David,

As Dustin stated, there are few known and publicised 'audits' of eCryptfs. That's not to say they have not been done.

However, I am one of the first that I know of who's written an academic paper on it in the UK. I have literally just submitted my final year MS(c) Thesis to the University here in England - it was basically about the digital forensic implications of eCryptfs for digital investigators. It's not for general circulation though, unfortunately. It's worth me stating that I am by no means a smart guy - fairly average, so my findings could well be flawed or incomplete.

Though my experiments opened up a whole new world of potential new areas of research, I did not find a way to 'simply' bypass eCryptfs. There is nothing over and above what Dustin has stated in his blogs and press interviews, such as potential swap partition caching, weak login passwords etc. If you choose a good login password, it's as tough as old boots! Have you ever read about the creation and exchange of the FEKEK, FEK, EFEK and FNEKs, use of salt, etc? It's enough to send you mad! Creating flow charts about it sent me insane!

With the right kit, experience, knowledge and (most significantly) physical access to both the machine and the wrapped-passphrase file where eCryptfs is running, recovery of encrypted data may be possible. I demonstrated how, using standard login passwords (such as the name of a city), and a fairly powerful computer with fairly good password recovery software and techniques, access could be gained in an hour or so. I also demonstrated how, with physical access, a certain hardware vulnerability could be exploited and used to potentially pull out the login password from memory, no matter how long or complex it is. None of this is new news though. Dustin has said as much himself. Without physical access to the machine or if a very good login password is chosen, it seems largely impossible to bypass eCryptfs encryption to me.

That said, my research has now put eCryptfs 'on the map', so to speak, in the digital forensic world here in the UK. Several practitioners have now got their eye on it. Like anything new, everyone now wants to have a play! That's a good thing for eCryptfs in my view, as I can report back findings.

Ted

_______________________________________________
Mailing list: https://launchpad.net/~ecryptfs-users
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ecryptfs-users
More help   : https://help.launchpad.net/ListHelp

