Tool Enables Instant Decryption of TrueCrypt and BitLocker by Analyzing Hibernation File
A sleep feature in Microsoft Windows may significantly reduce security of full disk encryption, Passware warned today. The Mountain View, California based company claims that the latest version of its Passware Kit makes instant decryption for powered-off computers possible by analyzing a hibernation file which is automatically created when a system enters hibernation. This file (hiberfil.sys) often contains data that may breach computer security, the company says.
If a computer with a mounted TrueCrypt or BitLocker To Go hard disk has hibernated at least once, Passware Kit will instantly decrypt the hard disk even if the computer is no longer running. If the target computer is running, the company’s Passware Kit Forensic 10.3 can decrypt hard disks encrypted with BitLocker or TrueCrypt in a matter of minutes the company claims.
“The complexity of IT security is not limited to anti-malware, anti-virus, phishing and other actions, but extends to behaviors that exploit little known flaws in operating systems,” said Dmitry Sumin, president of Passware, Inc.
“This latest version of Passware Kit is the absolute definitive tool for investigators. With the ability to extract encryption keys from a Hiberfil.sys file, there really is nowhere for the bad guy to run,” Andy Malone, CEO and senior technology of quality training (UK) Ltd.
In September the company announced that its software was capable cracking of BitLocker To Go USB Disks, saying it can decrypt “BitLocker To Go” thumb drives in less than 20 minutes.
Hibernation captures everything in memory (RAM) and writes it to your hard disk as the hiberfil.sys file. If you have 1GB of memory, the hiberfil.sys will be about 1GB. Want to delete hiberfil.sys or disable hibernation? Microsoft has some resources here and here that may help.
