Drive/File/Security
General question: if BitLocker is "secure", then how come I see products for legal and law agencies that can bypass the encryption?
What's the point of securing your data if tools can just open it up? Doesn't that mean personal security is moot?
:P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
September 30th, 2011 12:34pm
BitLocker, like most encryption solutions, is one layer of a comprehensive security strategy. But, disregarding all of the conspiracy theories, law enforcement agencies do not have secret backdoors to bypass encryption (this statement is incredibly general in nature, quite dependent on your country of origin, software, etc.). In fact, if you keep your eyes on the news, you'll see the occasional criminal case that outlines typical U.S. law enforcement techniques to "bypass encryption": break into your home or office, plant a keystroke logger, get out, and then wait. A few days later, law enforcement has officially "bypassed the encryption". See:
http://news.cnet.com/8301-10784_3-9741357-7.html
Of course, the level of effort that one puts into a security strategy should be based on the sensitivity of the data. Multi-factor authentication is typically enough to thwart the basic law enforcement strategy outlined above. For highly sensitive data, I generally recommend a standalone encryption method that requires a password (something you know) and a second factor (something you have - maybe a set of files on a USB keychain drive or a token). Even with this strategy, you have to be careful with hidden cameras, hidden sound recording equipment, and other methods to obtain the second factor. If this were the movies, you could perform a security sweep of the premises when you wake up each morning.
Brian
September 30th, 2011 6:54pm
Yes, Brian, your statements are true. I was just tossing it out there. I am aware of at least one product that will, by default out of the box, allow their software to access BitLocker encrypted drives. They are an MS partner, and used for making "legal discovery".
One big thing that irks me a little is that security can seem to be a flavor, or a compromise. A good example is a home environment: you want a secure setup, you patch your stuff regularly, back up and encrypt your data, you get a decent home FW/router. You think life is good for the most part.
But in a corporate environment, you see the direct opposite of that case. Sure, the company wants to be secure as a whole overall, but it has access and control over all PCs in its purview.
Now you look at Windows 7, which has been rock solid in my use, and I like it. But here on my laptop sits an operating system that has all the hooks, holes, connectors, etc. that allow many tools to take over/manage/obtain information/gain access to files on it.
My 2 cents is that I would like to see a true personal OS and corporate OS difference.
And it would be nice to have the ability to encrypt my files and not have off-the-shelf products able to just crack them open. I don't mind passwords and encryption strings a mile long, but what's the point if there are backdoors for vendors to use to get your data?
October 2nd, 2011 11:37am
On Sun, 2 Oct 2011 15:36:29 +0000, Jason Hiegel wrote:
And it would be nice to have the ability to encrypt my files and not have off-the-shelf products able to just crack them open. I don't mind passwords and encryption strings a mile long, but what's the point if there are backdoors for vendors to use to get your data?
There are no backdoors built into either Bitlocker or EFS:
http://news.softpedia.com/news/Windows-7-BitLocker-Crack-Claims-Addressed-by-Microsoft-129445.shtml
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Analog: Hors d'oeuvre, usually made from cheese and covered with crushed
nuts. Served at all staff parties.
October 3rd, 2011 4:39am
EnCase® Decryption Suite
Tools suitable for decryption of disks, volumes, files, and folders. Capable of decrypting: Microsoft BitLocker, GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption, Utimaco SafeGuard Easy, McAfee SafeBoot, WinMagic SecureDoc Full Disk Encryption, PGP Whole Disk Encryption, Microsoft Encrypting File System (EFS), CREDANT Mobile Guardian, PST (Microsoft Outlook), S/MIME encrypted email in PST files, NSF (Lotus Notes), Protected storage (ntuser.dat), Security Hive, Active Directory 2003 (ntds.dit), and others.
http://www.guidancesoftware.com/forensic.htm#tab=2
I've seen this stuff run, pretty scary stuff. It was run on a machine on a part of a network (not part of the domain, no AD account) that accessed a BitLocker encrypted drive.
October 3rd, 2011 10:34am
On Mon, 3 Oct 2011 14:33:17 +0000, Jason Hiegel wrote:
I've seen this stuff run, pretty scary stuff. It was run on a machine on a part of a network (not part of the domain, no AD account) that accessed a BitLocker encrypted drive.
If Bitlocker was properly configured with a TPM and a PIN then there's no
way this software would have been able to crack the encryption.
Any software vendor that claims they have a product that can crack 256 bit
AES encryption in any reasonable time frame is simply lying. If Bitlocker
was not properly configured then all they've done is to hack the underlying
protection mechanism which any competent hacker can do given physical
access to the computer and enough time to do so.
You may recall the stories going around about the "shoe bomber's" computer
being protected by EFS and that the government got some kind of backdoor
access from Microsoft. That was a load of crap. By default, the private key
for EFS is simply stored in the user's profile and is protected by the Data
Protection API (DPAPI). If your password can be cracked then your EFS
encrypted files can be accessed. Had he used a stronger password or better
yet, stored his EFS certificate on a smartcard, no one would have been able
to decrypt his files.
The bottom line is that there is no backdoor built into any encryption
mechanism provided by Microsoft.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Hackers have kernel knowledge.
October 3rd, 2011 10:48am
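The reply above hinges on one configuration detail: whether the volume is protected by a TPM plus a PIN, or by the TPM alone. The following PowerShell script is an added example, not code from any poster in this thread; it audits a volume's BitLocker key protectors and encryption method through the Win32_EncryptableVolume WMI provider (the route that works on Windows 7, where the newer Get-BitLockerVolume cmdlet is not available). It assumes Windows 7 Enterprise/Ultimate or later with BitLocker present and an elevated prompt; the protector and method code tables are the provider's documented values.

```powershell
# Added example (not from any poster in this thread): audit the BitLocker key
# protector configuration of a volume, to check the "TPM and a PIN" condition
# described in the reply above. Assumes Windows 7 Enterprise/Ultimate or later
# with the BitLocker WMI provider (Win32_EncryptableVolume), run elevated.

# KeyProtectorType codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorNames = @{
    0 = 'Unknown'
    1 = 'TPM only'
    2 = 'External key (startup/recovery key file)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key (certificate)'
    8 = 'Passphrase'
}

# EncryptionMethod codes returned by Win32_EncryptableVolume.GetEncryptionMethod
$MethodNames = @{
    0 = 'Not encrypted'
    1 = 'AES-128 with diffuser'
    2 = 'AES-256 with diffuser'
    3 = 'AES-128'
    4 = 'AES-256'
}

function Get-BitLockerAudit {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. 'C:'

    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    $method = [int]$vol.GetEncryptionMethod().EncryptionMethod

    # GetKeyProtectors(0) lists protectors of every type; look up each one's type
    $types = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        if ($id) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    }

    $hasPin      = ($types -contains 4) -or ($types -contains 6)
    $hasRecovery = ($types -contains 3)
    $aes256      = ($method -eq 2) -or ($method -eq 4)

    # Findings are the gaps between this volume and the TPM+PIN / AES-256 baseline
    $findings = @()
    if ($status -ne 1) {
        $findings += 'Protection is not ON; the volume key is not being enforced'
    }
    if (-not $hasPin) {
        $findings += 'No TPM+PIN protector; the TPM alone unseals the volume key at boot, so the data is only as protected as the Windows logon'
    }
    if (-not $aes256) {
        $findings += "Encryption method is '$($MethodNames[$method])', not AES-256"
    }
    if (-not $hasRecovery) {
        $findings += 'No recovery password protector; a TPM or PIN failure would lock you out of your own data'
    }

    $names = @($types | ForEach-Object {
        if ($ProtectorNames.ContainsKey($_)) { $ProtectorNames[$_] } else { "Type $_" }
    })

    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ProtectionOn     = ($status -eq 1)
        EncryptionMethod = $MethodNames[$method]
        Protectors       = $names
        TpmAndPin        = $hasPin
        RecoveryPassword = $hasRecovery
        Aes256           = $aes256
        Findings         = $findings
    }
}

# Usage: audit the system drive and print the result
$audit = Get-BitLockerAudit
$audit | Format-List
if ($audit.Findings.Count -eq 0) { 'Configuration matches the TPM+PIN, AES-256 baseline' }
```

The script reports rather than changes anything; the Findings list is what a reviewer would hand back when asked whether a drive was "properly configured" in the sense of the reply above. A TPM-only protector is the case to look for first, since it is the one that releases the volume key without any user secret at boot.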
Well, that's a good thing to know. I was just curious after a lively talk with the security guy. The EnCase folks were talking up a storm about it, and I was just seeking the nuggets of truth from the many talented folks on the forums.
I never read that about the shoe bomber, but I will have to find that to read.
I do a ton of cryptography reading, practice and theorems. I also have had to stave off the aftermath of hacks and virus/malware exploits on machines at different places over the years and people's home PCs.
Paul, one thing I have not seen a good guide on is how to take a Windows 7 machine and lock that sucker so tight that God himself would have to wait 14 billion years to crack it open. Do you have any hardening practice docs you are familiar with?
(Of course, disconnecting the ethernet cable is a good start :) )
October 3rd, 2011 11:30am