Technical Details: Registry Entries
The PC version of FreeOTFE doesn't create any registry entries for itself unless the user chooses to associate ".vol" files with the application, in which case only those registry entries which are required to associate the FreeOTFE executable with the filename extension are created. All user options and settings are stored in a ".ini" file located in the FreeOTFE directory.
In addition to this, MS Windows does create a registry entry for each FreeOTFE driver used. This is inevitable; all OTFE systems running under MS Windows are required to do this in order to function correctly.
The following registry entries are typically created by MS Windows:
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<driver name>
These keys may have the following values under them:
| Value | Type | Meaning |
| --- | --- | --- |
| ErrorControl | DWORD | 0x00000001 - Normal error handling |
| Start | DWORD | 0x00000001 - Driver started at system startup; 0x00000003 - Driver started manually |
| Type | DWORD | 0x00000001 |
| Portable | DWORD | This value is optional, but set to 0x00000001 if present. This value flags that the relevant driver was installed in "portable mode", and should be removed. |
The PDA version operates in a similar
manner, though no registry entries are created automatically by the OS
for the drivers used. Instead, FreeOTFE4PDA is required to create a
sequence of registry entries when a volume is mounted. These registry
entries are deleted once the volume is dismounted.
Portable Mode Impact
This section applies to the PC version of FreeOTFE only.
Although no files are copied to your computer's hard drive when using portable mode, because of the manner in which MS Windows manages device drivers, Windows still writes certain details about the portable mode drivers to the registry. Specifically, it records the full path and filename of the drivers used, together with the other basic information on the drivers detailed above.
When portable mode is stopped, most of this information is deleted by Windows automatically. However:
- Because of the way in which the registry stores data, an attacker may
be able to recover that information which has been deleted (this is analogous
to deleting a file on your filesystem; although its directory entry
may have been marked as "deleted", the data may still be recoverable)
- When Windows deletes its registry entries, it doesn't delete all
of them (e.g. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_...)
It is not possible to securely delete the relevant registry entries
without "going behind Windows' back" - not exactly recommended when
working with kernel mode device drivers!
It should be noted that this applies equally to all disk encryption systems that support any kind of "portable mode".
Should it be a concern that an attacker may discover which FreeOTFE drivers were being used, it is suggested that you either:
- Change the filenames of the FreeOTFE drivers you will be using in
portable mode (e.g. rename "FreeOTFECypherAES.sys" to
"FreeOTFECypherTwofish.sys"). This will cause the data written to the registry to reflect this new
filename, hopefully convincing an attacker that the driver used was a
different one.
- If you only use one cypher and hash driver in portable mode,
store a number (or all) of the other cypher/hash drivers with your "portable" version of FreeOTFE.
Even if an attacker can determine which drivers you were using in
portable mode, that attacker will not be able to determine which of the
portable drivers you were actually using to encrypt/decrypt your data
with.