Another option, Cox said, is to ask software and hardware makers for help, especially when searching someone's house or office and encryption is suspected. "Manufacturers may provide us with assistance," he said. "We've got to make all of those arrangements in advance." (In a 2008 presentation, Cox reportedly alluded to the Turkish government beating a passphrase out of one of the primary ringleaders in the TJ Maxx credit card theft investigation.)
Sometimes, Van Buren said, there's no substitute for what's known as a brute force attack, meaning configuring a program to crack the passphrase by testing all possible combinations. If the phrase is short enough, he said, "there's a reasonable chance that if I do lower upper and numbers I might be able to figure it out."
Finding a seven-character password took three days, but because each character has 62 likely possibilities (26 uppercase letters, 26 lowercase letters, 10 digits), an eight-character password would take 62 times as long. "All of a sudden I'm looking at close to a year to do that," he said. "That's not feasible."
To avoid brute-force attacks, the Secret Service has found that it's better to seize a computer that's still turned on with the encrypted volume mounted and the encryption key and passphrase still in memory. "Traditional forensics always said pull the plug," Van Buren said. "That's changing. Because of encryption...we need to make sure we do not power the system down before we know what's actually on it."
A team of Princeton University and other researchers published a paper in February 2008 that describes how to bypass encryption products by gaining access to the contents of a computer's RAM--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys.
It seems clear that law enforcement is now doing precisely that. "Our first step is grabbing the volatile memory," Van Buren said. He provided decryption help in the Albert "Segvec" Gonzalez prosecution, and the leaked HBGary e-mail files show he "went through a Responder Pro class about a year ago." Responder Pro is a "memory acquisition software utility" that claims to display "passwords in clear text."
Cox, from the Justice Department's computer crime section, said "there are certain exploits you can use with peripheral devices that will allow you to get in." That seems to be a reference to techniques like one Maximillian Dornseif demonstrated in 2004, which showed how to extract the contents of a computer's memory merely by plugging in an iPod to the FireWire port. A subsequent presentation by "Metlstorm" in 2006 expanded the FireWire attack to Windows-based systems.
And how to make sure that the computer is booted up and turned on? Van Buren said that one technique was to make sure the suspect is logged on, perhaps through an Internet chat, and then send an agent dressed as a UPS driver to the door. Then the hapless computer user is arrested and the contents of his devices are seized.