
I have been working with live boot disks recently and I know that it gives you access to the computer's processing power, internet, and various other tasks without the hassle of a username/password.

Is it possible to obtain files created in another OS (e.g. Windows XP) that are saved to the "My Documents" or similar folders in that OS's filesystem? If so, how is this done, and is there any way to stop an attacker from doing this?

Savara
Jon Valentine

3 Answers


Yes - live booting via removable media can give the adversary access (read-only or read-write, depending on drivers) to the local HD. Without going into too many details, an OS can only provide protection while it's loaded. So if you bypass the OS, then the data is not protected.

With that said, you can protect against this type of situation by implementing physical controls. You can lock down the BIOS/firmware on a PC to disable boot from removable media and network (PXE boot). However, if the adversary has physical access to the system, they can easily walk away with the HD or perhaps the entire system and pop the HD into another PC.

Alternatively or in conjunction with the above, you can also protect the data through encryption. You can selectively encrypt data or you can use Full Disk Encryption. FDE encrypts all data on the HD with the exception of a small boot loader. FDE makes it much more difficult for an adversary to access the data, even when they have physical access to the PC. The only way the adversary can decrypt the data is by entering the correct authentication token (i.e. password, USB key, smart card, etc) or in rare instances, weaknesses in the FDE implementation (but this is extremely rare).

D.W.
bangdang
  • Good thorough answer. To add to it, it's not just malicious users that can take advantage of this. If you have a user's system that became corrupt (virus/malware) and it won't boot, it's a great way to retrieve important documents or anything else the user wants to save. – Safado Apr 27 '12 at 17:27
  • All FDE implementations suffer from cold boot attacks (within 5-10 minutes after power off). Ultimately the key has to be stored unencrypted in RAM, and unless the drives have been unmounted cleanly so that this data is scrubbed, it is recoverable until the volatility of the RAM wipes it (anything from 5 minutes to 2 hours). By cooling the RAM one can extend this. – ewanm89 Apr 27 '12 at 18:01
  • In general, I believe the rule of thumb is that if an adversary has physical access to your hardware, it's no longer your hardware. – pdubs Apr 27 '12 at 18:29
  • @ewanm89 source or references for the cold boot attack claim? – Joshua Drake Apr 27 '12 at 20:30
  • Note that physical security of the system is still important even when using full disk encryption. Otherwise an adversary could tamper with the boot loader so that it saves off a copy of the encryption key at system startup when an authorized user provides the key. – Mox Apr 27 '12 at 20:39
  • @JoshuaDrake https://citp.princeton.edu/research/memory/ – ewanm89 Apr 27 '12 at 22:45
  • @Mox The cold boot attack is also physical access; any remote attacks are against an already running system and therefore have access to the system anyway, as the decryption is being done for ordinary usage. – ewanm89 Apr 27 '12 at 22:48
  • It seems silly to point out the cold boot attack on FDE considering there are easier ways to get the information. – Ramhound Apr 30 '12 at 11:15
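A defender-side check in the spirit of the accepted answer (an added example, not code from the original thread): parse the output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` and report every mounted filesystem that is not backed by a dm-crypt/LUKS device, which is exactly the data a live-booted system could read. The sample output is constructed; the plaintext `/boot/efi` partition is the expected "small boot loader" exception the answer describes.

```python
import re
import subprocess

# Constructed sample of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` output:
# a LUKS-backed root, an unencrypted EFI partition (expected under FDE), and a
# second disk whose NTFS data partition is plaintext.
SAMPLE_LSBLK = '''\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="/mnt/data"
'''

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Turn lsblk -P (key="value" pairs) output into a dict keyed by NAME."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            fields = dict(PAIR_RE.findall(line))
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if the device or any ancestor (via PKNAME) is a crypt mapping."""
    while name:
        dev = devices[name]
        if dev["TYPE"] == "crypt" or dev["FSTYPE"] == "crypto_LUKS":
            return True
        name = dev["PKNAME"]
    return False


def audit_mounts(text):
    """Map each mounted filesystem to whether it sits on an encrypted device.
    Anything False here is readable by simply booting other media."""
    devices = parse_lsblk_pairs(text)
    return {d["MOUNTPOINT"]: is_encrypted(devices, d["NAME"])
            for d in devices.values() if d["MOUNTPOINT"]}


if __name__ == "__main__":
    # Audit the live system when lsblk is available, else use the sample.
    try:
        text = subprocess.run(
            ["lsblk", "-P", "-o", "NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSBLK
    for mountpoint, encrypted in sorted(audit_mounts(text).items()):
        print(f"{'ok   ' if encrypted else 'PLAIN'} {mountpoint}")
```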

If you boot into a LiveCD you will get access to all local hard drives. Current distributions such as Ubuntu and OpenSUSE actually give you more access to files on a system than the default installs of XP/Vista/7 grant their own users.

What can you do about it?

Encrypt your user files; this should address basic local security. This is an option that you can set in Windows per-user.

Be careful though, I haven't yet seen a way to recover files from an encrypted user profile.

BloodyIron
  • I don't know about "more" access. It's a simple procedure to claim ownership of a folder or file. – Ramhound Apr 27 '12 at 17:41
  • I find that Windows 7 is really anal about protecting sections of a user's folder, even to local admins. Comparatively accessing the same folders in a Live environment produces no such problems. – BloodyIron Apr 27 '12 at 17:45
  • I have mounted full image backups of previous installations of my operating or even different computers. The process to claim ownership of every single file is trivial. – Ramhound Apr 30 '12 at 11:16
  • Were user profiles encrypted before you made said backups? – BloodyIron Apr 30 '12 at 13:59

There is only one true way to ensure privacy of your hard drive: Full Disk Encryption with a very long key. And even then there are ways to get around this if the attacker has physical access, for example the cold boot attack.

dc5553