Tuesday, April 29, 2008

Who needs System Volume encryption when you can't use your BIOS?

In preperation for a talk I'm giving at UUASC - LA Chapter on File System Forensics (May 1), I was getting a little too creative with Bit Locker on my Windows Vista Ultimate laptop. I ususally demo installing and configuring bitlocker, suspending the laptop mid-encryption, then show how if somebody wanted to acquire a forensic image of the bitlocker protected drive-you could tell what was encrypted so far. Somehow, either by past demos or some other glitch--I rendered the laptop useless. Not just encrypted--but I could no longer access by BIOS configuration even when after the POST it would register a keypress to enter the BIOS config. After diving deep into the hardware, I was able to find the capacitor I suspected was used as a battery for the CMOS/BIOS config and was able to ground it to discharge--now I had my BIOS back because this disabled the TPM chip.

Fortunately, the encryption stage of the configuration never got deep enough to my important data (you know, the stuff I neglected to back up this month) so I was able to pull it off with a backtrack bootable USB I keep with me.

So I'm still glad I use encryption when traveling--I had my drive encrypted because of the extra "attention" the course materials would attract while crossing borders (I was in Kelowna, BC, Canada teach SANS Security Essentials last week). So I'll have to work out this glitch. funny thing is while I was restoring (might as well take advantage of a fresh machine) I realized Lenovo gave me Vista Business disks--so while I wait for them to ship the new ones I'll play with truecrypt to protect my data.

So fortunately, I wasn't planning on demoing bit locker at Thursday's UUASC meeting, but rebuilding a laptop was a huge pain since I'm trying to finish a penetration test and prepare for a super busy May.

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home