
Earlier this month a story broke about Christopher Glenn, a former contractor who was found guilty of copying sensitive files from the US military’s systems. It wouldn’t have gained much interest, but for one thing: the FBI managed to access data that Glenn had stored in a hidden TrueCrypt partition. The question was posed: Can the FBI decrypt TrueCrypt? The short answer would seem to be ‘yes’, but not because of some weakness in the software itself, or because of some capability that’s not yet public.

Glenn’s ‘compound’ was raided because he was allegedly engaged in the sexual exploitation of minors. However, he was actually convicted for the theft of sensitive military files, none of which apparently were ‘Top Secret’, and there’s no mention of espionage. He was fired for stealing the files in October 2012, but it wasn’t until March 2015 that the drive containing the encrypted partition was acquired, according to The Register article. From this, we could surmise that the FBI managed to defeat Glenn’s encryption within a short period, during a fairly routine investigation. But how? The three most probable explanations are:

* Glenn wrote the 30-character password down somewhere.
* The FBI coerced him into revealing the password.
* The encryption key was stored in system memory during the raid.

Even with technical expertise, it’s actually very hard to use encryption to withhold evidence of a serious crime. As Glenn discovered the hard way, it’s analogous to cleaning up a physical crime scene, trying to confound an experienced forensics team – and this holds true for an isolated computer. Doing this in an IT ‘ecosystem’ that’s more or less fully compromised by the intelligence services in collusion with Silicon Valley firms requires a paranoid mindset, an extreme level of self-discipline and meticulous OPSEC.

On the surface, a fully encrypted volume protected with a complex 30-character password is a good way to use TrueCrypt, but the problem again is that the partition was being encrypted and decrypted within a larger ‘ecosystem’. The activity has a footprint. An operating system might record the fact that a hidden partition was occasionally being mounted, the password or key is retained in system memory while the volume is mounted, and the NSA/GCHQ could determine whether someone of interest downloaded a copy of TrueCrypt. In the United Kingdom, that’s pretty much enough to pressure a suspect into revealing a password under RIPA 2000.