
Full Disk Encryption

Report on Full Disk Encryption

· Makes it hard for someone who physically steals your computer to read your data.

· Asks for the BitLocker recovery key the next time you reboot your computer, but this is not a strong encryption key

· Full disk encryption does not protect against rootkits



· Software-based encryption decrypts the data read from the drive before feeding it to the operating system and encrypts it again when writing the data back to the hard drive.

o The overhead is that you can get performance issues

o The hardware option does not have this performance overhead

· BitLocker on Windows / FileVault on macOS

· VeraCrypt is a free, open-source option

· The hardware option is a self-encrypting drive, usually a solid-state drive. This gets the best of both worlds

· Ways to make FDE more secure:

o Trusted Platform Module (TPM), which can also detect tampering attempts

o File system level encryption which can encrypt and decrypt individual files on demand

· If someone boots your computer from a USB drive, that easily bypasses the OS password

· We can also password-protect our BIOS settings

· https://freedom-to-tinker.com/2008/02/21/new-research-result-cold-boot-attacks-disk-encryption/

· https://blog.elcomsoft.com/2016/06/breaking-bitlocker-encryption-brute-forcing-the-backdoor-part-i/

· https://www.youtube.com/watch?v=eRuca6eAdFM

· The TPM is on the motherboard and stores the encryption key, so if an attacker takes your drive and tries to boot it into their own operating system, it cannot ask the TPM for the key that has been sealed to it.

· If you have enabled BitLocker in transparent mode you may not even realise that your device is encrypted, because it automatically decrypts the drive on boot and feeds plaintext to the OS

· You could do a cold boot attack: when the TPM releases the key into RAM, you lower the temperature enough that the RAM does not lose its contents and can potentially boot the machine into another operating system

· You could ground the pins of the TPM chip to clear its memory and reset it back to zero.
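To make the TPM sealing described above concrete, here is an added simulation (not code from the original notes or from any TPM vendor) of measured boot and key sealing: every boot component is hashed into a PCR, and the volume key is only released when the PCR matches the value it was sealed to. The TPM secret, volume key and boot chains are constructed sample values; the wrapping is a toy HMAC keystream standing in for the TPM's real storage-key encryption.

```python
"""Toy model of TPM measured boot + sealing (added example, constructed values)."""
import hashlib
import hmac
from typing import List, Optional

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: PCR = H(PCR || H(component)); order and content of each stage matter."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components: List[bytes]) -> bytes:
    """Replay a measured boot from a zeroed PCR, extending once per boot component."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

def seal(tpm_secret: bytes, volume_key: bytes, expected_pcr: bytes) -> dict:
    """Wrap the volume key under a key derived from the TPM-internal secret and the expected PCR.
    Toy wrapping: XOR with an HMAC keystream (a real TPM uses its storage root key)."""
    wrap = hmac.new(tpm_secret, b"seal" + expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(volume_key, wrap))
    tag = hmac.new(tpm_secret, expected_pcr + blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag, "pcr": expected_pcr}

def unseal(tpm_secret: bytes, sealed: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the key only if the current measurements match the sealed policy and the blob is intact."""
    if not hmac.compare_digest(current_pcr, sealed["pcr"]):
        return None  # different firmware/bootloader/OS: policy fails, key stays inside the TPM
    tag = hmac.new(tpm_secret, current_pcr + sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # sealed blob was tampered with
    wrap = hmac.new(tpm_secret, b"seal" + current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

# Constructed sample values: TPM-internal secret, volume master key, and two boot chains.
TPM_SECRET = b"constructed-tpm-internal-secret"
VOLUME_KEY = hashlib.sha256(b"constructed volume master key").digest()
TRUSTED_BOOT = [b"firmware v1", b"bootloader v1", b"windows bootmgr"]
FOREIGN_BOOT = [b"firmware v1", b"bootloader v1", b"live-usb linux"]

def demo():
    """Returns (key released on the trusted chain, key withheld when another OS is booted)."""
    sealed = seal(TPM_SECRET, VOLUME_KEY, measure_boot(TRUSTED_BOOT))
    normal = unseal(TPM_SECRET, sealed, measure_boot(TRUSTED_BOOT)) == VOLUME_KEY
    withheld = unseal(TPM_SECRET, sealed, measure_boot(FOREIGN_BOOT)) is None
    return normal, withheld

if __name__ == "__main__":
    print(demo())  # (True, True)
```

This check only guards the key while it is still inside the TPM; once a transparent unlock has released it into RAM it no longer applies, which is why the notes move on to cold boot attacks. Requiring a PIN before the TPM unseals is the usual way to close that gap.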

ATTACK Details:

· Suppose we have physical access to the device and that BitLocker is enabled by default as transparent encryption, meaning that logging in to the operating system

· Since BitLocker is only present in Enterprise or Pro versions, the device is likely connected to a network and has to talk to the domain controller to verify credentials (otherwise you get "the trust relationship between this workstation and the primary domain has failed")

· Samba can be used to create a fake domain controller, but its name has to match the actual domain controller that the device uses.

· With expired login credentials it will prompt you to change the password. After you change the password, disconnect it from the fake network, because the new password is now saved in the local cache

© 2023 by CipherSimba. Proudly created by Pravat KC