
Ramona Fricosu's attorney says she may have forgotten the password

Last month, a Colorado woman was ordered to decrypt her laptop in order to help prosecutors obtain evidence in the bank fraud case against her. Now, Ramona Fricosu's attorney is saying that the defendant may have forgotten her password, further prolonging the case and getting prosecutors nowhere with the hard drive.

"It's very possible to forget passwords," said Philip Dubois, Fricosu's attorney. "It's not clear to me she was the one who set up the encryption on this drive. I don't know if she will be able to decrypt it. The government will probably say you need to put her in jail until she breaks down and does what she is ordered to do. That will create a question of fact for the judge to resolve. If she's unable to decrypt the disc, the court cannot hold her in contempt."

Davies said Fricosu has not said in any court documents that she has forgotten the password. They are waiting to see what position she takes in court.

Fricosu was accused of bank fraud in 2010, and had her laptop seized by authorities for investigative purposes. When attempting to search her hard drive, authorities found that it was encrypted using full disk encryption, which prevents unauthorized access to data storage. The option can be found in operating systems like Mac OS and Windows, and if authorities tried to crack it themselves, they could damage the computer.

Colorado U.S. District Judge Robert Blackburn then ordered Fricosu to decrypt her hard drive and return it to the court so prosecutors could use the files against her in the bank fraud case. Fricosu tried using the Fifth Amendment to protect herself, arguing that it protects her from compelled self-incrimination.

However, Blackburn concluded that "the Fifth Amendment is not implicated by requiring production of unencrypted contents of the Toshiba Satellite M305 laptop computer." Assistant U.S. Attorney Patricia Davies backed Blackburn's decision, saying that encryption cannot be a sure way for criminals to bypass the system.

Source: Wired


Is this actually necessary?
By drycrust3 on 2/7/2012 2:08:40 PM , Rating: 2
Does anyone know what type of encryption was used?
The reason I ask is Passware claim their Passware kit can decrypt Bitlocker or Truecrypt encrypted HDDs, and in some cases it can provide a nearly instant decryption.
The price of the software is $995 (presumably USD), which is probably within the police budget for this case.
In addition, if a brute force decryption is necessary then the Passware kit can make use of Amazon's servers to decrypt ten times faster than using a stand alone computer.
Here is a video supposedly finding the password to a Microsoft Office file (in less than 5 minutes!):
If the encryption was done with one of those programs, then maybe the HDD could have been decrypted by now if the police started when they first decided they needed to see what was on the HDD, and even though the Amazon servers won't be cheap, the price may have been cheaper than all the trips to court.

RE: Is this actually necessary?
By hkscfreak on 2/7/2012 2:24:09 PM , Rating: 2
Their technology relies on having the decryption keys in memory while the computer is powered on and the drive is mounted, which is a weakness in all drive encryption schemes. It won't help if the computer is powered off and not hibernated or if the drive was not mounted at the time the police recovered the computer.

I don't remember the exact math, but brute forcing AES-256 is an exercise in frustration. I remember reading somewhere that the sun will explode before you are likely to find the key.

If you're going to encrypt something I highly recommend TrueCrypt, which is free and includes some helpful features such as auto-dismounting when there is no activity and hidden volumes for plausible deniability.

RE: Is this actually necessary?
By drycrust3 on 2/7/2012 3:46:55 PM , Rating: 2
I highly recommend TrueCrypt

According to Passware, if you are using TrueCrypt "The decryption might take several minutes depending on the size of the memory image file".
I'm not sure if that means they can extract the password of a fully shut down computer with an encrypted HDD in less than an hour, but if it does, then maybe TrueCrypt isn't as secure as you believe.
As I suggested, has anyone in the police department actually tried this software?

RE: Is this actually necessary?
By PhoenixTX on 2/7/2012 4:27:58 PM , Rating: 4
TrueCrypt is very secure. From the Passware website:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

If the target computer with the BitLocker/TrueCrypt volume is powered off, encryption keys are not stored in its memory, but they could be possibly recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

NOTE: If the target computer is turned off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

Unless they seized this computer while it was on/hibernated and have kept it in that state for two years, then Passware (or anything like it) will be worthless.

RE: Is this actually necessary?
By SlyNine on 2/7/2012 9:20:52 PM , Rating: 4
Doesn't matter, since this is whole disk encryption the OS and thus hibernation file is most likely encrypted. If this person knew what they were doing there is likely (notice my weasel word) no way to encrypt the drive in a reasonable amount of time.

RE: Is this actually necessary?
By Varun on 2/7/2012 2:34:48 PM , Rating: 4
If you can do 2^56 guesses per second (that is a lot) it would still take you:
256 bit key:

50,955,671,114,250,072,156,962,268,275,658,377,807,020,642,877,435,085 years


RE: Is this actually necessary?
By bug77 on 2/7/2012 3:45:55 PM , Rating: 3
Yes, but they could use the Amazon cloud and divide that by 10!

RE: Is this actually necessary?
By Lifted on 2/7/2012 5:31:47 PM , Rating: 2
Wouldn't that be a lot less?

RE: Is this actually necessary?
By SlyNine on 2/7/2012 10:13:59 PM , Rating: 2
I don't think an Amazon cloud can do 2^56. In fact according to Toms Hardware, in regards to cracking WPA, said

"Each GPU cluster instance is armed with a 10 Gb Ethernet link, restricting bidirectional traffic between the master and nodes to 1.25 GB/s. This is what bottlenecks the cracking speed. Remember that a single ASCII character consumes one byte. So, as you start cracking longer passwords, the master server has to send more data to the clients. Worse still, the clients have to send the processed PMK/PTK back to the master server. As the network grows, the number of passwords each additional node processes goes down, resulting in diminishing returns. "

So having 4 Tesla GPUs is faster than renting an Amazon virtual computer.

Now let's say they have 100 570s, 2 of them can do 1.5 billion passwords a second (again according to tomshardware), so 1500000000x50=75 billion. So 75 billion tries per second is about the max amount of computer power they can throw at it.

I believe to reach the max security on AES 128 you need 32 characters. 64 for AES 256. But let's use 128 for example. You have 94 characters in a full ASCII character set. So you take 94 possibilities in every character of a passphrase. So if you have 2 characters in your password that's 94x94 or 94^2. If you use the full strength that's 94^32 = 1.38067454 × 10^63 or 13 with 63 zeros behind it. That number looks like this 13000000000000000000000000000000000000000000000000000000000000000 + possible combinations. So let's take 13000000000000000000000000000000000000000000000000000000000000000 / 75000000000, which takes you 1.84089939 × 10^52 seconds to complete. That number looks like that
180000000000000000000000000000000000000000000000000000. So let's divide that by 60 and then by 60 again to get us to hours, and then by 24 to get to days, and then by 365 to get to years, then let's divide by 10 again figuring they will find the phrases after trying 1/10 the possibilities. That number is 5.83745367 × 10^43 or 58000000000000000000000000000000000 years.

So it would take 58000000000000000000000000000000000 years to complete, now if you want to divide that by a million, or billion, you will still get a number that's too big to worry about.

No, you are not brute forcing AES 128 with conventional means. Not in our lifetimes anyways. Probably not within the lifetime of the universe.

RE: Is this actually necessary?
By SlyNine on 2/7/2012 10:21:56 PM , Rating: 2
I screwed up, it should be 1.3 with 64 zeros behind it. But since the calculations were done using the scientific numbers the calculations are still correct. Just knock off a zero on each one of the non scientific numbers.

RE: Is this actually necessary?
By SlyNine on 2/7/2012 10:23:37 PM , Rating: 2
LOL oops again. But if you don't understand what I mean elementary algebra will show you.
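
The brute-force arithmetic in the comments above, as an added example that is not part of the original thread: it reproduces the 256-bit key figure and the 32-character passphrase figure with exact integer math, and also shows that an attacker only has to search the smaller of the password space and the key space. The 365-day year, the function names and the password lengths tried are assumptions of this example.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year, as the thread's figures use


def seconds_to_exhaust(keyspace: int, guesses_per_second: int) -> int:
    """Worst-case whole seconds to try every candidate in the keyspace."""
    return keyspace // guesses_per_second


def years_to_exhaust(keyspace: int, guesses_per_second: int) -> int:
    """Worst-case whole years; exact integer math, so no float overflow."""
    return keyspace // (guesses_per_second * SECONDS_PER_YEAR)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Shortest random password whose keyspace is at least 2**target_bits."""
    length = 1
    while alphabet_size ** length < 2 ** target_bits:
        length += 1
    return length


def effective_keyspace(alphabet_size: int, length: int, key_bits: int) -> int:
    """An attacker searches whichever is smaller: passwords or raw keys."""
    return min(alphabet_size ** length, 2 ** key_bits)


if __name__ == "__main__":
    GPU_RATE = 75_000_000_000  # guesses/second, the figure quoted in the thread
    print("AES-256 key at 2^56/s:", years_to_exhaust(2 ** 256, 2 ** 56), "years")
    for n in (8, 12, 20, 32):  # constructed sample lengths, 94-symbol alphabet
        space = effective_keyspace(94, n, 128)
        print(f"{n:>2} chars ({password_bits(94, n):5.1f} bits): "
              f"{seconds_to_exhaust(space, GPU_RATE):.3e} s, "
              f"{years_to_exhaust(space, GPU_RATE)} years")
    print("chars needed to match a 128/256-bit key:",
          min_length_for_bits(94, 128), min_length_for_bits(94, 256))
```

At the thread's guess rate, a random 8-character password is exhausted in under a day, while the astronomical figures only apply once the passphrase is long and random enough to match the key size.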

RE: Is this actually necessary?
By Flunk on 2/7/2012 5:00:08 PM , Rating: 2
That's not actually how brute force attacks work. They work by comparing the hashes of likely passwords (dictionary attacks often work). If you did a dictionary attack, starting with low numbers of characters and working up it would be very unlikely that you wouldn't get the actual password much sooner than that.

RE: Is this actually necessary?
By SlyNine on 2/7/2012 9:23:47 PM , Rating: 2
Sorry but you're wrong. Any DECENT password will never be solved by a dictionary attack, for example use 3 random key files and a password using characters like / numbers and caps. Your dictionary hack in that case would be a complete waste of time and resources.

Further, since this was full disk encryption, she most def. had a good passphrase.

RE: Is this actually necessary?
By MGSsancho on 2/8/2012 1:14:29 AM , Rating: 2
Requirements: Firewire.

Read up on Direct Memory Access technologies and

As said by another person above, unmount your encrypted drives when not in use. Shutting down might actually be beneficial as well.
