BitLocker reliability when encrypting selective folders only

[tekset5]

Hi,

I understand that whole encryption drive is always better, but really the ONLY thing I need to encrypt is MY DOCUMENTS, as this is where all my personal data is. So my question is, if I used bitlocker to encrypt that one folder only, and say my hard disk was stolen, would they be able to find or regenerate the encryption certificate key somehow? I assumed that since all the system files are available, they might be able to find a way to locate that or retrieve it in some way.

Also, if someone did steal the hard disk, wouldnt they be able to run a password reset tool (I know it existed on XP, it was a boot cd) on the operating system and just log in with a new password, then retrieve the MY DOCS contents (since once you log in, you can see the data)??

Thanks in advance!

 

[Alejandro85]

I guess you're refering to EFS instead of BitLocker, as it's only for whole drive (as far as I know).

Anyway, to quickly answer your concrete question, yes, it CAN always be decrypted once they got your HD in their hands. The key point for this is that they gain physical access, and security-wise that's "game over, the attacker won".

The real reason behind this is that with your encrypted files in hands, they are always able to run any kind of offline attack they want, completely ignoring whatever security you might put. They can, at the very least, run a brute force on your password or the encryption keys, and given enough time, get your data. This is not a problem specific to EFS or Windows or anything, but any encryption technology has the same flaw.

The only variable you can affect is how long it may take to do it. Brute force, or even some dictionary attacks take much time, not to mention that a casual thief may not care at all at it, just reselling the thing for easy profit. Encryption main attempt is to make an attacker think twice if it's worth to attempt to crack it or not, as it'll be very resource and time consuming.
Different is the case if someone specifically wants something on your HD, when you may expect people will spend any resources they have to get what they want.

In practice, an encrypted HD will possibly deter most people away (going for the lowest-hanging fruit) because they see it as "too hard" (for a good reason), but keep in mind that a determined attacker (for whatever reason) may be able to get it. So, if you need 100% security, the only way to go is not to let the HD in the incorrect hands.

 

[tekset5]

Yes, sorry, I think I meant EFS. Its where you right click a folder, go to properties->advanced and then encrypt.

I understand perfectly well that the brute force can be used, and you can only effect the time it takes to encrypt. Which is the exact point. We can easily make it such that it would take them millions of years to decrypt. IMO, that is essentially the same as saying it cannot ever be cracked.

What i want to know is, besides brute force, is there any OTHER way they can crack a folder encryption?

That is, can they somehow retrieve/reset the login password, in order to log into windows and view the folder. OR can they somehow obtain the encryption key (or file) by searching through the system files and maybe running something?

 

[logicearth]

Btw, forcing a password reset or changing it outside of the user account makes those encrypted folders impossible to access. Your password is tied to the encryption key.

 

[Alejandro85]

That is, can they somehow retrieve/reset the login password, in order to log into windows and view the folder. OR can they somehow obtain the encryption key (or file) by searching through the system files and maybe running something?

Yes, it's possible to do such things. There are programs that do that, provided the whole disk is unencrypted. Since login passwords are hashed, they can probably apply those brute force (or most likely, rainbow tables) to crack them offline, and login into your account. It's not difficult to do so, and MUCH easier than crack the actual encryption key. Reseting the password is even simpler, but pointless as it would invalidate the certificate as logicearth said.

The certificate itself can be extracted by logging in into another administrator account and accessing the certificate store (again trivial if they can reset the administrator password without disturbing yours).

Someone may correct me here, but I was always under the impression that EFS is in practice more effective locking out more legitimate users rather than a skilled attacker, all because the encryption key is stored together with the data, and relying on tying it with the user password and Windows installation.

Btw, forcing a password reset or changing it outside of the user account makes those encrypted folders impossible to access. Your password is tied to the encryption key.

But how do you achieve the same once they gain access to the computer? Nice in an emergency as a "self-destruct button", though