Encrypted Data Exposed

I came across a question worded similarly to the following:

An organization is enforcing full disk and removable media encryption for all computers. Which threat can expose sensitive data on these computers?
A. Header manipulation
B. Botnet infection
C. Stolen laptop
D. Spam

The answer is "B". I come to the same answer by the process of elimination. However, I'm not familiar with how a Botnet would specifically accomplish this. Thoughts?

Find more posts tagged with

Comments

lsud00d

Malware/botnets can steal the encryption key

mjb2424

If the computer is part of a botnet, an intruder has access to the system. If they can access the system, the full disk encryption is irrelevant. Any data could be relayed back to said intruder since the disk encryption is undone when the operating system uses data on the disk. The data is only encrypted when stored (at rest) on the disk. Once loaded into memory, the data must be decrypted otherwise the data could not be used.

This whitepaper outlines this briefly:
http://community.pepperdine.edu/it/content/how-wde-works.pdf

teancum144

mjb2424 wrote: »

If the computer is part of a botnet, an intruder has access to the system. If they can access the system, the full disk encryption is irrelevant. Any data could be relayed back to said intruder since the disk encryption is undone when the operating system uses data on the disk. The data is only encrypted when stored (at rest) on the disk. Once loaded into memory, the data must be decrypted otherwise the data could not be used.

This whitepaper outlines this briefly:
http://community.pepperdine.edu/it/content/how-wde-works.pdf

Great explanation and whitepaper, thanks! So basically, the botnet can only access the data while the user is logged in. The botnet can access the data in RAM because it has been decrypted. Also, the botnet can access the data at rest because it is retrieving the data with the user's credentials (i.e. the user has logged in so the botnet's data "request is sent to the OS's I/O manager, which forwards the request to the file system manager.").

Please confirm my understanding.

mjb2424

That pretty much sums it up to my knowledge. However, bear in mind that any fine details will depend on the environment. For this specific question though, your post is the explanation for the answer.