Coastal Pet Products, Inc., profile picture
Uploaded byCoastal Pet Products, Inc.
PPT, PDF5,170 views

Attacking and Defending Full Disk Encryption

One of your company's laptops was just stolen.  You know that there was sensitive information on the machine.  You also know that full disk encryption was deployed.  Is your data safe?  Can you prove it? Many organizations are flocking to full disk encryption as a solution to their data security requirements.  Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets.  All too often, these systems are neither properly configured nor adequately tested. In this talk, Tom will analyze the challenges associated with both attacking and defending systems protected with full disk encryption.  Many of the examples provided will draw from Tom's personal experience, including a case where a fully encrypted and powered down system was able to be fully compromised as part of a penetration test.

Embed presentation

Downloaded 29 times
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption
Attacking and Defending Full Disk Encryption

More Related Content

PDF
Attacking Windows Authentication and BitLocker Full Disk Encryption
byIan Haken
 
PPT
Competitive Cyber Security
byCoastal Pet Products, Inc.
 
PDF
Defense in Depth – Your Security Castle
byCoastal Pet Products, Inc.
 
PPT
IT Security in 2014
byCoastal Pet Products, Inc.
 
PPT
Printer Security
byCoastal Pet Products, Inc.
 
PPT
Domain Name System
byCoastal Pet Products, Inc.
 
PPT
Using Big Data for Security Alerting
byCoastal Pet Products, Inc.
 
PPT
SNMP & The Dark Side of the Force
byCoastal Pet Products, Inc.
 
Attacking Windows Authentication and BitLocker Full Disk Encryption
byIan Haken
 
Competitive Cyber Security
byCoastal Pet Products, Inc.
 
Defense in Depth – Your Security Castle
byCoastal Pet Products, Inc.
 
IT Security in 2014
byCoastal Pet Products, Inc.
 
Printer Security
byCoastal Pet Products, Inc.
 
Domain Name System
byCoastal Pet Products, Inc.
 
Using Big Data for Security Alerting
byCoastal Pet Products, Inc.
 
SNMP & The Dark Side of the Force
byCoastal Pet Products, Inc.
 

More from Coastal Pet Products, Inc.

PPT
Sounds of Security
byCoastal Pet Products, Inc.
 
PPTX
Beyond The Splunk App for Enterprise Security
byCoastal Pet Products, Inc.
 
PPT
Encryption for Everyone
byCoastal Pet Products, Inc.
 
PPT
Forensics for the Defense
byCoastal Pet Products, Inc.
 
PPT
Big Data, Security Intelligence, (And Why I Hate This Title)
byCoastal Pet Products, Inc.
 
KEY
Cloud Security: Ten Things
byCoastal Pet Products, Inc.
 
Sounds of Security
byCoastal Pet Products, Inc.
 
Beyond The Splunk App for Enterprise Security
byCoastal Pet Products, Inc.
 
Encryption for Everyone
byCoastal Pet Products, Inc.
 
Forensics for the Defense
byCoastal Pet Products, Inc.
 
Big Data, Security Intelligence, (And Why I Hate This Title)
byCoastal Pet Products, Inc.
 
Cloud Security: Ten Things
byCoastal Pet Products, Inc.
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 

Editor's Notes

  • #4 Questions: How many of you use laptops? FDE on Company Machines (laptops/desktops) FDE on personal laptops FDE on Desktops? Servers? (would expect less)
  • #8 Adds another layer of complexity for investigators, can often foil attempts
  • #9 "Dead" analysis: Drive image, Searching for deleted and hidden files, Evidence must never change New technologies making this more challenging - Full disk encryption/hardware encryption, Solid State Drives
  • #10 Memory analysis - becoming increasingly important Capturing this evidence often requires modifying evidence - capture tools need to access/write to memory Some evidence may only exist in memory
  • #11 -Checkbox - trust but verify -Simulate an actual attack - Zero-knowledge attacks -Identify shortcomings before they become problems
  • #12 -Checkbox - trust but verify -Simulate an actual attack - Zero-knowledge attacks -Identify shortcomings before they become problems If system was stolen, can you say with confidence that the data is safe?
  • #14 -XKCD comic: million-dollar supercomputer cluster to break encryption or $5 wrench to convince someone to give up their password
  • #15 Example of actual forensic penetration test for client Next slide --- Setting the scene: Company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
  • #16 Setting the scene: Company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
  • #17 Zero knowledge attack - identical to a real attack Authenticated testing - allows for testing specific scenarios
  • #18 Laptop was fully encrypted Administrator confident no information could be retrieved or leaked
  • #19 Full disk images - physical and digital Write blocker used, system never booted using original disk (critical step!) - Scratch disk could be restored, no evidence of attack Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption Solution
  • #20 Grace period - window of time where system was allowed to boot normally -passphrase was required after timeout. Images/repeated imaging allowed us to work indefinitely System booted to Windows during grace period - no need to attack encryption directly, memory analysis techniques
  • #21 -Downgrade system memory -Leverage DMA to dump memory - firewire -Exploit operating system structure in memory (Inception tool) -Result - full admin access
  • #22 We didn’t need to break the encryption -leveraged configuration oversights, key may still be in memory -Convenience vs. Security, resulted in total failure -Zero Knowledge - both ways - company would not be able to determine information was stolen
  • #26 As seen in the pentest, if there’s even a small window where pre-boot authentication is not necessary, encryption can be completely worked around
  • #27 On most laptops, this can be done in the BIOS Not just firewire, but ExpressCard and PCMCIA also provide this functionality Consider usability - are these really needed? Often no.
  • #28 Standby allows machine to be taken/stolen with operating system in memory - can allow encryption to be bypassed Hibernation often loads running state of machine into memory without any authentication If hibernation is required, consider ATA drive password combined with power on password. If you have to pick one, ATA is a better option.
  • #29 Different methods for handling lockouts - master password, challenge/response, etc Helpdesk social engineering
  • #30 A locked laptop, unattended, could still be compromised using these techniques Some laptops (eg, Toughbooks) have option to have hard drive removed when leaving machine
  • #31 Forensic penetration test for encryption verification