Post by macarró
I am using DriveCrypt Plus Pack, could anyone explain in an easy way
where the risk is with that?
From what I understand the preboot password gets stored somewhere in the
keyboard buffer after the computer has been switched off.
How long does the preboot password remain stored in the keyboard
buffer in DCPP?

The problem is this: When you use Full Encryption you must enter the
password before Windows bootup starts. The keystrokes are stored in a
lower section of memory available to the bootloader. Once Windows
boots, it no longer needs the lower keybuffer - Windows traps all
future keystrokes with its own processes and memory buffers. But it
takes no action regarding the contents already in the lower buffer.
The main problem is not anything related to the 'cold boot' attack,
although that could also pose a possible risk. The problem is that a
small piece of assembly code could be placed by malware which could
read the contents of that original keybuffer. Your entire password
would remain there plainly visible during any time your computer was
on. Most encryption software will clear their own memory buffers of
entered passwords (they use master keys extracted with the passwords)
but they had not provided any method of clearing the lower level
At the time of the first report, I had used a hex editor on memory of
a machine running DCPP and the entire password was still there after
Windows booted. Then I tested a TC machine and one with BestCrypt
Volume Encryption. Same potential problem. Jetico rushed a first fix
followed by TrueCrypt a day or so later.
As far as I know, if you are using DCPP, it clears all passwords
within Windows allocated memory buffers but I think the lower buffer
is not cleared since I have seen no news from them otherwise. I
removed DCPP, not because of this, but I needed that machine for other
If Shaun is still with Securstar, perhaps he (or anyone else on their
staff) could provide additional progress reports.
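
An added example, not part of the thread and not any vendor's actual fix: a C simulation of the standard PC BIOS keyboard ring (BIOS Data Area, segment 0x40, pointers at 0x1A/0x1C, 32-byte buffer at 0x1E), assuming that is the "lower buffer" meant above. It shows why consumed pre-boot keystrokes stay in memory and what a residue check and wipe look like. The function names, sample password and scancode are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS Data Area offsets within segment 0x40 (physical 0x400). */
#define KBD_HEAD 0x1A /* 16-bit offset of next key to read */
#define KBD_TAIL 0x1C /* 16-bit offset of next free slot   */
#define KBD_BUF  0x1E /* 16 slots of (ASCII, scancode)     */
#define KBD_LEN  32

/* Simulated keystroke that the pre-boot prompt reads at once:
 * only the pointers move, the stored bytes are left behind. */
static void sim_key(uint8_t *bda, uint8_t ascii, uint8_t scan) {
    uint8_t tail = bda[KBD_TAIL];          /* offsets fit in the low byte */
    bda[tail] = ascii;
    bda[tail + 1] = scan;
    tail = (uint8_t)((tail + 2 >= KBD_BUF + KBD_LEN) ? KBD_BUF : tail + 2);
    bda[KBD_TAIL] = bda[KBD_HEAD] = tail;  /* buffer now "empty" */
}

/* Check: count non-zero bytes still sitting in the ring. */
static size_t kbd_residue(const uint8_t *bda) {
    size_t n = 0;
    for (size_t i = 0; i < KBD_LEN; i++) n += bda[KBD_BUF + i] != 0;
    return n;
}

/* Mitigation: zero the ring and reset both pointers before handing
 * control to the OS. volatile stops the compiler eliding the stores. */
static void kbd_wipe(volatile uint8_t *bda) {
    for (size_t i = 0; i < KBD_LEN; i++) bda[KBD_BUF + i] = 0;
    bda[KBD_HEAD] = bda[KBD_TAIL] = KBD_BUF;
}

/* Types a constructed password into a simulated BDA, optionally wipes. */
static size_t demo_residue(int wipe) {
    uint8_t bda[0x100] = {0};
    bda[KBD_HEAD] = bda[KBD_TAIL] = KBD_BUF;
    for (const char *p = "Tr0ub4dor"; *p; p++)  /* constructed password */
        sim_key(bda, (uint8_t)*p, 0x1E);        /* constructed scancode */
    if (wipe) kbd_wipe(bda);
    return kbd_residue(bda);
}

int main(void) {
    printf("residue: %zu bytes, after wipe: %zu\n", demo_residue(0), demo_residue(1));
    return 0;
}
```

Because the ring holds 16 slots, a longer password overwrites its own oldest keystrokes, so only the most recent 16 remain as residue.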