Security Laboratory


Real World Pitfalls of Full Disk Encryption


Keith Loyd and Stephen Northcutt
Summary: In The Pitfalls of Full Disk Encryption by Peter Giannoulis[1], we point out that Full Disk Encryption (FDE) offerings give CxOs a warm and fuzzy feeling after the data loss headlines of the last few years, but FDE solutions may introduce their own set of issues. Because of the recent massive data losses, organizations are racing to deploy solutions; in fact, the US Government is searching for a government-wide FDE product.[2] While FDE does provide strong protection for data on lost or misplaced laptops, that protection comes with potential downsides, including per-seat cost and a performance impact[3], that organizations should be aware of, and they should adapt their processes and procedures to accommodate FDE.

Automated Patch Process

FDE means every byte on the disk, including the operating system, is encrypted. So what happens when you need to patch? Every month organizations evaluate the fallout from Microsoft's Patch (or "Black") Tuesday. While many organizations have a mature patching process, having dealt with major virus and worm outbreaks over the past several years, most FDE offerings create a new obstacle to contend with: their pre-boot authentication. Pre-boot authentication protects lost or stolen computers from unauthorized access, but it puts a kink in the reboot that most automated patch deployment systems require. Organizations can still push the monthly patch bundle, but now a user must enter the pre-boot authentication credentials before the FDE program will load the operating system. Depending on the asset being protected by the FDE product, this can cause some operational heartburn. Another potential problem is forensics: most large organizations have the capability to perform forensics using staff members of the security department, but how do you perform forensics on an encrypted drive?

Forensics Hurdles on Full Disk Encryption (FDE) Systems


Covert Hard Drive Forensics Acquisitions - Organizations need to plan, test, and practice for forensic investigations involving FDE systems. Individuals entrusted to conduct investigations inside their organizations need to know how to forensically duplicate a hard drive and replace an FDE disk so that the system still functions after a late-night tag-and-bag investigation; if they have done their job well, the people using the system will not notice the change. Rarely will an investigator have an exact one-for-one replacement for the evidence disk being acquired, so the FDE software must be flexible enough for an investigator to copy an evidence hard drive to a dissimilar drive. Drives from two different manufacturers may not have the same number of sectors for similarly marketed drive capacities; this should not be a problem for the FDE solution, and if it is, choose another product.


Overt Hard Drive Forensics Acquisitions - More and more large organizations are performing internal forensic investigations. Deploying FDE across the organization's computer systems can frustrate the investigation process if no consideration has been given to investigations where secrecy is not required. The same protection that prevents an identity thief from stealing data will prevent an internal investigator from performing their duties if the organization has failed to develop a process for recovering encrypted disks and volumes.

The process of acquiring a digital forensic image while maintaining evidence integrity in a FDE environment

Whether you need to acquire the evidence drive in a cloak-and-dagger situation or routinely in the lab, the process for maintaining the integrity of the evidence drive is the same for most investigations. FDE does require investigators to perform an extra step before a true forensic investigation of the hard drive can begin: forensically examining an encrypted disk is rather futile, which is why it must first be decrypted.

Forensic investigations involving FDE will almost always deal with data at rest, so it is important to prevent modification of the evidence hard drive whenever possible. Obviously, some modification to the evidence must occur or there will be no investigation. The process for decrypting the evidence will vary by FDE product. The following is one process that has been tested and is reasonably reproducible if and when needed.

  • Use a mechanical drive duplicator, such as an Image Masster Solo, to duplicate the evidence drive.
  • Using the forensically duplicated drive, mount the encrypted drive with the FDE product's recovery/decryption application, making sure you do not boot the operating system on the duplicate evidence drive.
  • Remember your New Year's resolution to be more patient. The decryption process can take anywhere from many hours to several days, depending on the hard drive's capacity and health.
  • Once the hard drive has been fully decrypted, resume your normal forensic investigation process. Whether you use open source software or a commercial offering, the investigation is just like any other from this point.
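As an added example (not from the original article), the following Python script checks a mechanically duplicated drive image against the evidence image before the recovery application in the second step touches it, and covers the dissimilar-capacity case raised under covert acquisitions above: it hashes only the evidence-sized prefix and reports any surplus sectors on a larger duplicate rather than failing on them. The sector size, file paths and sample drive contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed logical sector size of both drives

def sha256_prefix(path, length, chunk=1 << 20):
    """SHA-256 over the first `length` bytes of a raw image, read in chunks."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0:
            data = f.read(min(chunk, remaining))
            if not data:
                raise IOError("image shorter than expected: %s" % path)
            h.update(data)
            remaining -= len(data)
    return h.hexdigest()

def verify_duplicate(evidence_path, duplicate_path, sector=SECTOR):
    """Check a duplicate against the evidence image before anything decrypts it.
    The duplicate may be a larger drive from another manufacturer, so only the
    evidence-sized prefix is compared; surplus sectors are reported, not an
    error. A duplicate with fewer sectors than the evidence is a failed copy."""
    ev_size = os.path.getsize(evidence_path)
    dup_size = os.path.getsize(duplicate_path)
    result = {"ok": False, "evidence_sectors": ev_size // sector,
              "surplus_sectors": (dup_size - ev_size) // sector}
    if dup_size < ev_size:
        return result  # short copy: nothing to hash, acquisition must be redone
    result["evidence_sha256"] = sha256_prefix(evidence_path, ev_size)
    result["duplicate_prefix_sha256"] = sha256_prefix(duplicate_path, ev_size)
    result["ok"] = result["evidence_sha256"] == result["duplicate_prefix_sha256"]
    return result

def demo():
    """Constructed sample: a 64-sector evidence drive copied to a 70-sector
    drive, plus a second copy with one flipped byte. Returns both verdicts."""
    evidence = bytes(range(256)) * (64 * SECTOR // 256)
    good = evidence + b"\x00" * (6 * SECTOR)
    bad = bytearray(good)
    bad[1000] ^= 0xFF
    tmp = tempfile.mkdtemp()
    paths = {}
    for name, blob in (("evidence", evidence), ("good", good), ("bad", bytes(bad))):
        paths[name] = os.path.join(tmp, name + ".dd")
        with open(paths[name], "wb") as f:
            f.write(blob)
    return (verify_duplicate(paths["evidence"], paths["good"]),
            verify_duplicate(paths["evidence"], paths["bad"]))
```

Record the evidence hash from the first verdict in the case notes before starting the decryption, since the decrypted duplicate will never hash to that value again.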

Summary

Organizations need to standardize on a FDE solution. Standardization simplifies the creation of policies, procedures, and processes needed to maintain utility of the data the FDE solution is charged with protecting. Encryption key archival is paramount to any FDE deployment, which is much easier to maintain with an organization wide standard.

FDE deployments challenge the notion that the Confidentiality, Integrity, and Availability (CIA) triad covers everything an information security program needs to protect. With FDE, an organization needs to be able to recover the contents of an FDE disk in cases where the encryption key is lost, where the pre-boot authentication credentials are no longer available from the end user, etc. If the FDE encryption key is lost, the organization has not lost the confidentiality, availability, or integrity of the encrypted disk; it would be hard to argue that CIA has been lost at all. However, the usability of the information has been lost. Utility is one piece of the Parkerian hexad[4], which more accurately describes today's threats to information security.

Request for real world experiences

If you have experiences, either positive or negative, with Full Disk Encryption deployment, whether related to forensics or not, we would love to hear from you. Drop us a note at stephen@sans.edu.

1. http://www.sans.edu/resources/leadershiplab/pitfalls.php
2. http://government.zdnet.com/?p=2807
3. http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250
4. http://www.answers.com/topic/parkerian-hexad-1