Didier Stevens

Monday 13 July 2009

Quickpost: TrueCrypt’s Boot Loader Screen Options

Filed under: Encryption,Entertainment,Quickpost — Didier Stevens @ 0:26

Ready for some Security Through Obscurity fun?
I’ve been playing with TrueCrypt’s Boot Loader Screen Options to display a custom message when I boot my laptop with full disk encryption.

[Image: 20090712-130932]

It’s probably enough to be misleading during a casual inspection of your laptop:

[Image: 20090712-131802]

The screen doesn’t even display asterisks when you type your TrueCrypt password.
It’s just as unresponsive as the original “NTLDR is missing” screen.
The only difference from the Windows XP “NTLDR is missing” message is that the original is just a bit longer:

[Image: 20090712-112128]

Or you can just let it display gibberish, like this:

[Image: 20090712-135343]

[Image: 20090712-135116]

And if challenged, say your laptop was infected with a virus from that damned hotel’s WiFi network.




15 Comments »

  1. […] July 2009 by admin The Belgian security researcher Didier Stevens uses the boot screen of the encryption software TrueCrypt to […] people who want to inspect his laptop […]

    Pingback by TrueCrypt boodschap moet laptop inspectie misleiden - BLOG PC Web plus - — Monday 13 July 2009 @ 8:17

  2. This works, until someone presses escape. I am using TrueCrypt for my Windows partition but I also have a Linux distro installed on another partition. Pressing escape will lead me to the GRUB bootloader installed in the Linux partition.
    I guess the same thing applies to this trick when you do not have a dualboot system, pressing escape will bypass the bootloader and I guess leaves you with some TrueCrypt error message or NTLDR error.
    So I’d rather use the first obscurity method because it would be strange to see gibberish and after pressing escape seeing the Windows or TrueCrypt bootloader (fail) 🙂

    It is an interesting concept though.

    Comment by Tim — Monday 13 July 2009 @ 8:35

  3. Simple but elegant. You rock as usual. Some organizations are lucky to have you as a volunteer. 😉

    Comment by Security4all — Monday 13 July 2009 @ 9:24

  4. @Tim There’s an option to disable the boot manager (i.e. ESC key).

    But the most important aspect to get this trick to work are your social engineering skills, not your technical skills 😉

    Comment by Didier Stevens — Monday 13 July 2009 @ 10:01

  5. If you have the time and inclination, could you also put #Becrypt on the grill sometime? 🙂

    Comment by Bram — Monday 13 July 2009 @ 14:17

  6. […] gives us a nifty little tip on hiding the fact that our laptop is encrypted. Quickpost: TrueCrypt’s Boot Loader Screen Options << Didier Stevens Tags: ( encryption truecrypt […]

    Pingback by Interesting Information Security Bits for 07/13/2009 | Infosec Ramblings — Monday 13 July 2009 @ 21:03

  7. I’d like for the next version of TrueCrypt to have the option of automatically loading the decoy system if the hidden system password is not entered within 5 seconds.

    In my case, I can actually get a hidden operating system working and have the decoy system unencrypted (no need to type a password) which is what I want to happen. Unfortunately, the boot loader of TrueCrypt still waits for a password, and I just put the text “Press ESC to continue.”

    I want it so that I don’t need to press ESC, just let it wait for a few seconds.

    Comment by David — Thursday 12 August 2010 @ 6:55

  8. Why is this message so short?
    How can I even put owner details on my laptop to provide Lost and Found information?

    I would like to put something like this:

    “If this laptop is found, please contact the owner :
    Email: owner@email.com
    Phone: 555-555-5555”

    Comment by Wobble — Friday 15 October 2010 @ 4:24

  9. […] thing I like A LOT about TrueCrypt is the possibility of doing this, that is, changing the PBA boot message to something like “Windows loader is […]

    Pingback by Alfredo Reino » Archivo del Blog » Criptografía y Privacidad – Cifrado de discos — Friday 26 November 2010 @ 11:55

  10. @9 I hope you’re trying to make a joke and I just don’t get it…otherwise, why the hell would you want that sort of information readily available on the boot screen of a system you are obviously concerned about the security of?

    Or if you’re so unconcerned about your system security…why are you using TrueCrypt?

    Comment by NoTownKasper — Saturday 15 January 2011 @ 2:53

  11. @11, I can answer that: I’m concerned about the data on my laptop falling into the wrong hands should I lose it, or it be stolen. I am not carrying state secrets on there. If I lose it, though, it would be nice to have the thing returned to me. Putting my contact info in the bootloader lets a finder know how to get it back to me without giving them access to my sensitive files.

    Comment by Tony Karakashian — Tuesday 1 March 2011 @ 0:55

  12. @9, definitely agree. I’m not worried about feds or any “spies”, my information isn’t valuable enough to take the time and resources to break the encryption. All I’m worried about is thwarting the common thief or any technically savvy person who knows the simple Linux boot disk trick for resetting a Windows login password. I want them to see it’s not worth their time when they steal it and just leave it sitting for some “good” person with a conscience to pick it up and be able to return it to me. Even if someone with enough expertise to know that they can just replace the drive to have a perfectly good laptop gets a hold of it, then I will at least know my data has been safe.

    Comment by Guy who doesn't like the idea of being hacked — Saturday 26 March 2011 @ 4:12

  13. @13 or just install Windows over your encrypted drive 🙂

    Comment by Anonymous — Tuesday 17 January 2012 @ 10:48

  14. Put your contact info on a sticker that is visible. I marked my laptop with a paint pen.

    Comment by David — Tuesday 14 February 2012 @ 13:06

