Topic: The fuzz was able to read stuff off my PGP whole-disk encrypted laptop drive.

Post by 22562256
Someone made forum posts that are critical of some Indian. I was in India and was picked up by the local fuzz. They took my laptop and phone. No, I didn't do anything; I don't even know this guy.

My laptop HD was encrypted with PGP whole disk encryption and my phone was a POS, so I didn't really worry about my data.

When I bought my laptop, I used PGP whole disk encryption on the entire drive, created two partitions C & D and installed the OS (XP) on C.

After a night in an Indian jail, they took me, and my laptop, to the cyber-crimes office.
Here they removed the hard drive from my laptop and plugged it into a desktop computer which was running some forensics software.

Here is the kicker: They were able to read files from the C partition of my HD. Most of the files they read appear to have been deleted (by me) long ago. I only saw the screen for a few minutes.

HERE ARE MY QUESTIONS
1. How is it possible to read files from a drive encrypted with PGP whole disk encryption?

2. I no longer have my laptop but I do have a backup on an external HD. The backup is on a PGP encrypted hidden partition. I need to buy a new laptop and would like to buy a Mac. Is there any software for the Mac that can read the PGP encrypted hidden partition off my external HD?

Thanks.

Post by fredbclem
Well, I don't think you had a very good trip to India. Yes indeed, software is available for the Mac that can read the PGP encrypted hidden partition off your external HD. You can easily find it on the net.

Post by 22562256
My stay in India was not pleasant and I still have not recovered from the incident.

If it helps you guys, I defragmented all partitions of my HD, with Diskeeper, a few days before the incident.

Post by omeksioglu
I am sorry to hear that you had such a bad trip. Did you go to your country's embassy? How come they didn't give you your laptop back? If you still had the laptop, an analysis could be done.

Was your laptop shut down or hibernated? You specify that they were able to read data from drive C; do you use different passwords for C and D? If your computer was hibernated, was C the only portion that was decrypted at hibernation?

Did the police get you at the airport? Did you use the internet in India? Wireless or cable? Where?

Was your password easy to break with rainbow-tables?


Post by 22562256
The fuzz picked me up from the hotel, kept me in jail for one night and, the next day, took me to the cyber-crimes office. My laptop was switched off; the HD was removed and plugged into a desktop running some forensics software. They did a text search (name of the guy) and looked at the images.
They were able to view images, stuff that I deleted long ago. After this, the cyber-crimes office kept my HD and gave my laptop back to the cops. We returned to the police station where they pestered me with personal questions like how much I earn and where I work. They kept my laptop. I was never arrested and did not go to the embassy.

I have one, strong, password for PGP whole disk encryption.
If you read my original post, I said that I used PGP whole disk encryption on the entire drive, then created two partitions C & D and, then, installed XP on C.
I was thinking, and this may not be what I actually did. For one thing, is it even possible to install the OS, install PGP, encrypt the whole drive, partition and then install the OS again? Maybe I'm missing something.

Post by 22562256
I used the net at the hotel (wireless). I use NOD32 firewall.

One more clue: when they removed and searched my HD for the text string with their forensics software, the search only took a few seconds (5 maybe). This tells me that whatever they were reading was small.

Post by JamesMartinez
It's a really good firewall. When you are using the internet, you need to take care that no viruses or malware enter the PC. For this you require a good firewall, and your firewall is doing more than that. Where did you purchase this firewall and how much does it cost?

Post by 22562256
This is an important thread, please don't spam.

Post by John Locked
Please tell us exactly how you went about the installation of PGP and the subsequent OS install. You state that you encrypted the whole drive (which assumes you had an OS up and running, and installed the PGP software in the first place), and then created a C & D partition. How can that be? Did you type that incorrectly? Your post sounds like you installed PGP, but then wiped it out by reformatting, repartitioning, and installing the OS. Was just the bootloader installed, making you think that everything was encrypted? Something is not adding up here.

JL

Post by 22562256
Hi John:
I too think that my implementation of PGP WDE was not as I originally posted: See my comment on Feb 1, 2012.

We both have the same doubt and I've been trying to recall how I implemented PGP WDE. More than likely what I did was to create the C & D partitions, install the OS on C, install PGP, then implement WDE on the physical drive.

If something comes to me, I'll post it here.

Here are the facts:
1. They could tell that I had two partitions: C & D.

2. They could not read the D partition. They shouted at me, "WHY DID YOU FORMAT D?"

3. It *appeared* that they were only able to read deleted files from the C partition.

4. Their forensics software took around 5 seconds to search the C partition (> 50 gigs) for a string.

5. I defragmented all HD partitions, with Diskeeper, a few days before the incident.

Post by edgars.abb
Hello, TheButterflyMon.

I'm not familiar with PGP and I don't know English perfectly, because it isn't my native language, but I will ask you a couple of questions to get a clear picture of your problem, and I hope you and other forum users will understand what I mean, heh.

You said that they were only able to read deleted files and that you encrypted your hard drive exactly AFTER you bought your laptop.
Are you sure you encrypted it right after? When did you delete them? Could it be possible that you deleted these files before you encrypted your hard drive with PGP? So as a result these deleted files stayed on your hard drive unencrypted. I assume that PGP encrypts only new files that are written to your HDD AFTER encryption, not before, to speed up the encryption process, so any information that was on the HDD before encryption could still be partially available for recovery.

I know one safe cure for this: back up your data to an external hard drive, fully erase your main drive with some special software (1 pass is enough, I think), encrypt it with PGP and then copy all data back from your backup drive. After that, fully erase your backup HDD.

> Their forensics software took around 5 seconds to search the C partition (> 50 gigs) for a string.

I must definitely disagree with this one, because of the phrase "> 50 gigs" and physics. Just because they probably have a "super cool and super fast" computer doesn't mean that they can scan a whole partition for some text string in a matter of seconds. As you may already know, all hard drives, solid state drives, USB sticks, etc. have a maximum possible speed for reading and writing data. If we make some simple calculations: 50 gigs = 5 secs, then 10 gigs = 1 sec. Now tell me, what HDD in the world has such a fast reading speed (10 GB/sec)? If you can find a cheap one, I will definitely buy it.

From this I assume that they only partially searched the information on your 50 GB partition.

Anyway, I don't use PGP, but I'm researching data encryption with TrueCrypt. I've read some rumors before that PGP has some backdoors, but I can't confirm that, because I've not checked it personally.

I would like to see a response from you.

Thanks.

Post by SuperAX
Scary situation, sorry to hear it.

Regarding the "5-sec" thing: perhaps they only found a "search match" to a text string within that time, not a complete scan of 50 gigs. Windows can do that on my PC using search without any special software :/

It would certainly be plausible.


Post by 22562256
Hi edgars.abb and SuperAX. Thanks for your replies.

edgars.abb:

1. Yes, I encrypted my laptop right after purchase. The *deleted* files they were able to read were created, edited and deleted long after I purchased and encrypted my laptop.

2. You are absolutely right. It is not possible to search a >50GB partition, for a text string, in a few seconds. I posted this fact because it was unusual and may yield some clues to what was happening under the hood.


It is also very possible that I did not properly install PGP WDE. See the comment by John Locked.

Post by 22562256

> Your post sounds like you installed PGP, but then wiped it out by reformatting, repartitioning, and installing the OS. Was just the bootloader installed, making you think that everything was encrypted ...

JL:
I think installing an OS on a PGP WDE encrypted drive will override the PGP bootloader with the OS bootloader.

I tried this on a virtual machine: Installed XP, PGP, used PGP WDE on the drive then used the XP install disk to create two partitions and installed XP on the C partition.

There was no trace of the PGP bootloader.

Post by 22562256
Since the fuzz was able to tell I had two partitions, C and D, I wonder whether PGP WDE encrypts the partition map. I'm sorry but I'm not an expert on PGP.
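The doubt running through this thread (John Locked's "was just the bootloader installed?" and the partition-map question above) is something the drive's owner can settle before ever travelling: a raw image of a drive that is genuinely under whole-disk encryption should read as high-entropy noise everywhere except the small plaintext boot area, and an MBR-style disk must keep its partition table readable so the machine can boot at all, which is why a forensics box can list C and D without decrypting anything. The Python below is an added example, not code from the thread or from PGP: it scans a disk image in fixed-size blocks, labels each block as zeros, plaintext or high-entropy, coalesces the labels into runs, and parses the MBR partition table. The disk image is constructed in memory (a plaintext MBR, a region of old "deleted" document text, a zero gap and a random region standing in for ciphertext); the 7.5 bits/byte threshold and the block size are assumptions, not values from any product. Compressed or already-encrypted files also read as high-entropy, so the check proves an unencrypted region exists, not that an encrypted-looking one is secure.

```python
import math
import random
import struct
from collections import Counter

BLOCK = 4096   # granularity of the entropy scan (assumed, not a PGP value)
SECTOR = 512   # classic MBR sector size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) over one byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes, threshold: float = 7.5) -> str:
    """'zeros', 'high-entropy' (ciphertext, random or compressed) or 'plaintext'."""
    if not any(data):
        return "zeros"
    return "high-entropy" if shannon_entropy(data) >= threshold else "plaintext"


def scan_image(image: bytes, block: int = BLOCK) -> list:
    """Coalesce consecutive blocks with the same label into (start, end, label) runs."""
    runs = []
    for off in range(0, len(image), block):
        label = classify_block(image[off:off + block])
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], off + block, label)
        else:
            runs.append((off, off + block, label))
    return runs


def parse_mbr(sector: bytes) -> list:
    """Return [(type, lba_start, sector_count), ...] for used MBR entries; [] without a 0x55AA signature."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return []
    entries = []
    for i in range(4):
        # MBR entry: status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        _status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype != 0:
            entries.append((ptype, lba, count))
    return entries


def audit(image: bytes) -> dict:
    """Summarise what an examiner could read from the image without any key."""
    runs = scan_image(image)
    partitions = parse_mbr(image[:SECTOR])
    return {
        "mbr_readable": bool(partitions),
        "partitions": partitions,
        "runs": runs,
        "plaintext_bytes": sum(end - start for start, end, label in runs if label == "plaintext"),
    }


def build_sample_image() -> bytes:
    """Constructed sample disk, not a real drive: plaintext MBR, plaintext 'C', zero gap, noise 'D'."""
    mbr = bytearray(SECTOR)
    # Two NTFS-typed (0x07) entries; LBA 8 = block 1, LBA 56 = block 7. Constructed values.
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 32)
    struct.pack_into("<B3sB3sII", mbr, 462, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 56, 32)
    mbr[510:512] = b"\x55\xaa"
    block0 = bytes(mbr) + bytes(BLOCK - SECTOR)
    text = b"Confidential: quarterly report draft, file deleted in 2011. "
    c_region = (text * (4 * BLOCK // len(text) + 1))[:4 * BLOCK]   # unencrypted leftovers
    gap = bytes(2 * BLOCK)
    rng = random.Random(1234)                                       # deterministic stand-in for ciphertext
    d_region = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK))
    return block0 + c_region + gap + d_region


if __name__ == "__main__":
    result = audit(build_sample_image())
    print("MBR readable:", result["mbr_readable"], "partitions:", result["partitions"])
    for start, end, label in result["runs"]:
        print(f"{start:8d} - {end:8d}  {label}")
    print("plaintext bytes:", result["plaintext_bytes"])
```

On a real drive you would feed `scan_image` the contents of a raw image taken with `dd` (reading it in block-sized chunks rather than loading the whole file), and the expected picture for a correctly encrypted disk is one short plaintext run at the very start (boot code and partition table) followed by high-entropy runs covering every partition. A plaintext run inside a data partition, as in the constructed image, is exactly the condition the thread is worried about: the OS reinstall described in the later posts would have left the whole of C in that state.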