Recently, because of work requirements, I have started looking into laptop hard-disk encryption.

At a rough glance, laptop encryption implementations fall into three categories: computers with an encryption chip use a disk password set in the BIOS; Mac laptops use FileVault; computers without an encryption chip use software encryption (TrueCrypt). Each of the three is analysed below:

BIOS encryption with an encryption chip:

The advantage of this kind of encryption is that it can cover the whole disk, even the MBR, so it is true full-disk encryption; because the encryption is done by the chip, the contents cannot be read even if the drive is removed. But its disadvantages are just as obvious: it offers no flexibility, it can only encrypt the whole drive, and because the disk is decrypted as soon as the machine boots, a powered-on computer has no confidentiality at all.

FileVault encryption on Macs:

FileVault comes in two versions, FileVault 1 and FileVault 2; since OS X 10.7 FileVault 2 is used throughout, and because FileVault 1 has now been shown to be breakable, it has left the stage.

Software encryption (TrueCrypt) on computers without an encryption chip:

Software encryption is more flexible than hardware encryption: it can encrypt individual files, partitions and so on. However, it cannot encrypt metadata, so there is a risk of information leakage, and because the password is stored locally there is a possibility of it being cracked.

Now let's look at how each kind of encryption can be detected:

BIOS encryption with an encryption chip:

The detection approach is mainly based on the memory offset of the BIOS encryption-enabled boot flag; example code and analysis are given below:

# placeholder (to be filled in)

FileVault encryption on Macs:

Use a Mac shell script that extracts keywords from the command-line output with regular expressions (reference link); the example code and analysis follow:


#!/bin/sh
# Reports FileVault 2 status by parsing the output of `diskutil cs list` (CoreStorage).
# Intermediate results are written to temporary files that are removed at the end.
CORESTORAGESTATUS="/private/tmp/corestorage.txt"
ENCRYPTSTATUS="/private/tmp/encrypt_status.txt"
ENCRYPTDIRECTION="/private/tmp/encrypt_direction.txt"
# Remove stale output left behind by an earlier, interrupted run.
rm -f "$CORESTORAGESTATUS" "$ENCRYPTSTATUS" "$ENCRYPTDIRECTION"

# Number of CoreStorage logical volume groups. With more than one group, diskutil
# prefixes the nested lines with "|", so the grep pattern has to allow for it.
DEVICE_COUNT=`diskutil cs list | grep -E "^CoreStorage logical volume groups" | awk '{print $5}' | sed -e 's/(//'`
EGREP_STRING=""
if [ "$DEVICE_COUNT" != "1" ]; then
    EGREP_STRING="^\| *"
fi

# Minor OS X version number (10.7 -> 7); FileVault 2 requires 10.7 or later.
osversionlong=`sw_vers -productVersion`
osvers=`echo "$osversionlong" | awk -F. '{print $2}'`

# Pull the fields of interest out of the listing; sed strips the "|" tree prefix.
CONTEXT=`diskutil cs list | grep -E "${EGREP_STRING}Encryption Context" | sed -e 's/|//' | awk '{print $3}'`
ENCRYPTIONEXTENTS=`diskutil cs list | grep -E "${EGREP_STRING}Has Encrypted Extents" | sed -e 's/|//' | awk '{print $4}'`
ENCRYPTION=`diskutil cs list | grep -E "${EGREP_STRING}Encryption Type" | sed -e 's/|//' | awk '{print $3}'`
CONVERTED=`diskutil cs list | grep -E "${EGREP_STRING}Size \(Converted\)" | sed -e 's/|//' | awk '{print $5, $6}'`
SIZE=`diskutil cs list | grep -E "${EGREP_STRING}Size \(Total\)" | sed -e 's/|//' | awk '{print $5, $6}'`

if [[ ${osvers} -lt 7 ]]; then
    echo "FileVault 2 Encryption Not Available For This Version Of Mac OS X"
fi

if [[ ${osvers} -ge 7 ]]; then
    diskutil cs list >> "$CORESTORAGESTATUS"
    if grep -iE 'No CoreStorage' "$CORESTORAGESTATUS" 1>/dev/null; then
        echo "FileVault 2 Encryption Not Enabled"
    fi

    if grep -iE 'Logical Volume Family' "$CORESTORAGESTATUS" 1>/dev/null; then
        if [ "$CONTEXT" = "Present" ]; then
            if [ "$ENCRYPTION" = "AES-XTS" ]; then
                # Encrypted volume family: either fully converted or still converting.
                diskutil cs list | grep -E "${EGREP_STRING}Conversion Status" | sed -e 's/|//' | awk '{print $3}' >> "$ENCRYPTSTATUS"
                if grep -iE 'Complete' "$ENCRYPTSTATUS" 1>/dev/null; then
                    echo "FileVault 2 Encryption Complete"
                else
                    if grep -iE 'Converting' "$ENCRYPTSTATUS" 1>/dev/null; then
                        diskutil cs list | grep -E "${EGREP_STRING}Conversion Direction" | sed -e 's/|//' | awk '{print $3}' >> "$ENCRYPTDIRECTION"
                        if grep -iE 'Forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                            echo "FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted"
                        else
                            echo "FileVault 2 Encryption Status Unknown. Please check."
                        fi
                    fi
                fi
            else
                if [ "$ENCRYPTION" = "None" ]; then
                    # Encryption type "None": either decrypting (backward) or decryption finished.
                    diskutil cs list | grep -E "${EGREP_STRING}Conversion Direction" | sed -e 's/|//' | awk '{print $3}' >> "$ENCRYPTDIRECTION"
                    if grep -iE 'Backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted"
                    elif grep -iE '-none-' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "FileVault 2 Decryption Completed"
                    fi
                fi
            fi
        fi
    fi
fi

# Where diskutil reports "Has Encrypted Extents" and "Fully Secure", use those fields directly.
if [ "$ENCRYPTIONEXTENTS" = "Yes" ]; then
    diskutil cs list | grep -E "${EGREP_STRING}Fully Secure" | sed -e 's/|//' | awk '{print $3}' >> "$ENCRYPTSTATUS"
    if grep -iE 'Yes' "$ENCRYPTSTATUS" 1>/dev/null; then
        echo "FileVault 2 Encryption Complete"
    else
        if grep -iE 'No' "$ENCRYPTSTATUS" 1>/dev/null; then
            diskutil cs list | grep -E "${EGREP_STRING}Conversion Direction" | sed -e 's/|//' | awk '{print $3}' >> "$ENCRYPTDIRECTION"
            if grep -iE 'forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                echo "FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted"
            else
                if grep -iE 'backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                    echo "FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted"
                elif grep -iE '-none-' "$ENCRYPTDIRECTION" 1>/dev/null; then
                    echo "FileVault 2 Decryption Completed"
                fi
            fi
        fi
    fi
fi

if [ "$ENCRYPTIONEXTENTS" = "No" ]; then
    echo "FileVault 2 Encryption Not Enabled"
fi

# Clean up the temporary files.
if [ -f "$CORESTORAGESTATUS" ]; then
    rm "$CORESTORAGESTATUS"
fi
if [ -f "$ENCRYPTSTATUS" ]; then
    rm "$ENCRYPTSTATUS"
fi
if [ -f "$ENCRYPTDIRECTION" ]; then
    rm "$ENCRYPTDIRECTION"
fi
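The same decision logic, written as an added example that is not the post's script and not Apple's code: a function that parses the `diskutil cs list` text from standard input and prints one status line, without temporary files, so it can be exercised against a constructed listing. The field names (Encryption Type, Conversion Status, Conversion Direction, Size (Converted), Size (Total)) are the ones the post's script greps for; the sample listing, its UUIDs and its sizes are constructed for the demonstration, not captured from a real Mac, and the function names `cs_field`, `fv2_status` and `sample_listing` are my own.

```shell
#!/bin/sh
# Added example (not the original post's script): decide FileVault 2 status
# from the text of `diskutil cs list` read on stdin, with no temp files.

# Print the value of the first "Label:   value" line in the listing on stdin.
# The "|" / space tree prefix that diskutil adds for nested items is stripped.
cs_field() {
    sed -e 's/^[| ]*//' | grep -F "$1:" | head -n 1 | sed -e "s/^$1:[ ]*//"
}

fv2_status() {
    fv_listing=$(cat)                     # whole `diskutil cs list` output
    if printf '%s\n' "$fv_listing" | grep -q 'No CoreStorage'; then
        echo "FileVault 2 Encryption Not Enabled"
        return 0
    fi
    fv_type=$(printf '%s\n' "$fv_listing" | cs_field 'Encryption Type')
    fv_state=$(printf '%s\n' "$fv_listing" | cs_field 'Conversion Status')
    fv_dir=$(printf '%s\n' "$fv_listing" | cs_field 'Conversion Direction' | tr '[:upper:]' '[:lower:]')
    fv_done=$(printf '%s\n' "$fv_listing" | cs_field 'Size (Converted)')
    fv_total=$(printf '%s\n' "$fv_listing" | cs_field 'Size (Total)')

    # One decision over the three fields instead of nested greps on temp files.
    case "$fv_type/$fv_state/$fv_dir" in
        AES-XTS/Complete/*)
            echo "FileVault 2 Encryption Complete" ;;
        AES-XTS/Converting/forward)
            echo "FileVault 2 Encryption Proceeding. $fv_done of $fv_total Encrypted" ;;
        None/Converting/backward)
            echo "FileVault 2 Decryption Proceeding. $fv_done of $fv_total Decrypted" ;;
        None/*|/*)
            # CoreStorage volume present but unencrypted: never enabled, or decryption finished.
            echo "FileVault 2 Encryption Not Enabled" ;;
        *)
            echo "FileVault 2 Encryption Status Unknown. Please check." ;;
    esac
}

# Constructed listing in the shape of `diskutil cs list`; UUIDs and sizes are made up.
# $1 Encryption Type, $2 Conversion Status, $3 Conversion Direction, $4 Size (Converted)
sample_listing() {
    cat <<EOF
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         499418034176 B (499.4 GB)
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         $1
        Conversion Status:       $2
        Conversion Direction:    $3
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000003
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            Size (Total):          499069652992 B (499.1 GB)
            Size (Converted):      $4
            LV Name:               Macintosh HD
EOF
}

# Demo on the constructed listing. On a real Mac: diskutil cs list | fv2_status
sample_listing AES-XTS Converting forward "120000000000 B (120.0 GB)" | fv2_status
```

Because the parser reads the listing from stdin, the output of `diskutil cs list` captured from any machine can be fed to it for offline checking, and the mid-conversion states (forward and backward) are handled explicitly rather than falling through to "Unknown". On OS X 10.8 and later, `fdesetup status` answers the enabled/disabled question in one call and is the simpler check when only that is needed.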


Software encryption (TrueCrypt) on computers without an encryption chip:

TrueCrypt is open-source software: download its source code and analyse it to work out how to detect whether full-disk encryption has been enabled.