From time to time, I’ve talked about looking after the security of data stored on portable devices (like laptops), and have suggested that disk encryption is one tool that can help with this. (For example, one might use the free, open-source TrueCrypt software.) Yet one sees investigators on TV shows like the various editions of CSI and NCIS cracking the encryption on the bad guy’s laptop in the time it takes to show a couple of commercials.
Fortunately, a report posted this week at the PhysOrg site provides reassurance that encryption really is effective, and that the TV shows are engaging in artistic license to a considerable degree. Though I am sure that the authors did not intend their work to be a testimonial to the effectiveness of encryption technology, it serves fairly well.
A joint U.S./UK research team has found that common encryption techniques are so good that law enforcement, from local to highly resourceful federal agencies, are unable to get at data on a computer hard disk that could be used to prove the guilt of people using the computer to perpetrate crimes.
The research, published in the journal Digital Investigation, indicates that the problem for law enforcement is made worse by inappropriate or sloppy forensic techniques. For example, if computer equipment is seized pursuant to a search warrant, it is common practice to transport the machine to another location to analyze the information it contains. But turning the system off may cause passwords or encryption keys held in memory to be lost; in some cases it may actually trigger data destruction.
The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination.
The authors discuss some possible changes in forensic practice to increase the chances of getting either unencrypted data, or encryption keys. However, cracking the encryption itself is quite difficult.
The unfortunate bottom line, though, is that the authors openly admit that once the drive is encrypted, there is little to nothing to be done, which a lot of criminals are surely going to be really pleased to hear.
If experience is any guide, this may prompt calls for some sort of legal “fix” to prevent criminals from getting away with it. As with other security technologies, encryption has unsavory uses as well as good ones. We do not prohibit the sale of safes just because someone might use one to lock up his evil secrets.
Extreme Tech also has a short article on this research.