Monthly Archives: June 2014

BitLocker with TPM in 10 Steps.

Starting with Windows Vista, Microsoft used a secure development lifecycle from start to finish. By introducing these software development practices, Microsoft built better software using secure design, threat modeling, secure coding, security testing, and best practices surrounding privacy. One of the many features introduced was BitLocker drive encryption. It encrypts the full contents of a volume and is designed to work with a Trusted Platform Module (TPM) security device. By encrypting the drive contents you add an additional layer of protection that helps defend against evil maid attacks, offline attacks and disclosure of data when a laptop is lost or stolen.

Windows 7 brought more enhancements to this technology that will drive its adoption: it is more user friendly, supports BitLocker To Go (which protects removable media) and reduces the administration overhead, e.g. it does not require an admin to lay out the hard drive partitions in a special form (now you know why during a Windows 7 installation you might see a 100MB NTFS volume: it allows the BIOS to locate and run the Bootmgr). BitLocker can work with or without a TPM. A TPM is a tamper-resistant security chip on the system board that holds the keys for encryption and checks the integrity of the boot sequence; it allows the most secure BitLocker implementation. BitLocker needs a TPM chip version 1.2 or higher enabled in the BIOS. Without a TPM, BitLocker can store its key on a USB drive that is used during the boot sequence. BitLocker encrypts the contents of the hard drive using the AES128-CBC (by default) or AES256-CBC algorithm, with a Microsoft-specific extension called a diffuser. To run BitLocker you need Windows 7 Enterprise or Ultimate edition. When configuring BitLocker you have a number of options:

  • TPM only: No authentication is required for the boot sequence; it protects against offline attacks and is the most transparent method for the user.
  • TPM with PIN: Adds a “what you know” factor to the boot process; the user is prompted for a PIN.
  • TPM with USB: Adds a “what you have” factor to the boot process; the user needs to insert the USB pen that contains the key.
  • TPM with USB and PIN: The most secure mode, using a two-factor authentication boot process, but also the most costly in terms of support, e.g. when a user loses the USB pen or forgets the PIN.
  • Without TPM: Does not provide the preboot protection and uses a USB pen to store the key.

How to enable BitLocker with TPM in 10 Steps?

  1. Determine if your computer has support for TPM 1.2.
  2. Enable TPM in the BIOS settings.
  3. On Windows launch the TPM management console (tpm.msc).
  4. Initialize it and create an owner password.
  5. Save and print the password.
  6. Define Group Policy settings to ensure a TPM is used with BitLocker and define the authentication method.
  7. Turn on BitLocker on the desired hard drive.
  8. Define the authentication method.
  9. Save and print the recovery key.
  10. Encrypt the drive.

Let’s review each one of these steps in more detail.

Step 1: To determine if your computer has TPM support you can check your computer model documentation or check the BIOS directly. In my case I had a second-hand Dell Latitude E6400 laptop with TPM capabilities.

Step 2: I went to the BIOS and enabled the TPM Security option.

tpm-bios

Step 3: I booted Windows and called the TPM management console by executing tpm.msc.

tpm-init

Step 4: In the TPM management console, click on Initialize. This starts the process where you either create a password manually or have one generated. In this case I chose to create the TPM password automatically.

tpm-step2

Step 5: Save the password file to a USB drive (file.tpm) and print the password for recovery purposes. Keep this file in a secure location away from your computer’s local hard drive.

tpm-step3

Step 6: On Windows, run gpedit.msc to open the Local Group Policy Editor. Provide administrator credentials if you have UAC configured. Navigate to Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives: Require Additional Authentication at Startup. Enable this setting and, under Options, verify that Allow BitLocker Without a Compatible TPM is unchecked. I left the remaining settings at their defaults, but this is where you can configure two-factor authentication for the boot process.

tpm-step4

Step 7: Select the drive you want to encrypt, right-click it and select Turn On BitLocker.

tpm-step7

Step 8: The options that you defined in the group policy show up here so you can choose the authentication method; in this case I selected TPM with PIN.

tpm-step5

Step 9: Save the recovery key to a USB pen and print it for recovery purposes. The recovery key is used to recover the data on a BitLocker-protected drive.

tpm-step6

Step 10: Finally, encrypt the drive and select “Run BitLocker system check” to ensure the recovery key can be used.

tpm-step10

When you reboot your computer you will be prompted with the Windows BitLocker Drive Encryption PIN entry screen, where you need to supply the PIN in order to start the operating system.

In terms of management, the BitLocker settings can be configured and checked using the manage-bde.exe command. For systems where Windows is part of a domain, the recovery key of each machine can be backed up as part of an escrow service. This way business owners such as legal teams can gain access to the machine in case the user loses the USB key or PIN, or when there is a need to do so because of an insider threat. Another method is to use a data recovery agent (DRA), which creates a certificate that can be used to unlock the encrypted volumes. Furthermore, there are several group policy settings that can be configured.
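Checking the result of the procedure does not have to be a manual walk through the dialogs. The following Python script is an added example (it is not part of the original post and not a Microsoft tool): it parses the text that manage-bde -status prints and flags any volume that is not fully encrypted, has protection off, is not using AES, lacks a TPM-based key protector (with a PIN, unless require_pin is turned off) or lacks a numerical recovery password protector, which is exactly the posture the steps above set up. On a Windows host it runs manage-bde itself; anywhere else it audits an embedded sample. The sample output is constructed for this example and the field layout is an assumption modelled on what the Windows 7 tool prints, so adjust the parser if your build differs.

```python
"""Audit BitLocker posture from the text output of `manage-bde -status`."""
import re
import subprocess
import sys

# Constructed sample of `manage-bde -status` output (not captured from a real
# system), laid out the way the Windows 7 tool prints it: one block per volume,
# 4-space indented "Key: Value" fields and 8-space indented key protector names.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

    Size:                 148.05 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 100.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]:) \[([^\]]*)\]")


def parse_status(text):
    """Split manage-bde -status output into one dict per volume.

    Each dict holds the drive letter, the label, every "Key: Value" field and a
    'protectors' list with the key protector names printed under Key Protectors.
    """
    volumes, current = [], None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = {"drive": m.group(1), "label": m.group(2), "protectors": []}
            volumes.append(current)
            continue
        if current is None:          # banner lines before the first volume
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("["):   # blank or "[OS Volume]"
            continue
        if line.startswith(" " * 8):                   # protector name
            current["protectors"].append(stripped)
        elif ":" in stripped:                          # "Key: Value" field
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    return volumes


def audit_volume(vol, require_pin=True):
    """Return a list of findings; an empty list means the volume matches the recommended setup."""
    findings = []
    if vol.get("Conversion Status") != "Fully Encrypted":
        findings.append("not fully encrypted")
    if vol.get("Protection Status") != "Protection On":
        findings.append("protection is off (volume key is exposed in the clear)")
    if not vol.get("Encryption Method", "").startswith("AES"):
        findings.append("encryption method is not AES")
    tpm = [p for p in vol["protectors"] if p.startswith("TPM")]
    if not tpm:
        findings.append("no TPM-based key protector")
    elif require_pin and not any("PIN" in p for p in tpm):
        findings.append("TPM protector without PIN (no 'what you know' factor at boot)")
    if "Numerical Password" not in vol["protectors"]:
        findings.append("no recovery password protector")
    return findings


def audit_status(text, require_pin=True):
    """Map each drive letter to its list of findings."""
    return {v["drive"]: audit_volume(v, require_pin) for v in parse_status(text)}


def get_live_status():
    """Run manage-bde -status on a Windows host; return None when it is unavailable."""
    try:
        result = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True, check=False)
    except OSError:
        return None
    return result.stdout if result.returncode == 0 else None


if __name__ == "__main__":
    status = get_live_status() if sys.platform == "win32" else None
    if status is None:
        print("manage-bde not available; auditing the constructed sample instead")
        status = SAMPLE_STATUS
    for drive, findings in audit_status(status).items():
        print(drive, "OK" if not findings else "; ".join(findings))
```

Run it from an elevated prompt on the machine you just configured; the C: volume should report OK, while any data volume you have not yet encrypted is listed with the reasons it falls short.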

The recovery process is also easy as long as you have the USB drive or the printed recovery key. Note that during the boot process, if the system detects changes such as a different hard drive or a BIOS change/upgrade, you might be asked to provide the recovery key because the boot process has been altered. Besides full volume encryption, BitLocker To Go is also a great method to encrypt removable hard disks and thumb drives.

As you can see, it is extremely easy to add an additional layer of protection to your system. If you have a Windows 7 Enterprise or Ultimate license then this is a great feature to protect the family photos and your wife’s cooking trade secrets from falling into the wrong hands.

References:

Windows Internals, Sixth Edition, Part 2, by Mark E. Russinovich, David A. Solomon and Alex Ionescu.


Malware Analysis

Malware analysis is a very interesting topic that will continue to evolve in size, density and specialization. It is also intellectually challenging. One goal of performing this activity might be to analyze malware in order to determine its actions and get insight into its behavior and inner workings by analyzing its code. By doing this we can find answers to pertinent questions such as:

  • What are the malware’s capabilities?
  • What is the worst it can do?
  • Which indicators of compromise (IOC) could be used to identify this malware in motion (network), at rest (file system) or in use (memory)? These IOCs can then be used across our defense systems.
  • What tactics, techniques and procedures (TTP) are used?
  • Which category does it fall into, i.e. criminal, commodity malware or targeted attack?

To find answers to these and other questions there are several processes, procedures and tools. One well established process is called dynamic or behavioral analysis. This process consists of executing the malware specimen in a safe, secure, isolated and controlled environment in order to determine its actions, its behavior and how it interacts with the host system at the network, file system, registry and other levels. The instruments used during this process allow us to gain a better understanding of the malicious code and its capabilities, and are mainly based on monitoring and capturing system changes at the network, memory and I/O level, etc. Different tools exist to accomplish this. The tool choice differs depending on the operating system the malware runs on, individual experience/preference and company culture. One great toolbox is the REMnux Linux distro, which brings together a great number of tools for analyzing malicious executables. Among other things it can also emulate a variety of networking services that assist during the behavioral analysis.

Another process is called static or code analysis and consists of analyzing the code or structure of the executable to determine its function. In contrast to behavioral analysis, static analysis does not execute the malware. Static analysis is normally a much more complex process that requires understanding of several techniques, ideally supported by knowledge of operating system internals and software development. This process might consist of disassembling, debugging and decompiling the executable. Different tools exist to assist this process, and it might take you to complex topics such as unpacking and decrypting. As such, it might be overwhelming to find the needle in the haystack when going through these techniques. You might want to focus on the execution flow and code blocks (where does it start, what does it call?) to start shaping an understanding.

So, which process should I use? Which tool should I run first? There is no right or wrong answer! Several approaches exist, and a combination of both processes is normally used. Start step by step, in an incremental and controlled fashion. Use more than one tool to substantiate evidence. Use the internet, books and research papers to help you gather knowledge about operating systems, networking, programming or security. How well you are educated in such topics will determine how much they assist you during the malware analysis. Jump from the behavioral analysis process to static code analysis and vice versa in order to move forward. If you get stuck, don’t give up!

As you look at more samples and handle the tools better, you slowly train yourself to determine what is normal and what is unusual. Soon you start recognizing differences and deviations from the norm. Whether you are doing malware analysis as part of a forensic analysis, incident response or just for fun, this is a fascinating journey!

For further reference you may want to look into the following books: Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, Practical Malware Analysis, and Malware Forensics: Investigating and Analyzing Malicious Code. More formal training is available from SANS with the GREM course authored by Lenny Zeltser. Free resources are Dr. FU’s Security blog on malware analysis tutorials and the Binary Auditing site, which contains free IDA Pro training material. Finally, the malware analysis track on the Open Security Training site is awesome. It contains several training videos and material for free!