Intelligence experts cracked Ian Watkins' password

posted on Dec, 20 2013 @ 06:07 PM
link   

PhoenixOD

CallYourBluff
The truth of the matter is, you don't need to brute force any password. The information can be taken physically from a hard drive. There are many ways to bypass the entire encryption process. It's not as if a hard drive has a dynamic encryption.


You cannot lift data physically from a BitLocker encrypted drive, that's the whole point of the system



BitLocker ensures that every sector is encrypted with a slightly different key


Which could be called dynamically encrypted.

books.google.co.uk... NzJDCDnQ8&hl=en&sa=X&ei=uta0UvTkMsWw7AbejYGQDA&ved=0CEAQ6AEwAg#v=onepage&q=bit%20locker%20encrypts%20every%20sector&f=false


edit on 20-12-2013 by PhoenixOD because: (no reason given)

As I said, you do not have to go directly for a brute force hack. ElcomSoft have software that uses a workaround. The only way to keep the encryption foolproof would be to destroy the computer it was originally created with. Clearly Watkins was not using this kind of encryption.



posted on Dec, 20 2013 @ 06:24 PM
link   
reply to post by CallYourBluff
 


That is the method I mentioned right in the very first post on the thread, in case you had not noticed. It can only be implemented in certain circumstances.



If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.

If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. the PC is unlocked and logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition. Good description of this technology (and complete list of free and commercial memory acquisition tools) is available at www.forensicswiki.org...:Memory_Imaging.

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: www.breaknenter.org...), and offers near 100% results due to the implementation of FireWire protocol that enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.


www.elcomsoft.co.uk...

None of these methods bypass the encryption as you claim but look for pass keys. If there is no memory dump, or the computer is not in an unlocked state or has no IEEE 1394, it won't work.
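Added example, not part of the thread or of any poster's words: a PowerShell audit of the three conditions the quoted Elcomsoft text depends on (hibernation enabled, a FireWire controller present, an encrypted volume currently unlocked). The function name `Get-MemoryKeyExposure` is hypothetical, and the script assumes an elevated prompt on Windows 8 / Server 2012 or later with the BitLocker cmdlets installed.

```powershell
# Added example: reports which preconditions for memory-based key recovery
# are present on this machine. Read-only; it changes no settings.
function Get-MemoryKeyExposure {
    # 1. Hibernation: a hibernation file written while a volume is mounted
    #    can contain that volume's keys.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -Name HibernateEnabled -ErrorAction SilentlyContinue
    $hibernation = [bool]($power.HibernateEnabled -eq 1)

    # 2. FireWire (IEEE 1394): the DMA route needs a 1394 controller on the target.
    $fireWire = @(Get-CimInstance -ClassName Win32_1394Controller `
                                  -ErrorAction SilentlyContinue)

    # 3. Unlocked encrypted volumes: keys are in RAM only while a volume is mounted.
    $unlocked = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.LockStatus -eq 'Unlocked' -and
                       $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object MountPoint)

    [pscustomobject]@{
        HibernationEnabled  = $hibernation
        FireWireControllers = $fireWire.Count
        UnlockedVolumes     = $unlocked -join ', '
        # Exposed if keys are resident and at least one acquisition route exists.
        KeysReachable       = ($unlocked.Count -gt 0) -and
                              ($hibernation -or $fireWire.Count -gt 0)
    }
}

Get-MemoryKeyExposure | Format-List

# Remediation for finding 1, for reference (elevated prompt):
#   powercfg /hibernate off
```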



posted on Dec, 20 2013 @ 06:59 PM
link   
Well clearly Watkins was not using this level of encryption. Taking data off a hard drive without the original key shouldn't be too difficult given the right tools. There will be observable differentiation between recorded data and newly encrypted data. That's how I would attack the problem. I don't think we are dealing with that type of case here, but also I don't believe any encrypted data is truly safe. Like I said earlier, without dynamic encryption any hard drive is vulnerable.
edit on 20-12-2013 by CallYourBluff because: (no reason given)




posted on Dec, 20 2013 @ 07:24 PM
link   
He has started his sentence and time is being served at Her Majesty's Prison Wakefield. Also called "monster mansion" because of the high profile / risk sexual criminals it houses. So, unfortunately, he will be amongst his own kind.



posted on Dec, 20 2013 @ 07:40 PM
link   
reply to post by CallYourBluff
 




Well clearly Watkins was not using this level of encryption.


It's not clear at all, that's the whole point of the thread. At this point in time we don't know what kind of encryption he used other than it was hard drive encryption and file encryption. We want to know what kind of hard drive encryption it was, but TrueCrypt and BitLocker are the most common. We also don't know what method was used to crack the passwords for both.

I could guess that the hibernation file method might be the way to go if it was a laptop, as many Windows laptops have hibernation set to enabled as default. But if this was the case then it wouldn't have taken an expert from GCHQ to do the job, as anyone with a small amount of computer knowledge could have done it.



posted on Dec, 20 2013 @ 08:28 PM
link   

PhoenixOD
reply to post by CallYourBluff
 




Well clearly Watkins was not using this level of encryption.


It's not clear at all, that's the whole point of the thread. At this point in time we don't know what kind of encryption he used other than it was hard drive encryption and file encryption. We want to know what kind of hard drive encryption it was, but TrueCrypt and BitLocker are the most common. We also don't know what method was used to crack the passwords for both.

I could guess that the hibernation file method might be the way to go if it was a laptop, as many Windows laptops have hibernation set to enabled as default. But if this was the case then it wouldn't have taken an expert from GCHQ to do the job, as anyone with a small amount of computer knowledge could have done it.




I agree completely but the fact that his password (what I posted earlier), suggests he wasn't that clued up on data encryption. As I understand it they found a separate hard drive with the incriminating data. Even so, exchanging that kind of filth doesn't go unseen. There is no longer a need for physical evidence on whatever storage media to convict these people. Your ISP has everything you download or upload recorded for 18 months. They say his arrest was due to a drug bust, I say they knew exactly what they were looking for.



posted on Dec, 20 2013 @ 08:36 PM
link   

C21H30O2I
He has started his sentence and time is being served at Her Majesty's Prison Wakefield. Also called "monster mansion" because of the high profile / risk sexual criminals it houses. So, unfortunately, he will be amongst his own kind.

I was actually suspecting Broadmoor. The sad thing is that this is clearly not a useless person. Quite an intelligent and capable human with a truly sick aspect to his personality. I think people like this could be helped with the right treatment.
edit on 20-12-2013 by CallYourBluff because: (no reason given)



