FDE / WDE spiced up

Posted: October 29, 2008 in (anti)Forensics

So you got your hard disks encrypted and feel totally secure? Think again.

Investigators have got some nifty devices which are capable of moving your PC without powering it off, effectively bypassing FDE/WDE encryption if you are not in the habit of locking your computer. Although locking doesn’t seem to be the answer nowadays either, with all those FireWire hacks. So what’s left to do?

First of all, disable FireWire and make sure you always lock your PC. For the strange case that you do not lock your PC, I made some easy yet (this hasn’t been tested in a real-life situation) effective code to frustrate the investigator: it periodically tries to open a TCP connection to a known host and locks the workstation as soon as that connection fails, on the assumption that moving the machine means unplugging it from the network. This is just a quick POC (forgive me the messy code) I wrote. In a lab environment this works, so don’t blame me if this doesn’t work in a real-life situation.

You could improve this code by replacing the locking mechanism with an instant shutdown mechanism. As we all know this code does NOT protect against the cold boot attack. But then again…how fast will an investigator react when a computer suddenly shuts down?

#include <winsock2.h>   /* must come before windows.h */
#include <windows.h>
#include <stdlib.h>
#include <string.h>     /* memset */
/*
	Author: DiabloHorn co-founder of KD-Team
	Purpose: defeat http://www.youtube.com/watch?v=-G8sEYCOv-o & http://www.youtube.com/watch?v=erq4TO_a3z8
	This will lock the computer when it is not able to connect to google.
	If your computer is full disk encrypted then a simple lock(assuming you have a strong password)
	is almost as good as a physical harddisk destruction.
*/
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"user32")

/* LockWorkStation is resolved at runtime; it returns a BOOL and takes no arguments. */
typedef BOOL (WINAPI *LockWorkStationFn)(void);
LockWorkStationFn MyLockWorkStation = NULL;
void checkCon(void);

BOOL isLocked;
BOOL isDiscon;   /* set by checkCon(): TRUE when the probe connection failed */
WSADATA wsaData;

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow){
	HMODULE hinstLib = LoadLibrary("USER32.DLL");
	isLocked = FALSE;
	isDiscon = FALSE;

	/* Winsock must be initialised before any socket call. */
	if(WSAStartup(MAKEWORD(2,2),&wsaData) != 0){
		isDiscon = TRUE;
		return 0;
	}

	if (hinstLib){
		MyLockWorkStation = (LockWorkStationFn) GetProcAddress(hinstLib, "LockWorkStation");
	}else{
		MessageBox(NULL,"LoadLibrary() failed on user32.dll","Error LoadLibrary()",MB_OK);
		return 1;
	}

	/* Without a valid function pointer the loop below would call NULL, so bail out here. */
	if(MyLockWorkStation == NULL){
		MessageBox(NULL,"GetProcAddress() failed on user32.dll","Error GetProcAddress()",MB_OK);
		return 1;
	}

	/* Poll once a minute; keep retrying the lock until it succeeds. */
	while(1){
		checkCon();
		if(isDiscon){
			isLocked = MyLockWorkStation();
			while(!isLocked){
				isLocked = MyLockWorkStation();
			}
		}
		Sleep(60*1000);
	}
	/* not reached */
}

/* Probe connectivity with a plain TCP connect to port 80 of the hard-coded host. */
void checkCon(void){
	struct sockaddr_in sin;
	SOCKET sockout;

	sockout = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if(sockout == INVALID_SOCKET){
		isDiscon = TRUE;
		return;
	}
	memset(&sin,0,sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(80);
	sin.sin_addr.s_addr = inet_addr("64.233.183.147"); //google ip 64.233.183.147

	if ((connect(sockout, (struct sockaddr *)&sin, sizeof(sin))) == SOCKET_ERROR) {
		isDiscon = TRUE;
		closesocket(sockout);
		return;
	}
	
	closesocket(sockout);
	isDiscon = FALSE;
	return;
}
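The POC above has two practical weak spots the post itself hints at: it trusts a single hard-coded IP (one unreachable host, or a changed address, locks you out every minute) and it blocks in connect() with no timeout. The following is an added example, not DiabloHorn's code, showing the same idea with a connect timeout, several probe targets, a consecutive-failure threshold to absorb short network hiccups, and the lock/shutdown action swapped in as a callback so the "instant shutdown" variant from the post is a one-line change. The probe targets, the 2 second timeout and the threshold of 2 are assumptions chosen for illustration; `LockWorkStation` and `shutdown /s /f /t 0` are the real Windows API and command, and the example only calls them on Windows.

```python
import ctypes
import socket
import subprocess
import sys
import time
from typing import Callable, Sequence, Tuple

# Constructed probe list (assumption): several independent hosts, so that
# one of them being down does not by itself count as "disconnected".
PROBE_TARGETS: Sequence[Tuple[str, int]] = [("8.8.8.8", 53), ("1.1.1.1", 53)]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port can be opened within timeout.

    The original POC used a blocking connect(); a timeout keeps the loop
    responsive and makes a cable pull visible within seconds, not tens of them.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def network_reachable(targets: Sequence[Tuple[str, int]],
                      probe: Callable[[str, int], bool] = tcp_probe) -> bool:
    """Reachable if ANY target answers; the probe is injectable for testing."""
    return any(probe(host, port) for host, port in targets)


def lock_workstation() -> None:
    """Lock the interactive session (Windows only, via user32!LockWorkStation)."""
    if sys.platform != "win32":
        raise NotImplementedError("LockWorkStation is a Windows API")
    ctypes.windll.user32.LockWorkStation()


def shutdown_now() -> None:
    """The harsher variant from the post: immediate forced shutdown (Windows only)."""
    if sys.platform != "win32":
        raise NotImplementedError("shutdown /s is a Windows command")
    subprocess.run(["shutdown", "/s", "/f", "/t", "0"], check=False)


class DisconnectWatchdog:
    """Fire `action` once per disconnect episode, after `threshold` failed rounds in a row."""

    def __init__(self, threshold: int, check: Callable[[], bool], action: Callable[[], None]):
        self.threshold = threshold
        self.check = check
        self.action = action
        self.failures = 0
        self.triggered = False

    def tick(self) -> bool:
        """Run one probe round. Returns True only on the tick where the action fired."""
        if self.check():
            # Connectivity is back: clear the counter and re-arm the trigger.
            self.failures = 0
            self.triggered = False
            return False
        self.failures += 1
        if self.failures >= self.threshold and not self.triggered:
            self.triggered = True
            self.action()
            return True
        return False


def run(interval: float = 5.0, threshold: int = 2, action: Callable[[], None] = lock_workstation) -> None:
    """Poll every `interval` seconds; a shorter interval than the POC's 60 s narrows the window."""
    watchdog = DisconnectWatchdog(
        threshold=threshold,
        check=lambda: network_reachable(PROBE_TARGETS),
        action=action,
    )
    while True:
        watchdog.tick()
        time.sleep(interval)


if __name__ == "__main__":
    # Swap in shutdown_now to get the "instant shutdown" behaviour discussed in the post.
    run(action=lock_workstation)
```

With threshold=2 and interval=5 the machine locks about ten seconds after the last probe succeeded, which is still far shorter than the POC's one-minute sleep; raise the threshold if your network drops packets often, since every false positive is a locked session.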
Comments
  1. […] finished, mainly because I’ve got little time to spare for coding. Previously I wrote about using some kind of ping to see if your computer is still connected to the net. The solution is […]
