Using Windows 8′s “hidden” backup to clone and recover your whole PC | Ars Technica

Looking for missing Backup functionality in Windows 8? Everything is still there plus a much improved File History. If you want to create an image of your hard disk, look for Windows 7 File Recovery (strange? I missed that too the first time…). For the details: Using Windows 8′s “hidden” backup to clone and recover your whole PC | Ars Technica.

Tip: If you want to enter Advanced Startup Options during boot, just hold Shift while booting…

Advertisements

A €299 forensic tool decrypts BitLocker, PGP and TrueCrypt disks

The Russian Elcomsoft sells Elcomsoft Forensic Disk Decryptor for €299. Of course the tricky part is how to decrypt the contents. Below you can read what they say about finding the encryption keys. I copy from their website:

Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP and TrueCrypt. Elcomsoft Forensic Disk Decryptor allows decrypting data from encrypted containers or mounting encrypted volumes, providing full forensic access to protected information stored in the three most popular types of crypto containers. Access to encrypted information is provided in real-time.

Features and Benefits

  • Decrypts information stored in three most popular crypto containers
  • Mounts encrypted BitLocker, PGP and TrueCrypt volumes
  • Supports removable media encrypted with BitLocker To Go
  • Supports both encrypted containers and full disk encryption
  • Acquires protection keys from RAM dumps, hibernation files
  • Extracts all the keys from a memory dump at once if there is more than one crypto container in the system
  • Fast acquisition (limited only by disk read speeds)
  • Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents
  • Recovers and stores original encryption keys
  • Supports all 32-bit and 64-bit versions of Windows

efdd s This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real time

Three Ways to Acquire Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

  • By analyzing the hibernation file (if the PC being analyzed is turned off);
  • By analyzing a memory dump file *
  • By performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted).

* A memory dump of a running PC can be acquired with one of the readily available forensic tools such as MoonSols Windows Memory Toolkit
** A free tool launched on investigator’s PC is required to perform the FireWire attack (e.g. Inception)

Acquiring Encryption Keys

Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.

If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.

If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. the PC is unlocked and logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition. Good description of this technology (and complete list of free and commercial memory acquisition tools) is available athttp://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/), and offers near 100% results due to the implementation of FireWire protocol that enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.

Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.

Dropbox Launches New Windows 8 App

TechMad Infodates

Image

Dropbox has announced at the LeWeb 2012 conference in Paris this week that they are currently developing and will soon be launching a new Dropbox Windows8 application which will be designed to be used with and support Microsoft’s new Modern user interface.

It has been rumoured that Dropbox was considering developing a new Windows 8 app, but until today it had never been officially announced.

Dropbox has now now submitted their new Windows 8 app for approval by Microsoft, and as soon as this is complete the Windows 8 Dropbox app will be available for users to download.

The new Dropbox Windows app will work across the both versions of Windows 8, offering access to files, photos and media files stored in the cloud from the desktop but also on Windows RT devices like the Surface.

View original post