner to hand over keys if they are a suspect in a legal case. Currently there are no known laws like this in the US.
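The boot-sector check described above, written out as a small triage script. This is an added example, not code from the original post: it walks the four primary MBR partition entries of a raw disk image, reads each partition's first sector, and classifies it by the OEM ID at byte offset 3 (NTFS vs. -FVE-FS-). The disk image is constructed inline (a two-partition layout with an unencrypted boot volume and a BitLocker OS volume), so it runs offline; GPT-partitioned disks are not handled.

```python
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "       # OEM ID at byte offset 3 of a plain NTFS boot sector
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID at byte offset 3 of a BitLocker volume header


def classify_boot_sector(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs' or 'unknown' for one volume boot sector."""
    if len(sector) < 11:
        return "unknown"
    oem = sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def mbr_partitions(mbr: bytes):
    """Yield (start_lba, sector_count, type_byte) for each used primary MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count != 0:
            yield start_lba, count, ptype


def scan_image(image: bytes) -> dict:
    """Map each partition's start LBA to the classification of its boot sector."""
    result = {}
    for start_lba, _count, _ptype in mbr_partitions(image[:SECTOR]):
        offset = start_lba * SECTOR
        result[start_lba] = classify_boot_sector(image[offset:offset + SECTOR])
    return result


# --- constructed sample image (not a real capture): a two-partition MBR disk ---

def make_boot_sector(oem: bytes) -> bytes:
    """Build a minimal boot sector: jump stub, OEM ID at offset 3, 0x55AA at the end."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x52\x90"
    sec[3:11] = oem
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def make_mbr(entries) -> bytes:
    """Build an MBR whose partition entries are (start_lba, sector_count) pairs."""
    mbr = bytearray(SECTOR)
    for i, (start_lba, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off + 4] = 0x07  # type 0x07: NTFS; a BitLocker volume keeps the same type byte
        mbr[off + 8:off + 16] = struct.pack("<II", start_lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


SAMPLE_IMAGE = (
    make_mbr([(2, 2), (4, 2)])
    + bytes(SECTOR)                                    # LBA 1: unused gap
    + make_boot_sector(NTFS_OEM) + bytes(SECTOR)       # LBA 2-3: unencrypted boot volume
    + make_boot_sector(BITLOCKER_OEM) + bytes(SECTOR)  # LBA 4-5: BitLocker OS volume
)

if __name__ == "__main__":
    for lba, kind in scan_image(SAMPLE_IMAGE).items():
        print(f"partition starting at LBA {lba}: {kind}")
```

Against a real dd image you would replace SAMPLE_IMAGE with the file's bytes (reading only the MBR and each partition's first sector rather than the whole file); an "unknown" result means the volume is neither plain NTFS nor BitLocker by this signature, not that it is unencrypted.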
Mac OS X 
FileVault 1

  • In Leopard and Snow Leopard, FileVault is built into the operating system, encrypts the user's home directory using the login password, and comes standard with every distribution of Mac OS X.
    • Given this more convenient method of encryption, it is more likely that a Mac will be using encryption than a Windows machine.
    • Setup is easier and, similar to EFS, FV works per user instead of offering only full-drive encryption.
      • This means encryption applies to users' home directories instead of the startup volume.
      • Each user's home folder is encrypted as one large volume file, and each user account is isolated from the others.
        • Can be 20 GB in size.
      • FV creates a secure home folder by creating either a sparseimage or a sparsebundle (which can function like a disk itself). These are simply disk images (DMG) of the kind used for recovery or backup.
        • When an individual is motivated to wipe their drive, they will want to make sure this file is no longer accessible.
        • The sparsebundle applies AES-128 encryption when a new file is added to a user's home folder (this only applies if the user has activated FileVault).
  • There are a few sets of keys to be aware of in FV:
    • The master key gives root access.
    • The user password gives access to the account. If a user password is forgotten, the master password or recovery key may be used to bypass it.
    • Recovery Password.
    • A Master password is created when FV is enabled.
    • A Master password is not to be confused with a "root password". 
  • When FV is used on a Mac, it works together with other utilities on the computer.
    • Such as Time Machine and the secure erase option.
  • File sharing is disabled when FV is in use.
  • FileVault is off by default (unlike with BitLocker).
  • It is not a full disk encryption utility. 
  • Uses AES 128-bit encryption.  
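A triage check for the FileVault 1 layout described above, added here as an example and not code from the original post: given a /Users directory, it reports which accounts keep their home folder inside a <user>.sparsebundle (a directory of band files) or a <user>.sparseimage (a single file), and which homes are stored in the clear. The directory tree it runs against is constructed in a temporary folder, so nothing here touches a real system.

```python
import os
import tempfile


def find_filevault1_homes(users_dir: str) -> dict:
    """Map each account folder under users_dir to the path of its FileVault 1
    container (<user>/<user>.sparsebundle or <user>.sparseimage), or None
    when the home folder is stored in the clear."""
    found = {}
    for user in sorted(os.listdir(users_dir)):
        home = os.path.join(users_dir, user)
        if not os.path.isdir(home):
            continue  # skip stray files such as .localized
        found[user] = None
        bundle = os.path.join(home, user + ".sparsebundle")
        image = os.path.join(home, user + ".sparseimage")
        # A sparsebundle is a directory holding a "bands" folder; a sparseimage is one file.
        if os.path.isdir(os.path.join(bundle, "bands")):
            found[user] = bundle
        elif os.path.isfile(image):
            found[user] = image
    return found


def build_sample_users_dir(root: str) -> str:
    """Constructed sample tree (not from a real Mac): one sparsebundle home,
    one sparseimage home, one unencrypted home and a stray file."""
    users = os.path.join(root, "Users")
    alice = os.path.join(users, "alice", "alice.sparsebundle")
    os.makedirs(os.path.join(alice, "bands"))
    open(os.path.join(alice, "Info.plist"), "w").close()
    os.makedirs(os.path.join(users, "bob", "Documents"))
    os.makedirs(os.path.join(users, "carol"))
    open(os.path.join(users, "carol", "carol.sparseimage"), "wb").close()
    open(os.path.join(users, ".localized"), "w").close()
    return users


def demo() -> dict:
    """Run the finder over the constructed tree; return container basenames per user."""
    with tempfile.TemporaryDirectory() as tmp:
        users = build_sample_users_dir(tmp)
        result = find_filevault1_homes(users)
    return {u: (os.path.basename(p) if p else None) for u, p in result.items()}


if __name__ == "__main__":
    for user, container in demo().items():
        print(f"{user}: {container or 'home folder not FileVault 1 encrypted'}")
```

On an evidence drive you would point find_filevault1_homes at the mounted volume's Users folder; the container paths it returns are the files to preserve, since the home folder's contents only exist inside them.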
FileVault 2 
  • However, in OS X Lion, FileVault 2 is a newer design that encrypts the entire startup volume (which includes the home directory), though still not the whole disk, since the operating system is booted from a separate volume.
    • Apple has referred to this link between the volume and the OS as the CoreStorage manager.
    • Here is an idea of how CoreStorage organizes volumes:
http://afp548.com/wordpress/wp-content/uploads/2012/06/Fig-5-CoreStorage_Conceptual.jpg 
  • When the authorized user's information is encrypted, it is booted separately from a non-encrypted boot volume (similar to BitLocker).
  • The EncryptedRoot.plist.wipekey file contains all the information needed to extract the volume master key from the user's password or recovery token.
    • The encryption key is easily available in the header of the CoreStorage volume.
      • The header also contains the size of the entire volume.
      • (I won't be getting into the value of plists in this blog.)
  • Instead of using FV 2 to encrypt a user's home directory, a user can use Disk Utility (diskutil list) to create an encrypted disk image themselves and store any subset of their home directory in it. This encrypted image behaves similarly to an FV-encrypted home directory, but is under the user's own maintenance.
Concluding pointers
  • When comparing BitLocker and FileVault in terms of effectiveness, resistance to brute-force attacks and encryption protection, the winner seems to be BitLocker.
  • A rule of encryption dictates that, to have complete security for your files, you must implement full-drive encryption instead of encrypting single volumes and folders. If an attacker is able to gain access to your partially accessible account, it makes his job easier.
  • This can be a downfall for FV, because hackers can boot up a machine with FV enabled. Even though FV keeps them out of your home directory files, they still have an upper hand when allowed to boot into your account.
  • BL encrypting the entire operating system is definitely a major positive.
  • But since FV is more convenient for the user, encrypting on the fly will deter hackers who are constrained by time.