Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

Flaw

[Narpak (961733)]

Seems to me that if all you need to do to get full access to anyones computer (anyone running Windows that is) is a Microsoft made device; that is a serious security flaw.

Re:Flaw

[EMeta (860558)]

Ah, but since the cracking device itself is made by Microsoft, it's not likely to work most of the time anyway. Just MS doing their own part to safeguarding our liberties.

Re:Flaw

[Feyr (449684)]

look on google for ntpasswd

linux-based livecd that will reset any password on your windows partition.

if you have physical access and it's not encrypted, any data is fair game, it doesnt have anything to do with microsoft (in fact, im pretty pissed at ms for making it such a hassle to reset a password)

Re:

[SiChemist (575005)]

What you are doing is NOT password recovery-- it is RESETTING the password. Resetting a password is trivial on Linux and Windows (if you have physical access), but the article says this device can decrypt passwords on the system. That is worth worrying a little.

Re:Flaw

[SiChemist (575005)]

indeed it's a password reset, which is what i said, not a recovery. but do you trust a journalist to know the difference? i know i don't

Good thing I wasn't replying to you :-)

The article says

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Which implies that it can break in without cycling the power. That sounds more like password extraction rather than resetting. I can only go by what the article wrote, rather than speculating about what they might have meant.

Really?

[SatanicPuppy (611928)]

No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.

Re:Really?

[ozmanjusri (601766)]

I'd just boot knoppix and mount the partition.

Police over here in WA have a special distro designed for forensics [zdnet.com.au].

Re:Really?

[MobileTatsu-NJG (946591)]

No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.

I just bought a Mac laptop and one of the things I ran across while I was reading about it was the File Vault. According to the really really enthusiastic article I read about it, it'll encrypt all the data on my home folder based on my login password. In theory, it sounds like even if somebody mirrored the drive, they'd have trouble (assuming the password is good...) getting at my data. I just wanted to ask: From a practical point of view, does this offer me much more protection? Or is there still some braindead easy way (short of beating the password out of me :P) that data can be recovered? Supposing it does work as advertised, am I at risk for having a single point of failure? Is there a realistic possibility of a badly timed computer freeze causing me to lose it all?

Re:Really?

[0100010001010011 (652467)]

From what I understand, No. There are ways, but nothing this simple. Your home folder is actually one massive 128bit AES disk image. So to crackers it just looks like one big file. You could do what I do and keep stuff 'private' (Tax Returns, financial stuff) on an encrypted disk image and have the OS NOT remember the password. Plus if you forget the password you don't lose all your music and other petty stuff.

http://en.wikipedia.org/wiki/FileVault [wikipedia.org]

I was in an Apple store once when someone brought in their file vaulted laptop computer. They had 'forgotten' their password (Their actual story was that the OS changed the password on them). Apple Genius told them they were SOL. There are ways, but none of them are easy and most require something like cooling the RAM immediately after shutdown or catching the computer when it is sleeping.

Re:Really?

[v1 (525388)]

The gorey details here are that the key to the filevault is a random number, and THAT is encrypted separately in the header using two different keys - the user's hashed password, and the filevault master. So if you know the master password, OR the user password, you can decrypt the actual image key and can get in. And changing the user password does not require reencoding all the image data, you just reencode the key in the header using the new password

There is no other back door. The only possible hack is if they have auto login turned on, which basically indicates they are a retard. Technically it's possible to recover the login password once booted and auto logged in, though I have yet to see anyone figure it out, and I do look periodically. But at that point the HD is mounted anyway so all your data is there for copying to ext HD. Just no access to passwords in the keychain, (as in to recover, but you can still use them since the keychain is probably unlocked) but as above that is technically possible but not seen it done yet.

If auto login is not on, they are not logged in, you don't know the password, and you don't know the master password, nobody can help you. Not the Apple store, not Steve, it doesn't matter who you are.

Re:

[megaditto (982598)]

One could always brute-force the password. Pre-10.3, DES brute-forcing would take about a month on your desktop computer. Since then they changed it to blowfish or something similar, so it would take longer.

Certainly, NSA or some random botnet master would be able to recover your password in minutes if they needed to.

Re:

[bill_kress (99356)]

I saw a really good post that applies to this entire thread (including File Vault)

If the NSA isn't freaking out about some kind of encryption trying to get it banned, it's because they can get into it.

Also, the more secure you think your files are, the more likely you'll put stuff there that might interest them.

Re:

[TheLink (130905)]

If you have a mac laptop and firewire AND are worried about people getting at your data, then maybe you should also figure out a way to disable full firewire access to your computer.

See: http://rentzsch.com/macosx/securingFirewire [rentzsch.com]

"Firewire provides direct memory access. So I can plug in my PowerBook into an Xserve, and arbitrarily read and write to all of the Xserve's RAM, sans any logical protection."

"Paul claims enabling the Open Firmware password also automatically disables Firewire DMA, preventing trick

Re:

[Crayon Kid (700279)]

Define "bad people", please.

Re:

[sporkme (983186)]

Windows admin accounts can "take ownership" of folders and files through permissions dialogs, even encrypted files belonging to another admin account. Without Administrator access or a bootable OS, you can install a parallel OS on the machine or just mount the volume from another system, alter the permissions for folders at will, and access everything. We used this regularly to extract documents from a pooched MS OS when I worked as a bench tech--we used an unpatched WIN2K image and a USB IDE card.

http: [microsoft.com]

Re:

[makomk (752139)]

The whole point of encryption is that it cannot be easily bypassed. The only way to get past the encryption is to decrypt the encrypted information. Now obviously Microsoft may have included back door keys or other mechanisms as "safety valves" for law enforcement, but nobody who is serious about their cryptography is going to trust the Microsoft disk encryption services. The full disk encryption services provided by TrueCrypt [truecrypt.org] (free and open source), for example, are NOT going to be easily defeated by any external technical analysis.

The whole point of this is that they can use it as a tool to analyze live systems which still have the encryption key in memory from when the user opened the encrypted volume. Using Truecrypt or other third-party encryption software won't protect you - if the encrypted volume was open when the police got to you, the data can be extracted no matter what you were using.

Presumably, this has backdoors to bypass things like the Windows screen locker (which would otherwise be a major obstacle to working with

Re:Flaw

[gstoddart (321705)]

Seems to me that if all you need to do to get full access to anyones computer (anyone running Windows that is) is a Microsoft made device; that is a serious security flaw.

And, a scary precedent.

When the man kicks in your door, hooks up his thumb drive to your Linux box and doesn't get what he wants ... you will have committed a crime by not making your information available in a format accessible to law enforcement. Only terrorists would do that.

The above is a deliberately absurd example. One which I fear is less far fetched than one would have previously hoped.

Mostly, I agree with some of the other posters here ... if Microsoft can make this, that means there's a defined mechanism you can use to completely defeat any form of security in Windows. And, that's bad; someone will figure this out.

Cheers

Re:Flaw

[gstoddart (321705)]

It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.

Wow. Just fucking wow.

So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad.

Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice.

If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops.

Cheers

Re:

[Jafafa Hots (580169)]

It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.

Wow. Just fucking wow. So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad. Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice. If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops. Cheers

No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

The OP is NOT abusing the system in any way shape or form - he's using the system as the system was intended.

It's the SYSTEM that is abusive. It's the law that's wrong. Want another example? Google "civil forfeiture" and "criminal forfeiture." It's a nice way to fund government - they seize your farm because your stupid nephew had a couple o

Re:

[ricree (969643)]

No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

Not necessarily. In United States v. Boucher [wikipedia.org] for example, a US district court ruled that the fifth amendment protections extend to encryption keys. The ruling has been appealed, of course, so we'll have to wait and see what happens there, but if it stands then there would seem that you can withhold your key in many cases.

Re:

[esocid (946821)]

Don't worry, it's Certified for Windows Vista!

Re:

[lattyware (934246)]

Well done for saying what was clearly stated in the article, pointing out the bloody obvious, +insightful to you sir!

What could possibly go wrong?

[mrbah (844007)]

Reverse engineering and (more) malicious usage in 3... 2... 1.

Re:What could possibly go wrong?

[nawcom (941663)]

Reverse engineering and (more) malicious usage in 3... 2... 1.

Link to torrent of the COFEE thumb drive image on TPB in 3... 2... 1.

Re:

[tokul (682258)]

Reverse engineering and ...

Why do you have to reverse engineer it when tools already exist?

This works!

[towelie-ban (1234530)]

They're already selling these online. Just check the box next to "I certify I'm a cop. Seriously, I am." and it's all yours for $19.95.

Here it comes...

[NewbieProgrammerMan (558327)]

Cue the "if you have nothing to hide..." responses (and possibly some Hans Reiser jokes).

Do not pass "go", do not collect...

[by Anonymous Coward]

"Where do you want to go today?"
Jail?

To save your time

[trifish (826353)]

The summary and article in one word:

FUD

How the -

[Fynd (1132303)]

...bypasses all of the Windows security...

All of the Windows security - I can't even fathom how complex that device must be, that sure is a lot of security to bypass.

Re:How the -

[pilgrim23 (716938)]

Did anyone else notice that the Microsoft spokesman's name is...Mr. (Agent?) Smith?

Interesting thought

[Oxy the moron (770724)]

This article poses a question I've always wondered about. Do most criminal investigations of the computer-related nature have experts that are well-versed in multiple operating systems? Seeing as to how this is government, I would guess the answer is "no," and that is partly why we have this... uhh... "benefit" from Microsoft to aid our investigators.

Makes me curious as to what would happen if, for some reason, my computer were seized and the police booted up to an Ubuntu welcome screen... heh...

Re:

[AltGrendel (175092)]

Makes me curious as to what would happen if, for some reason, my computer were seized and the police booted up to an Ubuntu welcome screen... heh...

They would probably post questions to "Ask Slashdot".

Re:

[EasyTarget (43516)]

No.
They'll get my FreeBSD box, fail to understand it, probably reformat the RAID drives trying to run a 'disk checker' on them. Then use this as evidence of my wrongoing.

"He had a 'so called' open computer, that no 'normal' person can understand, breaking all Microsoft's standards and patents. It's made of Demons! burn the TERRORIST!!!"

Re:Interesting thought

[blueg3 (192743)]

Yes. Most criminal investigations have experts well-versed in many operating systems. More regional departments may not have Macintosh or Unix experts, though almost all computer forensic investigators have familiarity with Unix, and would send the computer to another office. There are a lot of experts working in law enforcement, so if their case is important enough, your hardware will be shipped to an office that has an expert.

They wouldn't boot your machine, though. They'd remove the drive, duplicate it, and then look at the duplicate through a hardware write blocker. Software would probably indicate that the majority of the disk was ext2/whatever Unix format you use partitions, and the layout of the root partition would make it fairly clear you were using a Unix variant. If they really wanted to "boot" your machine, they'd boot an image of your drive using a VM.

I dunno...

[Otter (3800)]

It basically bypasses all of the Windows security...

The article is extremely vague, but I don't see where this assertion came from. It sounds like they're distributing USB drives with a collection of cracking and monitoring tools; like what any self-respecting 1337 h4x0r carries around with him. If that's correct, there's no reason to think the same thing couldn't be done for Linux.

This is very smart on Microsoft's part...

[ConceptJunkie (24823)]

...it's just one more nail in the coffin of being "allowed" to use OSS. After all, if you have nothing to hide then you have nothing to fear, and only criminals would use OSS that would allow them to evade government snooping.

I'm sure some lobbyist is sitting with a Congressional staffer right now, explaining how requiring Windows on every computer is essential to the War on Terrorism.

Physical access equals ownage under any OS

[Mashiara (5631)]

unless the hardware itself is secured and tamper-resistant enough (ie cost of successfull tampering is higher than value of data).

This has always been true.

Not new

[The MAZZTer (911996)]

Anyone can boot from a Knoppix live CD and mount NTFS drives in Linux and poke around. NTFS security is not applied under Linux so you can have a look at anything you want. I don't see how this is a big deal.

The only thing that might be a problem is browsing the registry, but I wonder if wine's regedit can load native Windows registry hives. If so, then all Microsoft has done is taken existing Linux functionality and made it user friendly for the police.

Speaking of which, anyone wanna place bets as to how long it takes for this tool to spread across p2p and torrent sites?

It basically bypasses all of the Windows security

[Cro Magnon (467622)]

And was one of the easiest things that Microsoft has ever done.

So who needs Microsoft's device?

[Orion Blastar (457579)]

Here are the top four password recovery tools for Windows [about.com] according to about.com's article.

Nothing to Hide...

[SilentBob0727 (974090)]

In unrelated news, it is now a felony not to run Windows on your machine, and Linus Torvalds has gone into hiding.

Could set crooks free easier too

[JustASlashDotGuy (905444)]

FTA:

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

The second you plug one of these into the suspect's machine while it's running, you just set the criminal free. Reason being, you potentially just altered the original source of data and could have injected you own "evidence". Any lawyer would get you off in a heart beat.

You'd always have to shut it down, image the drive, and then run your test against the image. If you ever so much as boot the image and use the device at that point, you've still just changed a shit load of files during the boot up process and a lawyer may still be able to get you off.

This device is only helpful if it contains a standalone script that can be pointed to a set of files on a write-blocked drive. Blindly letting it have full read/write access to any drive would be instant not-guilty result.

Unless this device gets some hefty certs, I'd be surprised if any law enforcement agency that reports to the public courts would ever use this device as reported.

This has already been done

[Shadow-isoHunt (1014539)]

This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.

http://tourian.jchost.net/shadow/liveusb/boot.png [jchost.net]
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png [jchost.net]
http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png [jchost.net]

http://citp.princeton.edu/memory/ [princeton.edu]
http://mcgrewsecurity.com/projects/msramdmp/ [mcgrewsecurity.com] (The MS isn't for microsoft)

Re:

[palewook (1101845)]

More Info: http://www.news.com/8301-10784_3-9930664-7.html [news.com] And PDF's with details from 2 conferences: http://www.techsec.com/pdf/Tuesday/On%20Demand%20Mike%20Duren.pdf [techsec.com] http://www.marcomattiucci.it/ieong.pdf [marcomattiucci.it]

Nothing really new..

[greywire (78262)]

Not sure what the big deal is.

If you are a computer forensic investigator you already have many available tools (EnCase, etc) to do the same thing, not to mention the obvious linux based free tools (Helix, etc) that let you pound away on a computer (or captured image) and get whatever you want off it.

Keeping your computer completely secure is about as practical as copyright owners keeping their data totally protected. Its always an escalating two way battle and the winner is just the one who's willing to go the farthest with it, but nothing is 100% safe.

Privacy and DRM are both doomed for the same reasons.

Get over it.

Re:If It's Possible...

[vux984 (928602)]

So, the sheer fact that there is a device that can do this also means that anybody can do this because the methods are in place for bypassing security. It's only a matter of time before someone spends enough energy to develop a device that can do this (outside of Microsoft).

No. The ONLY question that is of any interest is whether or not this device actually has a back door to Windows encryption. Somehow I seriously doubt that it does. Its probably little more than a bootable drive with NTFS support, and some tools. If you've got a password on your login, it doesn't mean you are using encryption. And this tool probably just lets you get straight to searching the -unencrypted- disk without cracking the login, or without pulling the drive and installing it somewhere else to scan through.

The implications of a device like this are scary to say the least. Although I'm not a Microsoft hater, this alone is more than enough to make me take a second look at options other than Microsoft Windows.

I suspect your average Linux LiveCD Recovery Disk has all the same tools on it. MS is just getting on board with their own version, to remove another area, where, right now, you have to use Linux. If that's the case the implications aren't scary at all.

And this whole are article is pure FUD.

Unless they've provided a back door to the encryption. That is the -only- question. But I really doubt they have.

Re:If It's Possible...

[SatanicPuppy (611928)]

Yea, look at linux...No way would it be possible to reset the root password [linuxgazette.net] if you had physical access to the machine.

I can't believe all the people who are freaking out about this. This isn't a remote exploit. This isn't a massive security hole. This is trivial stuff that anyone who is reasonably computer savvy should be able to do.

Some COFEE info from an Australian L.E. Conference

[d3ac0n (715594)]

Google .DOC-to-HTML link [209.85.165.104]

Here is the original link if anyone wants it: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc [ecu.edu.au]

If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

Computer Online Forensic Evidence Extractor (COFEE)

In year 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006) COFEE uses batch script to manage a list of existing incident response tools and IT security tools volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts, programs were stored on USB storage device before data acquisition.

Instead of requesting users to key in the output directory, COFEE automatically redirect the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, Operating System dependent program will be automatically selected after the version detection. Investigator only needs to insert the USB storage devices to the target machine and click one to two buttons in order to start the data acquisition process.

Another difference between COFEE with other live forensics toolkits is separation of the data acquisition procedures with the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on target machine may also alter the memory content in the target machine. As report generation does not necessarily be executed on target machine, therefore, only data acquisition programs, in COFEE, would be executed on target machines. All program selection, data examination and analysis processes would be performed on investigator machine.

Besides, more forensics programs are supported by COFEE such as screen capture and password capture tools.

Interestingly, this article if from 2006. So COFEE has been around for 2 years already. Fascinating that we are just hearing about it now.

Re:Customs

[Ioldanach (88584)]

Unless there's a huge public backlash before then, I predict that Customs will roll these out to every major airport within the year.

I hope so, because then the first slashdotter that has to go through customs can have his laptop automatically dd the entire contents of whatever usb drive gets attached to it, before they even realize it can't figure out what his laptop is running.