The tool's website says you need to boot from the CD or Floppy disk. I suspect that type of tool is not going to get around Bitlocker-ed partitions, or other similar types of full-disk encryption.
Cheers
Ken

________________________________________
From: Ben Scott [[email protected]]
Sent: Saturday, 25 April 2009 6:01 AM
To: NT System Admin Issues
Subject: Re: Spotted this a couple of days ago...

On Fri, Apr 24, 2009 at 2:15 PM, David Lum <[email protected]> wrote:
> If you had disk encryption that would protect against this tool though yeah?

Disk encryption will protect you from a password editor, like pnordahl's ntpasswd utility. I don't think disk encryption will protect you from a runtime debugger/patch like Kon-Boot claims to be.

Password editors involve booting and running software which lets you edit the NT authentication database (also called "SAM"). It bypasses security since the booted software is under the control of the attacker, rather than the nominal system owner. Disk encryption will thwart such scenarios, because without the encryption key, you can't read the disk's metadata structures, nor write valid data to the hard disk.

A runtime debugger/patch involves booting software which sets up the processor in a debugging mode, then chains to the OS on the hard disk. The OS thinks it's booting normally, but when it comes time to log in, the debugger recognizes the login routine and patches the logic which checks the credentials, such that they always allow logon. Disk encryption won't help you here, since the OS ends up booting and doing all its disk encryption stuff like it normally would.

One important difference between a password editor and a runtime debugger/patch is that the former leaves evidence -- the password, stored on disk, will no longer be what it should be. A well-done runtime debugger/patch will not leave any evidence behind.

It may be possible for an OS to detect that it's being debugged/patched and halt the system. That would depend on what the hardware architecture allows for debugging, i.e., whether a debugger can run completely transparently or not. I can't remember the specifics (i.e., how x86 does things).
But a pure software VM could, in theory, thwart even that.

-- Ben
