Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

Flaw

[Narpak]

Seems to me that if all you need to do to get full access to anyones computer (anyone running Windows that is) is a Microsoft made device; that is a serious security flaw.

Re:Flaw

[EMeta]

Ah, but since the cracking device itself is made by Microsoft, it's not likely to work most of the time anyway. Just MS doing their own part to safeguarding our liberties.

Re:Flaw

[Feyr]

look on google for ntpasswd

linux-based livecd that will reset any password on your windows partition.

if you have physical access and it's not encrypted, any data is fair game, it doesnt have anything to do with microsoft (in fact, im pretty pissed at ms for making it such a hassle to reset a password)

Re:

[SiChemist]

What you are doing is NOT password recovery-- it is RESETTING the password. Resetting a password is trivial on Linux and Windows (if you have physical access), but the article says this device can decrypt passwords on the system. That is worth worrying a little.

Re:Flaw

[SiChemist]

indeed it's a password reset, which is what i said, not a recovery. but do you trust a journalist to know the difference? i know i don't

Good thing I wasn't replying to you :-)

The article says

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Which implies that it can break in without cycling the power. That sounds more like password extraction rather than resetting. I can only go by what the article wrote, rather than speculating about what they might have meant.

Really?

[SatanicPuppy]

No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.

Re:Really?

[ozmanjusri]

I'd just boot knoppix and mount the partition.

Police over here in WA have a special distro designed for forensics [zdnet.com.au].

Re:

[malinha]

well, just another job to truecrypt.

Re:

[SnapShot]

It would be really funny / ironic if this "plug-in" device WAS just knoppix on a thumb drive.

Re:Really?

[MobileTatsu-NJG]

No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.

I just bought a Mac laptop and one of the things I ran across while I was reading about it was the File Vault. According to the really really enthusiastic article I read about it, it'll encrypt all the data on my home folder based on my login password. In theory, it sounds like even if somebody mirrored the drive, they'd have trouble (assuming the password is good...) getting at my data. I just wanted to ask: From a practical point of view, does this offer me much more protection? Or is there still some braindead easy way (short of beating the password out of me :P) that data can be recovered? Supposing it does work as advertised, am I at risk for having a single point of failure? Is there a realistic possibility of a badly timed computer freeze causing me to lose it all?

Re:Really?

[0100010001010011]

From what I understand, No. There are ways, but nothing this simple. Your home folder is actually one massive 128bit AES disk image. So to crackers it just looks like one big file. You could do what I do and keep stuff 'private' (Tax Returns, financial stuff) on an encrypted disk image and have the OS NOT remember the password. Plus if you forget the password you don't lose all your music and other petty stuff.

http://en.wikipedia.org/wiki/FileVault [wikipedia.org]

I was in an Apple store once when someone brought in their file vaulted laptop computer. They had 'forgotten' their password (Their actual story was that the OS changed the password on them). Apple Genius told them they were SOL. There are ways, but none of them are easy and most require something like cooling the RAM immediately after shutdown or catching the computer when it is sleeping.

Re:Really?

[v1]

The gorey details here are that the key to the filevault is a random number, and THAT is encrypted separately in the header using two different keys - the user's hashed password, and the filevault master. So if you know the master password, OR the user password, you can decrypt the actual image key and can get in. And changing the user password does not require reencoding all the image data, you just reencode the key in the header using the new password

There is no other back door. The only possible hack is if they have auto login turned on, which basically indicates they are a retard. Technically it's possible to recover the login password once booted and auto logged in, though I have yet to see anyone figure it out, and I do look periodically. But at that point the HD is mounted anyway so all your data is there for copying to ext HD. Just no access to passwords in the keychain, (as in to recover, but you can still use them since the keychain is probably unlocked) but as above that is technically possible but not seen it done yet.

If auto login is not on, they are not logged in, you don't know the password, and you don't know the master password, nobody can help you. Not the Apple store, not Steve, it doesn't matter who you are.

Re:

[megaditto]

One could always brute-force the password. Pre-10.3, DES brute-forcing would take about a month on your desktop computer. Since then they changed it to blowfish or something similar, so it would take longer.

Certainly, NSA or some random botnet master would be able to recover your password in minutes if they needed to.

Re:

[bill_kress]

I saw a really good post that applies to this entire thread (including File Vault)

If the NSA isn't freaking out about some kind of encryption trying to get it banned, it's because they can get into it.

Also, the more secure you think your files are, the more likely you'll put stuff there that might interest them.

Re:

[TheLink]

If you have a mac laptop and firewire AND are worried about people getting at your data, then maybe you should also figure out a way to disable full firewire access to your computer.

See: http://rentzsch.com/macosx/securingFirewire [rentzsch.com]

"Firewire provides direct memory access. So I can plug in my PowerBook into an Xserve, and arbitrarily read and write to all of the Xserve's RAM, sans any logical protection."

"Paul claims enabling the Open Firmware password also automatically disables Firewire DMA, preventing trick

Re:

[SatanicPuppy]

Physical access is always a killer. Your only safeguard at that point is encryption.

I can't think it would take all that long anyway. I reset the admin password on my windows laptop the other day, and it was fairly trivial.

Re:

[Crayon Kid]

Define "bad people", please.

Re:

[sporkme]

Windows admin accounts can "take ownership" of folders and files through permissions dialogs, even encrypted files belonging to another admin account. Without Administrator access or a bootable OS, you can install a parallel OS on the machine or just mount the volume from another system, alter the permissions for folders at will, and access everything. We used this regularly to extract documents from a pooched MS OS when I worked as a bench tech--we used an unpatched WIN2K image and a USB IDE card.

http: [microsoft.com]

Re:

[makomk]

The whole point of encryption is that it cannot be easily bypassed. The only way to get past the encryption is to decrypt the encrypted information. Now obviously Microsoft may have included back door keys or other mechanisms as "safety valves" for law enforcement, but nobody who is serious about their cryptography is going to trust the Microsoft disk encryption services. The full disk encryption services provided by TrueCrypt [truecrypt.org] (free and open source), for example, are NOT going to be easily defeated by any external technical analysis.

The whole point of this is that they can use it as a tool to analyze live systems which still have the encryption key in memory from when the user opened the encrypted volume. Using Truecrypt or other third-party encryption software won't protect you - if the encrypted volume was open when the police got to you, the data can be extracted no matter what you were using.

Presumably, this has backdoors to bypass things like the Windows screen locker (which would otherwise be a major obstacle to working with

Re:Flaw

[gstoddart]

Seems to me that if all you need to do to get full access to anyones computer (anyone running Windows that is) is a Microsoft made device; that is a serious security flaw.

And, a scary precedent.

When the man kicks in your door, hooks up his thumb drive to your Linux box and doesn't get what he wants ... you will have committed a crime by not making your information available in a format accessible to law enforcement. Only terrorists would do that.

The above is a deliberately absurd example. One which I fear is less far fetched than one would have previously hoped.

Mostly, I agree with some of the other posters here ... if Microsoft can make this, that means there's a defined mechanism you can use to completely defeat any form of security in Windows. And, that's bad; someone will figure this out.

Cheers

Re:

[ozmanjusri]

someone will figure this out.

Someone HAS figured this out.

At least, that's the only safe assumption you can make about any Windows box now.

Re:

[plague3106]

Well, I'm sure Linux is safe. After all, it's not like you can replace parts of the kernel while the system is running or anything [slashdot.org].

Re:

[gstoddart]

Well, I'm sure Linux is safe. After all, it's not like you can replace parts of the kernel while the system is running or anything

No, I'm not naively claiming Linux (or anything else is more inherently safe).

But, given that someone will likely put this into an ActiveX control and convince people to download it like they do all of the other windows malware out there -- it will be a fairly widespread problem if/when it does become known.

You want to hack into my FreeBSD box? You need to punch through my firew

Re:Flaw

[gstoddart]

It's hardly absurd. It's called "obstruction of justice". I've charged many people with obstruction for disobeying simple orders during a stop or arrest. It's a catch-all law that blurs the line between your civil rights and my ability to get what I want out of you, when I want it.

Wow. Just fucking wow.

So, either an AC is trolling by claiming to be a police officer who abuses due process. In which case I'm feeding trolls, and it's my bad.

Or, an actual police officer is pointing out how he can basically stomp over the intent of the law and your rights by pulling out an unsubstantiated claim of obstruction of justice.

If so, you're a perfect example of what is wrong in law enforcement, and why people have come to believe the cops are just thugs with authority. No wonder you posted anonymously. Thank you for demonstrating a new reason for increased cynicism about such things. No wonder people hate cops.

Cheers

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ricree]

No. That is exactly how Obstruction of Justice law is intended to be used. You destroy evidence, it's Obstruction of Justice. You don't hand over passwords, it is also.

Not necessarily. In United States v. Boucher [wikipedia.org] for example, a US district court ruled that the fifth amendment protections extend to encryption keys. The ruling has been appealed, of course, so we'll have to wait and see what happens there, but if it stands then there would seem that you can withhold your key in many cases.

Re:

[esocid]

Don't worry, it's Certified for Windows Vista!

Re:

[squallbsr]

So, this must be what that hidden NSAKEY/KEY2 encryption key is for...

_NSAKEY [wikipedia.org]

Re:

[lattyware]

Well done for saying what was clearly stated in the article, pointing out the bloody obvious, +insightful to you sir!

What could possibly go wrong?

[mrbah]

Reverse engineering and (more) malicious usage in 3... 2... 1.

Re:What could possibly go wrong?

[nawcom]

Reverse engineering and (more) malicious usage in 3... 2... 1.

Link to torrent of the COFEE thumb drive image on TPB in 3... 2... 1.

Re:

[tokul]

Reverse engineering and ...

Why do you have to reverse engineer it when tools already exist?

This works!

[towelie-ban]

They're already selling these online. Just check the box next to "I certify I'm a cop. Seriously, I am." and it's all yours for $19.95.

Here it comes...

[NewbieProgrammerMan]

Cue the "if you have nothing to hide..." responses (and possibly some Hans Reiser jokes).

Do not pass "go", do not collect...

[Anonymous Coward]

"Where do you want to go today?"
Jail?

To save your time

[trifish]

The summary and article in one word:

FUD

Re:

[Enderandrew]

Not this time actually.

Fear, Uncertainty and Doubt is how they sway you away from competing products. Here they are just selling one of their own, with no mention of a competing product.

LIAR!

[SatanicPuppy]

This is huge! Windows passwords aren't enough to secure my porn! Call the government! Call nasa! Call a lawyer! This is an outrage!

Seriously. Does anyone here NOT know how to pull all the data off a windows machine without a password? I can think of a half-dozen ways to do it, and there is plenty of commercial software out there if you wanted to purchase some.

If someone has physical access to your machine, it is NOT secure. This is why people use encryption.

How the -

[Fynd]

...bypasses all of the Windows security...

All of the Windows security - I can't even fathom how complex that device must be, that sure is a lot of security to bypass.

Re:How the -

[pilgrim23]

Did anyone else notice that the Microsoft spokesman's name is...Mr. (Agent?) Smith?

Re:

[InlawBiker]

I can only imagine it's a collection of small apps and scripts that locate important files and registry values. These are already available, all over the place. Most of them are free.

By saying it bypasses *all* security, that would include full disk encryption and somehow obtaining admin access. I find it very hard to believe that this is the case.

I'd be real interested to see this USB key examined. There should be a bounty paid to the first person to get their hands on one.

Interesting thought

[Oxy the moron]

This article poses a question I've always wondered about. Do most criminal investigations of the computer-related nature have experts that are well-versed in multiple operating systems? Seeing as to how this is government, I would guess the answer is "no," and that is partly why we have this... uhh... "benefit" from Microsoft to aid our investigators.

Makes me curious as to what would happen if, for some reason, my computer were seized and the police booted up to an Ubuntu welcome screen... heh...

Re:

[AltGrendel]

Makes me curious as to what would happen if, for some reason, my computer were seized and the police booted up to an Ubuntu welcome screen... heh...

They would probably post questions to "Ask Slashdot".

Re:

[EasyTarget]

No.
They'll get my FreeBSD box, fail to understand it, probably reformat the RAID drives trying to run a 'disk checker' on them. Then use this as evidence of my wrongoing.

"He had a 'so called' open computer, that no 'normal' person can understand, breaking all Microsoft's standards and patents. It's made of Demons! burn the TERRORIST!!!"

Re:

[SatanicPuppy]

They just hire consultants. It's pointless to have a bunch of computer security guys on your staff when it's a tiny minority of your crimes that are dealing with computer issues.

Re:

[Mia'cova]

If there's a valid reason to perform a full search, they'll pay to get the job done, regardless of weather or not they can do it internally. Of course, by handling the windows case in-house, most searches can be handled internally.

They don't just give up if they get a unix shell and let the killer go.

Re:

[99BottlesOfBeerInMyF]

This article poses a question I've always wondered about. Do most criminal investigations of the computer-related nature have experts that are well-versed in multiple operating systems?

From what I've seen, no. According to an FBI guy I know, as of a few years ago when the FBI found a Mac during an investigation, they shipped it to the RCMP (canadian mounties) for analysis. There is also a fairly well known computer forensics program at the university nearby (one of the largest of such programs in the country). They do cover Linux and NTFS but very sparsely. Most of the Linux stuff is about setting up a and using a Linux box as an investigative tool, not investigating other Linux machi

Re:Interesting thought

[blueg3]

Yes. Most criminal investigations have experts well-versed in many operating systems. More regional departments may not have Macintosh or Unix experts, though almost all computer forensic investigators have familiarity with Unix, and would send the computer to another office. There are a lot of experts working in law enforcement, so if their case is important enough, your hardware will be shipped to an office that has an expert.

They wouldn't boot your machine, though. They'd remove the drive, duplicate it, and then look at the duplicate through a hardware write blocker. Software would probably indicate that the majority of the disk was ext2/whatever Unix format you use partitions, and the layout of the root partition would make it fairly clear you were using a Unix variant. If they really wanted to "boot" your machine, they'd boot an image of your drive using a VM.

I dunno...

[Otter]

It basically bypasses all of the Windows security...

The article is extremely vague, but I don't see where this assertion came from. It sounds like they're distributing USB drives with a collection of cracking and monitoring tools; like what any self-respecting 1337 h4x0r carries around with him. If that's correct, there's no reason to think the same thing couldn't be done for Linux.

Re:

[QuantumRiff]

Right, but what happens when that cop tries to copy c:\windows\system32 (cause IIS defaults to putting its logfiles in there) from the hard drive to the pen drive; that's what step 18 in the carefully laid out instructions say. He really doesn't want to tinker, because evidence has to be gathered a certain way, to be used in court. He got promoted from a different post last year, and has been sent to lots of training on forensics for windows systems.

Re:

[Otter]

Yes, but the difference is Linux isn't made with intentional security holes that the maker obscures and then peddles to law enforcement agencies.

Could you please point out the part of the story where you and the submitter are getting this "bypassing security" thing from?

Re:

[plague3106]

Uh, can you point to a section of the article that indicates that intential security holes were built in? Last I checked, if you have physical access to any computer, you can get in.

Re:

[CSMatt]

In this day and age, the police no longer need warrents.

The ultimate zero-day exploit

[G4from128k]

This sounds like the ultimate exploit. MSFT is hardly going to close these security holes. I wonder when copies of this USB drive (and network-enabled variants of the attacks) will be employed by malware and botnet vendors.

This is very smart on Microsoft's part...

[ConceptJunkie]

...it's just one more nail in the coffin of being "allowed" to use OSS. After all, if you have nothing to hide then you have nothing to fear, and only criminals would use OSS that would allow them to evade government snooping.

I'm sure some lobbyist is sitting with a Congressional staffer right now, explaining how requiring Windows on every computer is essential to the War on Terrorism.

Re:

[KiltedKnight]

Considering that one interpretation of the MS Windows EULA basically says that while you own the computer, you don't really own the computer... All you need is some creative lawyer to use that interpretation to say, "Well, you don't really own the box. It's just on loan to you from Microsoft. This device allows Microsoft to examine their property."

Physical access equals ownage under any OS

[Mashiara]

unless the hardware itself is secured and tamper-resistant enough (ie cost of successfull tampering is higher than value of data).

This has always been true.

Re:

[99BottlesOfBeerInMyF]

Physical access equals ownage under any OS

Dude. Even Windows (Vista) supports encrypting your disk these days. Assuming it was turned off when seized, that does not mean your data has been compromised or is realistically recoverable, especially by your average cop shop.

wow

[theheadlessrabbit]

i wish i had known about this during last months pwn to own contest.

Then i'd be running ubuntu on my cracked and pwned vista machine right now, instead of runnung ubuntu on my purchased and formatted vista machine.

Required?

[dotancohen]

I wonder if some jurisdictions will begin requiring this, in the sense that if someone is using a system that does not support easily bypassing security that will be enough for 'probable grounds'.

Simple Protection

[Jonah Hex]

Disable Autorun, that way the automated tool can't start. ;)

And if the USB software interacts with the computer while the OS is running, how can that be considered untainted evidence? AFAIK computer forensics rely on having snapshots of the machine with no possible interference from the OS and running programs.

Jonah HEX

Re:

[Applekid]

AFAIK computer forensics rely on having snapshots of the machine with no possible interference from the OS and running programs.

This is a war on terror / pedophiles / drugs / little chocolate donuts! How dare you use semantics to cloud our investigations to protect the people / children / teens / diabetics.

Re:

[CSMatt]

If there was a War on Little Chocolate Donuts, the police would strike.

Not new

[The MAZZTer]

Anyone can boot from a Knoppix live CD and mount NTFS drives in Linux and poke around. NTFS security is not applied under Linux so you can have a look at anything you want. I don't see how this is a big deal.

The only thing that might be a problem is browsing the registry, but I wonder if wine's regedit can load native Windows registry hives. If so, then all Microsoft has done is taken existing Linux functionality and made it user friendly for the police.

Speaking of which, anyone wanna place bets as to how long it takes for this tool to spread across p2p and torrent sites?

Re:

[tlhIngan]

Anyone can boot from a Knoppix live CD and mount NTFS drives in Linux and poke around. NTFS security is not applied under Linux so you can have a look at anything you want. I don't see how this is a big deal.

The only thing that might be a problem is browsing the registry, but I wonder if wine's regedit can load native Windows registry hives. If so, then all Microsoft has done is taken existing Linux functionality and made it user friendly for the police.

Speaking of which, anyone wanna place bets as to how l

Offline NT password and registry editor?

[guruevi]

I've had the following tool in my collection for a long time: http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html [eunet.no]

It's quite easy, boot up the computer from that disk and you can reset the passwords in a few minutes. Linux-based too for that matter.

FTFA:
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well

Re:

[SatanicPuppy]

Windows doesn't HAVE an encrypted file system...This is talking about breaking the encryption on Windows passwords which is a lot easier.

TFA very light on details

[Toreo asesino]

locally stored passwords for websites have been crackable for a while now, and in Windows Server has been disabled by default for this reason.

User login passwords for Windows itself is something else and you can't "just decrypt" them.

Apart from that, it just sounds like MS have provided a bunch of analysis tools.

Is this really news or am I missing something here?

Customs

[Hemogoblin]

Unless there's a huge public backlash before then, I predict that Customs will roll these out to every major airport within the year.

Re:Customs

[Ioldanach]

Unless there's a huge public backlash before then, I predict that Customs will roll these out to every major airport within the year.

I hope so, because then the first slashdotter that has to go through customs can have his laptop automatically dd the entire contents of whatever usb drive gets attached to it, before they even realize it can't figure out what his laptop is running.

Well, why am I not surprised?

[flajann]

Well, golly. This of course means there is *no* security on Windows computers. It's only a matter of time that this backdoor is cracked and becomes generally available to everyone.

The only thing I use Windows for is to run TurboTax and games. And I'm wondering about the TurboTax even.

But all hope is not lost -- running Windows on a hypervisor would be a bit more secure -- at least you can restart with the same snapshot, eliminating any attempts to embed a rootkit or snooping ware.

But really, with Lin

Scary - and unbelievable

[wvmarle]

This sounds too scary to be true - and if true, it won't be long for this to be reverse-engineered.

Bypassing passwords/security: that sounds like a built-in back door. Not a security flaw: "this bug is a feature". And those back doors if confirmed to exist will be found soon.

The most unbelievable part is "decrypting passwords". Since when is the actual password stored, instead of a cryptographic hash of it? If decryption were possible, they are using a two-way encryption and a secret key is somewhere hidd

Re:

[jimicus]

What OS you run won't make the remotest bit of difference.

It really wouldn't be hard to cook up a Linux-based thumbdrive which automatically mounts more or less any filesystem in common use today, runs a combination of find and grep to weed out potentially interesting files, copy them onto an area of the thumbdrive and shut the system down when done.

It probably wouldn't generate anything which would stand up to forensic questions in court, but it would give you a pretty good idea as to whether or not it's w

TrueCrypt !

[unrealmp3]

For local data privacy, I would use TrueCrypt, not Windows EFS. Use Full Disk Encryption on TrueCrypt, and their COFEE thumbdrive won't be of any help.

Maybe this "security device" is simply...

[dyfet]

...a USB drive that boots something like Knoppix with NTFS file system support! ;)....

People have been using that to recover data from broken and otherwise defective Microsoft Windows boxes for a long time now...

MS is giving out for free

[Intron]

Naturally they don't want police to have to carry around Knoppix CDs.

FUD

[idlemind]

Since when has physical access to a machine ever been safe for any operating system? Also, it's not like Microsoft programmed in back doors for law enforcement; they are just bundling their version of script kiddie hacks.

Viruses?

[Maximum Prophet]

So as soon as a law enforcement type plugs this into the Bad Guy's computer, a virus is installed on the thumb drive and gets installed on every other machine that the drive is plugged into. (Like Mr. Law Enforcement's own desktop!!!)

Great Idea(tm) (:-)

Imagine the TSA was using these. Every businessman's computer would be owned. If the virus also disabled the detection systems, our Bad Guy could also attack other bad guy's systems. He'd rule the world... Bwa Ha Ha Ha....

There is no security without physical security

[Eskarel]

Who really cares? With the exception of file or whole drive encryption, which this device isn't going to help with anyway, if someone has physical access to your box for any length of time, they have access to your machine, doesn't matter what OS you're running, or how complex your password is, phyiscal access to your box will give them any unencrypted data eventually.

With the right tools you can read files regardless of permissions, change passwords, add users, etc, almost anything. Building a linux live c

It's OK, theyre doing it to keep the internet safe

[LighterShadeOfBlack]

Best quote from Brad Smith (of Microsoft):

"We're doing this to help ensure that the Internet stays safe."

That's a relief.

Seriously though, I'm curious to know more about what exactly this does. At first I assumed this was typical /. FUD and was essentially just a bootable USB drive to dodge Windows user permissions etc. but from reading the article it does actually sound like it's taking advantage of real security flaws in a running instance of the OS.

Just one question...

[Phroggy]

Anybody have a torrent of the files on this thumb drive? Might be fun to play with! ;-)

Re:

[mozkill]

yeah, if it actually exists, why not share it with everyone? if you did that, then maybe someone would patch it right? lol. if nobody steps forward with a thumbdrive, ill assume this article is fake propaganda.

interesting.

[apodyopsis]

hmm.

I have a compact distro on a thumb drive that I can boot on, mount ntfs vfat and rifle through a computer should I wish - but this sounds like its more comprehensive then that. And if it is designed for widespread cop usage then it must be extremely user friendly as well. And TFA implies you do not even need to power down the PC.

So.. I would a guess an auto run application that is designed from the bottom up the bypass security, promote to admin rights, scan for files matching keywords, copy log f

It basically bypasses all of the Windows security

[Cro Magnon]

And was one of the easiest things that Microsoft has ever done.

So who needs Microsoft's device?

[Orion Blastar]

Here are the top four password recovery tools for Windows [about.com] according to about.com's article.

Nothing to Hide...

[SilentBob0727]

In unrelated news, it is now a felony not to run Windows on your machine, and Linus Torvalds has gone into hiding.

Could set crooks free easier too

[JustASlashDotGuy]

FTA:

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

The second you plug one of these into the suspect's machine while it's running, you just set the criminal free. Reason being, you potentially just altered the original source of data and could have injected you own "evidence". Any lawyer would get you off in a heart beat.

You'd always have to shut it down, image the drive, and then run your test against the image. If you ever so much as boot the image and use the device at that point, you've still just changed a shit load of files during the boot up process and a lawyer may still be able to get you off.

This device is only helpful if it contains a standalone script that can be pointed to a set of files on a write-blocked drive. Blindly letting it have full read/write access to any drive would be instant not-guilty result.

Unless this device gets some hefty certs, I'd be surprised if any law enforcement agency that reports to the public courts would ever use this device as reported.

Am I trolling again?

[sm62704]

When I said you should have your computer dual boot, with networking disabled on the windows side (which is how my PC was set up before the power supply burned out last week) so you wouldn't get viruses, spyware, and other nasties on your PC I was modded "troll".

Now the summary says "Just one more reason not to run Windows on your computer."

I guess the submitter was trolling? But at any rate, it seems to me that since Windows can't read hda, as long as you keep your terrorism plans, drug dealers' phone book

This has already been done

[Shadow-isoHunt]

This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.

http://tourian.jchost.net/shadow/liveusb/boot.png [jchost.net]
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png [jchost.net]
http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png [jchost.net]

http://citp.princeton.edu/memory/ [princeton.edu]
http://mcgrewsecurity.com/projects/msramdmp/ [mcgrewsecurity.com] (The MS isn't for microsoft)

Re:

[palewook]

More Info: http://www.news.com/8301-10784_3-9930664-7.html [news.com] And PDF's with details from 2 conferences: http://www.techsec.com/pdf/Tuesday/On%20Demand%20Mike%20Duren.pdf [techsec.com] http://www.marcomattiucci.it/ieong.pdf [marcomattiucci.it]

Nothing really new..

[greywire]

Not sure what the big deal is.

If you are a computer forensic investigator you already have many available tools (EnCase, etc) to do the same thing, not to mention the obvious linux based free tools (Helix, etc) that let you pound away on a computer (or captured image) and get whatever you want off it.

Keeping your computer completely secure is about as practical as copyright owners keeping their data totally protected. Its always an escalating two way battle and the winner is just the one who's willing to go the farthest with it, but nothing is 100% safe.

Privacy and DRM are both doomed for the same reasons.

Get over it.

Re:If It's Possible...

[vux984]

So, the sheer fact that there is a device that can do this also means that anybody can do this because the methods are in place for bypassing security. It's only a matter of time before someone spends enough energy to develop a device that can do this (outside of Microsoft).

No. The ONLY question that is of any interest is whether or not this device actually has a back door to Windows encryption. Somehow I seriously doubt that it does. Its probably little more than a bootable drive with NTFS support, and some tools. If you've got a password on your login, it doesn't mean you are using encryption. And this tool probably just lets you get straight to searching the -unencrypted- disk without cracking the login, or without pulling the drive and installing it somewhere else to scan through.

The implications of a device like this are scary to say the least. Although I'm not a Microsoft hater, this alone is more than enough to make me take a second look at options other than Microsoft Windows.

I suspect your average Linux LiveCD Recovery Disk has all the same tools on it. MS is just getting on board with their own version, to remove another area, where, right now, you have to use Linux. If that's the case the implications aren't scary at all.

And this whole are article is pure FUD.

Unless they've provided a back door to the encryption. That is the -only- question. But I really doubt they have.

Re:

[MMC Monster]

This is already built into Ubuntu: http://xkcd.com/416/ [xkcd.com]

Re:If It's Possible...

[SatanicPuppy]

Yea, look at linux...No way would it be possible to reset the root password [linuxgazette.net] if you had physical access to the machine.

I can't believe all the people who are freaking out about this. This isn't a remote exploit. This isn't a massive security hole. This is trivial stuff that anyone who is reasonably computer savvy should be able to do.

Re:

[Maximum Prophet]

Won't work in the USA. If you are using a non-Windows machine, they'll just assume that you *are* a terrorist.

Re:

[99BottlesOfBeerInMyF]

He said that if one is going to use one's computer as an aid to their criminal career, use a Mac. The RCMP and all the rest were completely ignorant when it came to the Mac OS as well as everything else not Windows.

This is interesting. An FBI guy told me they shipped all the Macs they seized to the RCMP, who had staff experienced in analyzing them, whereas the FBI did not.

Re:

[SatanicPuppy]

Truly, a non-working computer is the ultimate in protection.

Re:

[mozkill]

huh? just so you know, you can boot up and get access to all the files in a linux distro just as easily as this article says you can on Microsoft distros.

Re:

[anss123]

Tools like this have existed for a long time. The fact of the matter is that unless you encrypt your hard drive and store the encryption keys somewhere NOT on your hard drive your files can be read. Ubuntu is no better than Windows here and consoles are worse (if it's privacy your after).

Some COFEE info from an Australian L.E. Conference

[d3ac0n]

Google .DOC-to-HTML link [209.85.165.104]

Here is the original link if anyone wants it: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc [ecu.edu.au]

If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

Computer Online Forensic Evidence Extractor (COFEE)

In year 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006) COFEE uses batch script to manage a list of existing incident response tools and IT security tools volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts, programs were stored on USB storage device before data acquisition.

Instead of requesting users to key in the output directory, COFEE automatically redirect the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, Operating System dependent program will be automatically selected after the version detection. Investigator only needs to insert the USB storage devices to the target machine and click one to two buttons in order to start the data acquisition process.

Another difference between COFEE with other live forensics toolkits is separation of the data acquisition procedures with the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on target machine may also alter the memory content in the target machine. As report generation does not necessarily be executed on target machine, therefore, only data acquisition programs, in COFEE, would be executed on target machines. All program selection, data examination and analysis processes would be performed on investigator machine.

Besides, more forensics programs are supported by COFEE such as screen capture and password capture tools.

Interestingly, this article if from 2006. So COFEE has been around for 2 years already. Fascinating that we are just hearing about it now.