In this part of the chapter you will learn how encrypted file-hosted volumes get broken into. You will find out how law enforcement agencies, intelligence services and hackers do it. You will learn about the proven method of gaining access to encrypted storage known as rubber-hose cryptanalysis, as well as state-of-the-art techniques such as RAM forensic analysis.
To guard against having your encrypted file-hosted volume compromised, you need to take comprehensive preventive measures by following the rules for the safe use of encrypted file-hosted volumes. This part will focus on the first five of them.
Be aware that although an encrypted file-hosted volume, provided you use both a strong password and a keyfile, will be almost impossible for any malicious intruder to defeat, this holds only while the volume is dismounted. While an encrypted file-hosted volume is mounted, all the files inside it are directly accessible. If at that moment someone gains access to your computer, they gain access to every file in the mounted volume. However, there is a defense against every attack. You can protect yourself even from rubber-hose cryptanalysis, and you are going to learn how as you move through the course.
Secret 1. Protect your encrypted file-hosted volumes from antiviruses.
You must have heard about the fallout between Kaspersky Lab and the U.S. National Security Agency. The confrontation dealt a devastating blow to users’ trust in Kaspersky Lab’s products and led to users turning away from them, not only in the U.S. but in other countries as well.
Kaspersky antivirus was installed on the personal computer of a user who had been recruited by the NSA (some argue that the user was an NSA contractor). The antivirus flagged suspicious files on the user’s machine, files that turned out to contain classified information, and uploaded them to Kaspersky Lab for analysis. This was confirmed by Eugene Kaspersky, the company’s founder and chief executive, but unknowns remain. According to the NSA, the secret files were passed on to Russian intelligence agencies, while Kaspersky Lab’s statement says that the copy of the source code taken from the user’s machine was destroyed.
Most antiviruses are capable of sending any suspicious file, document or application from a computer to the servers of the product maker. This is a necessary measure to protect users and detect new threats. If you have an encrypted file-hosted volume on your machine, then once it is mounted your antivirus will scan it and can send any file it considers malicious to those servers for analysis. Protecting yourself from this kind of threat is an important part of keeping your work with encrypted file containers secure.
There are a lot of options for handling this issue. First, not all antiviruses index mounted encrypted file containers, and it is sometimes possible to restrict their activity in the settings. Second, some antiviruses allow you to restrict sending files to their servers (for instance, if you have a Kaspersky product installed, by disabling KSN). Third, some antiviruses send only certain types of data; for instance, Windows Defender sends executable files but does not send documents, images and other files. In some cases you are better off without an antivirus at all.
In this chapter I can’t give you a targeted solution for this problem since it depends a lot on the antivirus you are dealing with and how sensitive your data is, but I will revisit this topic in the chapter that focuses on antiviruses.
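As an added example for the Windows Defender case mentioned above (not code from the course), the following PowerShell checks and then restricts Defender's cloud sample submission and excludes the mounted volume from scanning. It assumes Windows 10/11 with Microsoft Defender, an elevated PowerShell session, and the placeholder drive letter `V:\` for the mounted volume.

```powershell
# Added example, not from the course: inspect and restrict Microsoft Defender
# sample submission so files from a mounted volume are not uploaded.
# Assumptions: Windows 10/11 with Microsoft Defender, elevated PowerShell,
# and the volume mounted at the placeholder drive letter below.
$MountPoint = 'V:\'   # placeholder: drive letter of your mounted volume

function Get-SampleSubmissionState {
    $p = Get-MpPreference
    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
    #                       2 = never send,    3 = send all samples.
    # MAPSReporting:        0 = disabled, 1 = basic, 2 = advanced.
    [pscustomobject]@{
        SubmitSamplesConsent = $p.SubmitSamplesConsent
        MAPSReporting        = $p.MAPSReporting
        ExclusionPath        = $p.ExclusionPath
    }
}

# Before: the common default is 1 (send safe samples) with MAPS on,
# which is the weak setting for someone working inside an encrypted volume.
Get-SampleSubmissionState

# After: never send samples, turn off cloud reporting, and exclude the
# mount point from scanning. Trade-off: cloud-based detection of new
# threats on this machine is reduced, so keep definitions current.
Set-MpPreference -SubmitSamplesConsent 2
Set-MpPreference -MAPSReporting 0
Add-MpPreference -ExclusionPath $MountPoint

# Confirm the hardened state took effect.
Get-SampleSubmissionState
```

Group Policy or an MDM profile can override these preferences on managed machines, so re-check the output after any policy refresh.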
Tip: Secure the contents of your encrypted file-hosted volumes from antivirus software.
Secret 2. Clean up data about opened files and documents.
You have probably noticed that Microsoft Word keeps a list of the names of recently opened documents, as do Pages on macOS and other word processors. Media players keep the names of videos you have played, and image viewers keep the names of images you have opened.
It is possible to get access to this data even when an encrypted file-hosted volume is unmo