FDE: Virgin Machine vs. Full Machine

<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Mon Apr 22, 2013 10:14 am

FDE: Virgin Machine vs. Full Machine

Recently I read an interesting research paper which talked about how Solid-State Drives (SSD) leave behind a horrible amount of old data that was supposed to be erased after "writing to zeros" and all that.  (Not trying to start a debate on that topic.)

Anyways, it got me to wondering this...

If a person wanted the safest of safe end-effect from *software* Full-Disk Encryption (FDE), would that mean that the FDE software should be installed on a "virgin" machine before it was ever used, OR could you have a computer with tons of personal data on it - including residual data that was "deleted" yet not truly erased off the face of the HDD - and still encrypt every last bit on the HDD??


(To clarify, this would be for a conventional magnetic HDD, and NOT one of the newer Flash drives.)


My fear is that if I installed something like TrueCrypt on my 4-year-old laptop, that there might be sectors or blocks with: Old Cache Files, Data Deleted but not Erased, and so on that might somehow escape being encrypted?!  (It seems like *software* FDE encrypts maybe 99% of your HDD, and I am worried about that last 1%...)

Does that make sense?

I am asking this for two reasons...

1.) I hope to buy a new MacBook Pro later this week, and I want to know if I need to set up FDE *before* actually using it to get the best effect?

2.) I have this ancient MacBook that has maybe 400GB of data on it, and I'm curious how effective installing something like TrueCrypt on it would be?  (Would doing that so late in the game really protect ALL of my data, or just most of it?!)

Sincerely,


Tom
<<

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Mon Apr 22, 2013 10:34 am

Re: FDE: Virgin Machine vs. Full Machine

I'm definitely no expert in this area, but....

Unless your threat actor is a government organisation with a very invested interest in recovering your data - I think you'll be ok with Truecrypting the existing drive.

You're essentially adding random noise to every writable area of your disk, so it makes no difference as to the existing data in place.

As to the previously marked 'bad' sectors of the disk that may be inaccessible to the OS, I suppose you might in theory find a small amount of data in there.

If I had to use an existing HDD, and I was that paranoid about data leakage I would probably:

1. Run Spinrite http://www.grc.com/sr/spinrite.htm over the disk to recover as many 'bad' sectors as I could
2. Run http://www.dban.org/ over the disk to ensure that any existing data is unrecoverable
3. Truecrypt the disk
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Mon Apr 22, 2013 12:48 pm

Re: FDE: Virgin Machine vs. Full Machine

UKSecurityGuy wrote: I'm definitely no expert in this area, but....

Unless your threat actor is a government organisation with a very invested interest in recovering your data - I think you'll be ok with Truecrypting the existing drive.


Asked another way, what would software FDE NOT encrypt?

My understanding is that the difference between hardware FDE and software FDE, is that software FDE does not encrypt or whatever the "Boot Sector".

But after reading about how Flash technology works - or doesn't work?! - it got me to wondering if there are significant portions of my physical HDD that something like TrueCrypt misses, and thus if I had already written unencrypted data to the entire HDD, TrueCrypt might "miss" some of that current or old data?


You're essentially adding random noise to every writable area of your disk, so it makes no difference as to the existing data in place.

As to the previously marked 'bad' sectors of the disk that may be inaccessible to the OS, I suppose you might in theory find a small amount of data in there.

If I had to use an existing HDD, and I was that paranoid about data leakage I would probably:

1. Run Spinrite http://www.grc.com/sr/spinrite.htm over the disk to recover as many 'bad' sectors as I could
2. Run http://www.dban.org/ over the disk to ensure that any existing data is unrecoverable
3. Truecrypt the disk


Okay.

But back to my OP, would you agree that it is better to set up FDE on a virgin machine before you start using it, so - in theory at least - all of your data gets encrypted?


Tom
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Apr 22, 2013 8:19 pm

Re: FDE: Virgin Machine vs. Full Machine

TomTees wrote:But back to my OP, would you agree that it is better to set up FDE on a virgin machine before you start using it, so - in theory at least - all of your data gets encrypted?


Yes, that is ideal because unencrypted data will never be written to the drive. However, you will still be reasonably secure if you encrypt data in place. You would have to have some insanely valuable data for someone to start rummaging through bad sectors; that is very expensive and time-consuming work.

Think about the scenarios you're trying to protect yourself against. They're probably something along the lines of preventing someone who steals your laptop at a coffee shop from accessing your email, files, etc. There's no need to go overboard or worry about every fluke scenario you read about.
The day you stop learning is the day you start becoming obsolete.
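
An added illustration of the point made in the replies above (not part of any poster's message): a toy Python model of a magnetic disk showing that in-place encryption overwrites every addressable sector, including "deleted" data, and that only a sector remapped before encryption keeps plaintext. The `ToyDisk` class, the `SECRET-` marker and the SHA-256 keystream are assumptions made for the model; the keystream is a stand-in, not TrueCrypt's cipher.

```python
import hashlib

SECTOR = 512
MARK = b"SECRET-"  # constructed marker that tags plaintext in this model

class ToyDisk:
    # Constructed HDD model: LBAs map to physical sectors; firmware can remap
    # a failing LBA to a spare, leaving the old sector unaddressable by the OS.
    def __init__(self, n_lba, n_spare):
        self.phys = [bytes(SECTOR)] * (n_lba + n_spare)
        self.lba_map = list(range(n_lba))
        self.spares = list(range(n_lba, n_lba + n_spare))

    def read(self, lba):
        return self.phys[self.lba_map[lba]]

    def write(self, lba, data):
        self.phys[self.lba_map[lba]] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def remap(self, lba):
        spare = self.spares.pop(0)
        self.phys[spare] = self.read(lba)   # firmware copies what it could read
        self.lba_map[lba] = spare           # old sector keeps its contents

def keystream(key, lba):
    # Stand-in cipher for the model only; not TrueCrypt's actual mode.
    blocks = (key + lba.to_bytes(8, "big") + bytes([i]) for i in range(SECTOR // 32))
    return b"".join(hashlib.sha256(b).digest() for b in blocks)

def enc_write(disk, key, lba, data):
    padded = data.ljust(SECTOR, b"\0")
    disk.write(lba, bytes(a ^ b for a, b in zip(padded, keystream(key, lba))))

def encrypt_in_place(disk, key):
    for lba in range(len(disk.lba_map)):    # every addressable sector, used or free
        enc_write(disk, key, lba, disk.read(lba))

def remnants(disk):
    # Physical sectors (addressable or not) that still hold marked plaintext.
    return [p for p, sector in enumerate(disk.phys) if MARK in sector]

def compare(key=b"k" * 32):
    used = ToyDisk(8, 2)
    for lba, text in [(1, b"live file"), (2, b"deleted, not erased"), (3, b"old cache")]:
        used.write(lba, MARK + text)
    used.remap(3)                           # sector went bad while still plaintext
    before = remnants(used)
    encrypt_in_place(used, key)
    fresh = ToyDisk(8, 2)
    encrypt_in_place(fresh, key)            # FDE set up before first use
    enc_write(fresh, key, 3, MARK + b"old cache")
    fresh.remap(3)                          # the stranded sector holds ciphertext
    return before, remnants(used), remnants(fresh)
```

`compare()` returns the physical sectors holding plaintext on the used disk before encryption, on the used disk after in-place encryption, and on the disk encrypted before first use.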
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Mon Apr 22, 2013 9:09 pm

Re: FDE: Virgin Machine vs. Full Machine

ajohnson wrote:Yes, that is ideal because unencrypted data will never be written to the drive. However, you will still be reasonably secure if you encrypt data in place. You would have to have some insanely valuable data for someone to start rummaging through bad sectors; that is very expensive and time-consuming work.

Think about the scenarios you're trying to protect yourself against. They're probably something along the lines of preventing someone who steals your laptop at a coffee shop from accessing your email, files, etc. There's no need to go overboard or worry about every fluke scenario you read about.


Okay, sounds good.

So, any ideas on the next step, which is "What is the best FDE software to use?"

http://www.ethicalhacker.net/forum/http://localhost/ehnet2013/forums/viewtopic.php?t=4


Tom
<<

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Tue Apr 23, 2013 5:30 am

Re: FDE: Virgin Machine vs. Full Machine

I was using Truecrypt FDE, but I've heard it doesn't perform particularly well with SSDs and trashes them quite quickly, so I've removed it from my own laptop and switched to Truecrypt containers instead.

I had a quick look and it doesn't look like Truecrypt supports your macbook for FDE http://www.truecrypt.org/docs/?s=supported-operating-systems so you can't use that (unless you're using Windows only).
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Apr 23, 2013 8:27 am

Re: FDE: Virgin Machine vs. Full Machine

UKSecurityGuy wrote: I was using Truecrypt FDE, but I've heard it doesn't perform particularly well with SSDs and trashes them quite quickly, so I've removed it from my own laptop and switched to Truecrypt containers instead.


^ +1  I heard a few complain about it, on SSD.  I'm also using it on a container / folder basis, instead.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
