So you got your hard disks encrypted and feel totally secure? Think again.
Investigators have some nifty devices which are capable of moving your PC without disconnecting it, effectively bypassing FDE/WDE encryption if you are not in the habit of locking your computer. Although locking doesn't seem to be the answer nowadays with all those FireWire hacks. So what's left to do?
First of all, disable FireWire and make sure you always lock your PC. For the strange case that you do not lock your PC, I made some easy yet (this hasn't been tested in a real-life situation) effective code to frustrate the investigator. This is just a quick POC (forgive me the messy code) I wrote. In a lab environment this works, so don't blame me if it doesn't work in a real-life situation.
You could improve this code by replacing the locking mechanism with an instant shutdown mechanism. As we all know, this code does NOT protect against the cold boot attack. But then again... how fast will an investigator react when a computer suddenly shuts down?
```c
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <string.h>

/*
 * Author: DiabloHorn co-founder of KD-Team
 * Purpose: defeat http://www.youtube.com/watch?v=-G8sEYCOv-o &
 *          http://www.youtube.com/watch?v=erq4TO_a3z8
 * This will lock the computer when it is not able to connect to google.
 * If your computer is full disk encrypted then a simple lock (assuming you
 * have a strong password) is almost as good as a physical harddisk destruction.
 */
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"user32")

/* LockWorkStation is resolved at runtime from user32.dll */
BOOL (WINAPI *MyLockWorkStation)(void);
void checkCon(void);
BOOL isLocked;
BOOL isDiscon;
WSADATA wsaData;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow){
    HMODULE hinstLib = LoadLibrary("USER32.DLL");
    isLocked = FALSE;
    isDiscon = FALSE;
    if(WSAStartup(MAKEWORD(2,0), &wsaData) != 0){
        isDiscon = TRUE;
        return 0;
    }
    if(hinstLib){
        MyLockWorkStation = (BOOL (WINAPI *)(void)) GetProcAddress(hinstLib, "LockWorkStation");
    }else{
        MessageBox(NULL, "LoadLibrary() failed on user32.dll", "Error LoadLibrary()", MB_OK);
        return 1;
    }
    if(MyLockWorkStation == NULL){
        MessageBox(NULL, "GetProcAddress() failed on user32.dll", "Error GetProcAddress()", MB_OK);
        return 1;
    }
    /* Poll once a minute; lock as soon as the connectivity probe fails */
    while(1){
        checkCon();
        if(isDiscon){
            isLocked = MyLockWorkStation();
            while(!isLocked){ /* retry until the lock request is accepted */
                isLocked = MyLockWorkStation();
            }
        }
        Sleep(60*1000);
    }
}

/* TCP connect to google on port 80; sets isDiscon according to the result */
void checkCon(void){
    struct sockaddr_in sin;
    SOCKET sockout;
    sockout = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sockout == INVALID_SOCKET){
        isDiscon = TRUE;
        return;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    sin.sin_addr.s_addr = inet_addr("64.233.183.147"); //google ip 64.233.183.147
    if((connect(sockout, (struct sockaddr *)&sin, sizeof(sin))) == SOCKET_ERROR){
        isDiscon = TRUE;
        closesocket(sockout);
        return;
    }
    closesocket(sockout);
    isDiscon = FALSE;
    return;
}
```
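As an added example (my code, not the post's), here is the same dead-man's switch idea written on portable POSIX sockets so the core logic can be exercised outside Windows. Compared with the post's checkCon() it adds what a practitioner would want before trusting it: a bounded timeout on connect() instead of a blocking call that can stall for the full TCP connect timeout, several probe targets rather than one hardcoded IP that may change, and a consecutive-failure threshold so a transient hiccup does not fire the trigger. The lock/shutdown action is a callback, so the post's LockWorkStation() or a shutdown call can be dropped in on Windows. Assumptions: the probe addresses are constructed placeholders from the TEST-NET-1 range, `loginctl lock-session` is an assumed lock command for a systemd desktop, and `open_loopback_listener` and `count_trigger` are helpers that exist only for testing.

```c
/* Added example (not the post's code): portable network dead-man's switch.
 * Compared with the post's checkCon(): connect() has a bounded timeout,
 * several probe targets are tried, and a consecutive-failure threshold must
 * be reached before the lock/shutdown callback fires. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

struct target { const char *ip; unsigned short port; };

/* TCP connect with a timeout; true only if the handshake completed. */
bool probe_tcp(const char *ip, unsigned short port, int timeout_ms) {
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) return false;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return false;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    bool ok = false;
    if (connect(fd, (struct sockaddr *)&sin, sizeof sin) == 0) {
        ok = true;
    } else if (errno == EINPROGRESS) {
        fd_set wfds; FD_ZERO(&wfds); FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        if (select(fd + 1, NULL, &wfds, NULL, &tv) > 0) {
            int err = 0;
            socklen_t len = sizeof err;
            /* writable = connect finished; SO_ERROR tells whether it succeeded */
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                ok = true;
        }
    }
    close(fd);
    return ok;
}

/* "Connected" means at least one target answers. */
bool probe_any(const struct target *t, size_t n, int timeout_ms) {
    for (size_t i = 0; i < n; i++)
        if (probe_tcp(t[i].ip, t[i].port, timeout_ms)) return true;
    return false;
}

typedef void (*trigger_fn)(void *ctx);
struct watchdog { int failures; int threshold; bool fired; };

/* Feed one probe result; fires the trigger once after `threshold`
 * consecutive failures. Returns true on the call that fired it. */
bool watchdog_feed(struct watchdog *w, bool connected, trigger_fn fire, void *ctx) {
    if (connected) { w->failures = 0; return false; }
    if (++w->failures >= w->threshold && !w->fired) {
        w->fired = true;
        fire(ctx);
        return true;
    }
    return false;
}

/* Test helpers: an ephemeral loopback listener and a counting trigger. */
int open_loopback_listener(unsigned short *port) {
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) { close(fd); return -1; }
    *port = ntohs(sin.sin_port);
    return fd;
}
void count_trigger(void *ctx) { (*(int *)ctx)++; }

/* Assumed lock action for a systemd desktop; on Windows the post's
 * LockWorkStation() (or a shutdown call) goes here instead. */
void lock_session(void *ctx) { (void)ctx; int rc = system("loginctl lock-session"); (void)rc; }

int main(void) {
    /* Constructed placeholder targets (TEST-NET-1); use your own gateway/servers. */
    const struct target targets[] = { { "192.0.2.1", 80 }, { "192.0.2.2", 443 } };
    struct watchdog w = { 0, 3, false };          /* fire after 3 failed rounds */
    while (!w.fired) {
        watchdog_feed(&w, probe_any(targets, 2, 2000), lock_session, NULL);
        sleep(10);
    }
    return 0;
}
```

The threshold is the important design choice: with a single probe host and a lock on the first failure, as in the post, a changed IP at the probe host or one dropped packet locks the machine, which trains the user to ignore the control. Probing your own gateway or servers with a timeout of a few seconds and requiring two or three consecutive misses keeps the reaction time short while removing those false positives.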