DiskCryptor and Windows 10 – does it work?

Never ever decrypt a disk and encrypt it again, real data will be accessible with forensic tools.

HDD, SDD, Memory Cards, etc. can be readed in forensic and get near the 83 last states.

To ensure data will not be recoverable you need to do a wipe with at least 100 pass with special patterns, that way a forensic will not be able to get the data that the disk / memory had on the past.

Such forensic is done in laboratories, analizing how the physical particles are.

Each bit of data is not really a 0 or a 1, if you write the same value twice on the same position, the physical medium can be seen different than doing a write of a 0 after a write of a 1, etc.

Of course, the controller of the medium will not let you get such old data, but a more datailed scan of the material can get such data… that is the way some companies can recover 100% of your data after a full 100% surface format… but it has a cost.

Just as an example, recover tha last 5 states of a position (normally a 4KiB) on a disk can cost 500 euros, recovering a HDD of 500GiB can cost 1200 euros, but recovering last 10 states of such disk can cost some million of euros, most of the cost is because it is needed more than a month of supercomputing, not to mention last 83 (the top most record i know had gotten one company as a proof of concept).

Getting such 83 last states was done on a 32MiB block and took more than five years of supercomputing, but they got 100% of all 83 last states… they tried for the 84 last state and only got near 85% of the data.

Decrypting a disk over a non-encrypted disk is very risky, the data will be on plain and will still be accesible at least until it will be overwritten near 83 or more times.

So i use this technique to ensure i am on the safe line (all done on a secured with physical access control)… warning… it can take a full month to do it with a 500GiB system partition:

1.- Decrypt over the disk, so it will be normal and accesible by anyone
2.- Clone the partition, to be safe, over a secured encrypted disk (a disk i prepared that after being encrypted and mounted has been wiped at least 100 times, including 100% of the partition, not only data zones, and then formated so i can write files on it and be sure any last state, at least 100, will be garbage)
3.- Do what ever i need to update the system that would not work if encrypted
4.- Do another clone on that secured disk i mention in step 2
5.- Encrypt over the disk, so now it is encrypted… but not yet safe, last 83 states can be recovered, and last states where not encrypted
6.- Do another clone of the encrypted version (not mounted) over such secured disk i mentioned on step 2
7. Do at least 100 wipe passes on all the disk with garbage and special patterns, this way last states will not be agle to be recovered with laboratory forensic techniques… this step can took more than a month
8. Recover the encrypted clone (the one i did on step 6), so now the disk presents the same data as on step 6, but between step 2 and 8 the disk has been wiped at least 100 times.

That is it, a lot of work to ensure clear data will not be recoverable from the disk.

Not to mention, i use a cascade algorithms, muti password levels, keyfiles, etc.

Be secure implies be slow, really slow.

If you do not want such level of security… do a different thing… use a Read Only Live Distro on the disk (no need to encrypt nothing, because nothing can be written), mount an external media where your data is and work with it, unmount it and put such data on a secured place.

There are the two options… Windows way (slow encryption multi layer) or Linux way (Read Only Distros with all software you need).

If you need to upgrade/update Linux software on a Distro… boot with it, recreate the new ISO, then replace old one with the new one… or better, have both and edit bootloader to let choose, so you can test the new one prior to replace the old one with the new one.

Yes, Linux can boot a distro from inside an ISO (if that distro is prepared for that, for ecample it initramfs is configured to loop mount the iso).

Another good thing of Read Only Linux Distros is that they allways boot identically (if no hardware fail or is changed) and they do not need to write anything anywhere, they do such writes on a ram drive that get lost on next reboot, but they can mount anything you want on read/write.

Once someone has discovered / used one of such distros, never ever again want to use a normal Linux installed on the disk.

Just as a point… on some of them you can also mount in read/write another medium and put it in join way (better said differencing) so any block of the ISO file can be written, but not on the ISO itself, on the differencing file… so you can install software, etc… also you can reboot and mantain such changes until you want to throuth them away.

The nearest concept most known for most people is the Inmutable and not auto-reset functions of a VirtualBox Disk… but for your real system.

It is like taking a snapshot of your system, but much better… a snapshot can be edited by malware, the ISO file not… Kernel mounts it in Read Only and if you do not set a mount point for holder, it will no be accesable.

Just to clarify that… the ISO is under a path on a mount point (only visible on initramfs), such mount point will not be visible by the kernel after mount rootfs. Warning: It will not be possible to unmount it, so do not use any filesystem that needs unmount… that is why i allways talk about ISO… but is it really a RAW image, not an ISO 9660 FileSystem, Joliet, etc.

Or do it also better, like me if you are as paranoid as me… Put an Ext4 on the whole disk… now search for a sector to sector zone on the free space and use a loop mount of that area as the rootfs… Linux system is hidden… of course this needs a two level of LUKs without headers to make a search on the disk not be able to find it… and a Grub2 on external medium that let you type the mount commands… done with a mini linux kernel + initramfs that presents a console prompt that let me loop mount the rootfs and then load the kernel & initiram of the hidden Linux, warning, the initramfs of that Linux must also have that console prompt and i need to type twice per boot such mount commands, one to be able to read kernel and initramfs, one for the Linux have rootfs mounted. Paranoid way.

Windows sucks, it does not let me hide it (while running it on real hardware), so i prefer to use VirtualBox under such hidden Read Only Linux Distro and over it the Windows… and of course the differencing RAW file i use for such Hidden Read Only Linux is stored over a LUKs container, so i can reboot and not loose apps i installed, etc… when i am happy with new configuration i recreate the RAW image for such Hidden Read Only Linux and test it, after really happy i replace the old one with the new one. The system allways boots without any write to disk (unless i order the oposite, aka mount the diff file) and i can use my external data in R/W way, also secured the same way.

I carry all that on a disk inside a USB 3.1 Gen2 TypeC (10Gi/s) enclosure, so my PC has no internal medium., so i can boot my Linux in near any PC, BIOS only or U-EFI (i put both Grub2 versions), and i only need 1GiB of RAM (2GiB or more if i want to run Windows under VirtualBox, depends on what Windows i want to run).

Thanks for this blog entry, Mr. Khromov!

As of 2020, I am still using Diskcryptor on Windows 10 (1909). Sadly, the offical Diskcryptor site seems to be abandoned. Is Diskcryptor still safe to use? Do you still use it? I thought about migrating to VeraCrypt, but Diskcryptor still works absolutely fine.

Sincere regards