The Advent of Trusted Computing: Implications for Digital Forensics ABSTRACT
TCG has been developing a set of guidelines [8] that will serve as
The release of computer hardware devices based on “trusted
a baseline for a wide variety of platforms—from personal
computing” technologies is heralding a paradigm shift that will
computers, personal digital assistants, to cellular telephones.
have profound implications for digital forensics. In this paper, we
A number of initiatives falling under the auspices of trusted
map out the contours of a trusted environment in order to
computing (TC) are currently under development. The most
establish the context for the paper. This is followed by the main
notable ones are: (i) hardware-related projects—Intel is
components of the TC architecture with an emphasis on the
developing a new chip called LaGrande Technology (LT) and
Trusted Platform and the Trusted Platform Module (TPM). The
AMD is working on one called Pacifica. (ii) Software-related
next section presents a synopsis based on three threat models, viz.,
projects—Microsoft is releasing a new operating system they
(i) pc owner-centric, (ii) trusted computing-centric, and (iii)
have christened Windows Vista—originally called Palladium/
digital forensics-centric and then briefly touches on the
Next-Generation Secure Computing Base (NGSCB)/Longhorn. At
implications and unintended consequences of trusted computing
the time of this writing, a dominant design has begun to coalesce
for digital forensics. Finally, the last section of the concludes with
a recommendation on how to mitigate the negative effects of
To establish the context for the paper, we begin by mapping out
the contours of a trusted environment. This is followed by the
Categories and Subject Descriptors
main components of the TC architecture with an emphasis on the Trusted Platform and the Trusted Platform Module (TPM). The
K.5.0 [Legal Aspects Of Computing]: General.
next section presents a synopsis based on three threat models, viz., (i) pc owner-centric, (ii) trusted computing-centric, and (iii)
General Terms
digital forensics-centric. Section 5 outlines the implications of
trusted computing for digital forensics with respect to file system analysis and evidence recovery. Finally, the last section of the
Keywords
paper offers some recommendations on how to mitigate the negative effects of trusted computing for law enforcement.
Cybercrime, data recovery, encryption, file systems, forensics, specifications, Trusted Computing.
2. TRUSTED COMPUTING OVERVIEW
The TCG defines trust as “the expectation that a device will
“We shape our tools, and thereafter
behave in a particular manner for a specific purpose” [8]. To be considered a trusted environment, a minimum of three conditions
our tools shape us”—Marshall McLuhan.1. INTRODUCTION Protected capabilities—are based on a set of commands that have
The Trusted Computing Group (TCG) is a not-for-profit industry-
exclusive permission to access shielded locations (e.g., memory
standards organization that was set up to establish specifications
and/or registers) where it is safe to work on sensitive data.
for architectures, functions and interfaces that support hardware-
Integrity measurement—is the process of obtaining metrics of
based trusted computing solutions. As part of their mandate, the
platform characteristics that affect the integrity (trustworthiness)
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
Integrity reporting—serves two main functions: (i) to expose
not made or distributed for profit or commercial advantage and that copies
shielded-locations for storage of integrity measurements, and (ii)
bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior
to attest to the authenticity of stored value based on trusted
SAC’06, April, 23-27, 2006, Dijon, France. Copyright 2006 ACM 1-59593-108-2/06/0004…$5.00.
3. TC ARCHITECTURE Secure Functions. The trusted chip (i.e., the TPM—see Fig 1)
This section describes the logical layout of the TC architecture as
manages three main groups of functions: (i) public key functions,
outlined in the TCG documentation [8].1 At present, the TCG
(ii) trusted boot functions and (iii) system initialization and
specifications are being designed to provide personal computers
management functions.2 In order to verify that there have been no
with an essential hardware base for client-side security.
malicious additions to the hardware or software, measurements
According to Safford, the TC architecture provides two important
(i.e., SHA-1 hashes) are made during the boot process and stored
security functions: secure storage of signature and encryption
in the Platform Control Registers (PCRs).
keys and system software integrity measurement [7]. It should be
Based on the current configuration, the TPM behavior is limited
noted that the TC architecture includes both hardware i.e., the
by a combination of three mutually-exclusive modes of operation:
trusted platform module (TPM) and software components i.e., the
Enabled / Disabled—the TPM may be enabled/disabled multiple
trusted support services (TSS). Given the focus of this paper on
times within a boot period. When the TPM is enabled, all features
data recovery, only hardware issues will be dealt with.
are available; whereas when the TPM is disabled, all operations
The Roots of Trust represent the minimum functionality needed to
are restricted except the ability to report TPM capabilities and to
describe the properties that affect the trustworthiness of a
accept updates to the Platform Configuration Register (PCR).
computing environment. The trusted platform is comprised of
Activated / Deactivated—when activated all features of the TPM
three Roots of Trust: (i) a root of trust for measurement (RTM)—
are available. In a deactivated state, the TPM is similar to
measures integrity and enables transitive trust; (ii) a root of trust
disabled except that operational state changes such as "change
for storage (RTS)—presents summary values for integrity digests
owner" or "activation with physical presence" are possible.
and maintains the sequence of digests; and (iii) a root of trust for reporting (RTR)—reports information held by the RTS. The
Owned / Un-owned—a platform is owned when the owner of a
Roots of Trust must be trusted due to the fact that any
platform is authorized to perform all functions including
misbehavior taking place within the confines of the system might
not be detected. Each root is expected to function correctly
TC Keys. The main classification for TC keys are non-migratable
without external oversight. The Trusted Building Blocks (TBB)
vs. migratable. Non-migratable keys embedded in the TPM
and the Roots of Trust form a trust boundary where measurement,
include: (i) the Storage Root Key (SRK) and (ii) the Endorsement
storage and reporting can be accomplished using a minimal
Key (EK). Migratable keys may be exchanged (exported/
configuration. According to the TCG specifications, "[t]he TBB
imported) which enables the TPM to sign application data and
should be established such that devices containing other
enforce usage restrictions. This allows the key pair to follow the
measurement code do not inadvertently extend the TBB boundary
user around irrespective of device type. To extend non-migration
where trustworthiness of the linkages has not been previously
attributes to opaque data, data are stored with the RTS using a
established" [8]. Or, as Stafford points out, "integrity
non-migratable storage key. This means that as long as an opaque
measurement can be used to detect software compromise, such as
object is controlled by the TPM, it cannot be decrypted elsewhere.
a rooted kernel, and to lock down use of protected keys and data
Within the TCG schema, keys are considered communication
endpoints. Therefore, if communication endpoints are poorly
configured or keys are improperly managed, a breach in security may result. The TPM advances security by providing both key management and configuration management features (e.g., features such as protected storage, measurement and reporting are combined to “seal” keys and platform configurations making endpoint definition stronger.3 The TCG defines four classes of protected message exchange:
Binding—is based on the traditional operation of: (i) encrypting a message using the intended recipient's public key and (ii) recovering the message using the intended recipient's private key.
If the private key is a nonmigratable key, then only the TPM that
3.1 Trusted Platform Module (TPM) Signing—is a process that associates the integrity of a message
The main components included in the TPM schema that are
with the key used to generate the signature.
expected to have the greatest impact on the personal computing environment include: (i) secure functions with a focus on the modes of operation and the issuance of credentials, (ii) TC keys
with a focus on measurement and the protected message exchange
2 Using the initialization and management functions, the owner
protocols, and (iii) expanded capabilities with a focus on secure
can turn functionality on and off, reset the chip, and take
input/output, memory curtaining, sealed storage, and attestation.
3 Protected messaging is based on two principles: (i) that
messages intended for one and only one individual can be
1 The background material for section 3, unless noted, is drawn
encrypted using a public key and (ii) the message can be
protected from tampering by signing with a private key.
Sealing—binds a set of metrics—a platform configuration state
4. THREAT MODELS
that must exist before decryption can proceed—to a message. The
Computer Security concerns the protection of information assets.
symmetric key used to encrypt the message is associated with a
For personal computers this means the protection of stored data
set of PCR register values and a non-migratable asymmetric key.
and programs. Protection typically involves integrity,
Sealing ensures that “protected messages are only recoverable
when the platform is functioning in a very specific known configuration” [8:16].
Scenario 1: The traditional pc threat model. In the traditional security model for personal computers, the threats are external Sealed-Signing—can be used to provide an assurance that the
and do not involve the owner of a personal computer (pc). That is,
platform that signed the message meets specific configuration
the owner is trusted and has full control over the pc. The owner is
identified by a password and/or biometrics. The adversary is an
Any command that affects security and privacy or is capable of
unauthorized user (a hacker)–see Fig 2. With networked systems
revealing platform secrets must be authorized which means that a secret must be supplied as part of command invocation. Commands that do not require authorization include: (i) informational commands (i.e., they contain no security or privacy information) and (ii) privacy relevant meta commands (i.e. they are needed to configure command validation).
Expanded Capabilities. Once the TPM has been activated, new
features will be available to pc owners, content providers and law
Figure 2. The traditional pc threat model
enforcement agents (LEAs). The particular capabilities singled out for our review are the ones generating the most controversy
of computers, the computers are only used as platforms and the
information assets are stored centrally and managed by a network administrator who enforces the access control policies of the
Secure Input and Output (I/O)—to minimize the type of threat
system. With such systems, the administrator is the only trusted
posed by keyloggers and screen-grabbers, secure I/O provides a
tamperproof communications route between a user and an application. Under secure I/O, the keyboard and mouse will be
Scenario 2: The trusted computing threat model. The security
protected from physical attacks; screenshots or scrapes will be
model for trusted computing is similar to the personal computers
disabled; and programs that deliberately corrupt, modify or
model, except that in this case the trust between the pc and its
mislead the user will be prevented from running or operating.
owner is broken–see Fig 3. That is, every user, including the
Memory Curtaining—memory that has been isolated from other internal processes enables trusted programs to run without interference.4 Encryption keys locked in a data vault (a chip attached to the motherboard) are used to maintain privacy and integrity. Although process isolation can be achieved using software, the advantages of hardware include: (i) greater backwards compatibility, (ii) less code needs to be rewritten and
(iii) fewer changes to device drivers and application software.
Figure 3. The trusted computing threat model
Sealed Storage—encryption keys, based on a combination of
owner of the pc, is untrusted. Only the pc is trusted. The owner
hardware and software, are used to store data in an encrypted
has restricted access to the information assets stored on the hard
format means the data can be read only by the same combination
drive of her/his computer. The restrictions are intended to limit
of software and hardware. If an application other than the one that
and contain the damage that can result from any security flaw in
was used to seal the data attempts to decrypt or unseal the data,
the operating system of the computer, as well as to protect its
the operation will fail. Similarly, if the data is copied in encrypted
owner from, inadvertently exposing or corrupting information
form to a different machine, attempts to decrypt it will be
assets stored on the hard drive (e.g., by importing malicious
code), privacy threats (by encrypting stored data on the hard drive
Attestation—is the process of verifying and vouching for the
with keys generated by the hardware), illegal copying or file
accuracy of information and it works by having the TPM generate
sharing, unfriendly behavior to the software and publishing
a certificate that confirms—NO unauthorized installs, updates or
industry, by tethering (preventing files from migrating), lock-ins
changes to have been made to the user’s hardware or software.
(only approved software will run), forcing upgrades/downgrades,
Attestation is designed to prevent data (e.g., commands,
and possibly other non-disclosed mechanisms (the good, the bad
executables, private information) from being sent to/from a
and the evil?). This model can be regarded as a special case of the
security model for networks in which the network is replaced by a single computer and the administrator by the operating system of the computer. This is essentially a Big Brother model [4], in which (the hardware of) the computer is designed in such a way
so as to protect its owner from “wrongdoings”, where the
4 With curtained memory, even the operating system is denied
wrongdoings are determined to a large extent by business and
corporate interests. This does not benefit the software industry as
a whole, because it introduces anti-competitive practices [4, 7] but
to mention, preventative measures—passphrases/biometrics,
it enforce Digital Rights Management [23].
curtained memory and sealed storage—may have been set up to thwart unauthorized access. Ideally, LEAs will secure the
Scenario 3: The digital forensics threat model. The security of
cooperation of the pc owner who will reveal pertinent
the models discussed so far, focuses on preventing attacks. For
information. Most likely, unless some kind of plea bargain or
our last model, the model for digital forensics, security focuses on
immunity arrangement is worked out beforehand, there will be
detection. This model is similar to the model for trusted
little or no incentive for the pc owner to cooperate since without
computing, only that in this case the hacker is replaced by a
the decryption keys, incriminating data will remain protected5 i.e.,
trusted law enforcement agent (LEA). The owner of the computer
unrecoverable. For forensics practitioners, this means that a new
remains untrusted–see Fig 4. The objective of the LEA is to ex-
generation of intermediary forensics tools will be needed that can to extract data from TC-enabled machines.
File System Analysis. Given the ease with which data can be modified, a major issue confronting all cyberinvestigations is “what type of data can be trusted.”6 When dealing with TC- enabled computers, not only will more system data be stored in
tamper-proof logs but data that were previously out-of-bounds
Figure 4. The digital forensics threat model
will now be routinely signed, sealed and bound to a user. Every time someone who operates a TC-enabled machine comes in
tract incriminating data stored on the computer. The computer is
contact with a digital object, a unique fingerprint will be created.
trusted not to corrupt this data, and to make it possible for the
It is assumed that once critical mass is reached, law enforcement
agent to decrypt it. The main difference from the model for
will be able to rely on digital signatures and time stamps derived
trusted computing is that in this case the “wrongdoings” are
from authentication procedures to corroborate evidence and rule
determined by well-established legal procedures, based on the
out suspects—in much the same way that DNA is currently used.
interests of society as a whole, rather than the interests of the
Similarly, it is expected that hashes/digests that are generated as a
by-product can be used for separating ‘known from unknown’ file types and data carving purposes. In other words, law enforcement
5. TC IMPLICATIONS
will have at their disposal a historically rich source of metadata
As noted earlier, trusted computing has generated a ground swell
they can use to more closely associate individuals with the
of controversy. Without the addition of user-friendly fixes—viz.,
actions, thereby increasing the likelihood that this evidence will
some type of override mechanism—opposition is likely to
continue [2]. Once trusted computing is deployed on a massive
Data Recovery. At the time of this writing, details regarding
scale and the reality of a ‘locked down’ computing environment
Microsoft’s new operating system (Windows Vista) are few and
starts to sink in, there is bound to be a backlash. However, from a
far between. To date, no guidelines, comparable to the TCG
digital forensics point of view, the advent of trusted computing, is
specifications, have been published. Therefore, it is difficult to
not all bad. In fact, the TC-enabled features most feared by the
hazard a guess as to how well data recovery efforts will fare under
naysayers may become a boon for cyber-investigators. On the
trusted computing. To consider what some of the implications
other hand, if file-encryption becomes the norm, trusted
might be, we can conjecture the following:
computing may turn out to be law enforcement’s worse nightmare. To get an inkling of the potential impact of TC and its
In keeping with past releases (e.g., Windows 9x/0x, NT, XP),
unintended consequences, this section focuses on three key
Vista will most likely retain the same layout, data structures
elements in the digital forensics arsenal: acquisition, file system
(records, signature values, flags, options) and file formats
(indexing, journaling) that first appeared in the FAT file system and were later revamped/revised and incorporated into NTFS
Acquisition. At the scene of the crime, it has become standard
[3:351-395]. If so, that is good news. Apart from learning new
practice to “bag and tag” evidence and take it back to a safe
terminology and tweaking some data recovery tools, no
environment (e.g., a certified forensics lab) for imaging and
significant changes in digital forensics modus operandi will be
analysis [8]. When dealing with servers, to avoid disruption, most
required for recovering unencrypted data on a TC-enabled
forensics examiners—once normal safeguards are in place—will
machine. It is expected that the Microsoft OS will retain little
acquire the evidence right on the spot. With trusted computing, it
endian ordering, the Master File Table (MFT), metadata, and file
is still unclear what type of acquisition policies should be
attributes. DOS partitions, clusters, sectors and slack space will
followed. For example, if it is known a priori that a case involves
continue to exist. Short/long file names and deleted data will
unencrypted data, it will be safe to follow ‘standard operating
procedures.’ Depending on the circumstances, it will be up to the
forensics team to decide where and how to acquire the evidence.
Alternatively, if a TC-enabled box with encrypted data becomes
6 Carrier makes a distinction between essential (trusted) and
part of an investigation, cyber-investigators are well advised to
nonessential (untrusted) data. For example, he considers file
approach these machines/devices as if they are mission critical. In
system information such as content addressing to be essential,
any event, forensic teams responsible for data recovery should err
otherwise the system would be unable to read the file; whereas
on the side of caution. Depending on what type of secure I/O or
data and time stamps are nonessential because they can be easily
remote attestation has been set up, these machines may interpret
manipulated by the user [3:12-13]. Non-essential data that can be
any unauthorized interference as a threat and act accordingly. Not
easily manipulated is more likely to be challenged in court.
continue to be recovered in the same manner. Data will continue
practice of using encryption keys that are not stored on the
to be written to the hard drive using the same allocation
computer (or cannot be internally generated by the computer) is
algorithms. Now, for the bad news. There is no reason to expect
the most serious threat to digital forensics. By the same token,
that Microsoft will follow in the same footsteps.7 In fact, given
whoever uses this practice, the one being recommended by the
Microsoft’s track record, there is every reason to believe
TCG, is also at great risk of losing all data stored on the hard
otherwise. Most likely—which may account for all of the
drive if he/she loses the encryption keys. So these keys must be
delays—Microsoft is poised to come out with an entirely new file
kept safely. This is where law enforcement must insist that the
system that is not backward compatible, retains no structures in
TCG rework their design to incorporate some type of key
common with NTFS and cannot be reverse-engineered (without
recovery mechanism even though we recognize that this solution
running afoul of the DMCA). All of which does not bode well for
is unlikely to be popular with pc owners. However, the
alternative—losing valuable data--is even less appealing.
6. UNINTENDED CONSEQUENCES 7. CONCLUDING REMARKS
Under the current guidelines, trusted computing based on
The release of computer hardware devices based on TC is
hardware encryption uses a key generated internally (which is a
heralding a paradigm shift that will have profound implications
function of the computer identity, the software encryption identity
for digital forensics. TC-enabled machines are expected to thwart
and possibly other system parameters). What happens if LEAs do
everything from denial of service attacks, unauthorized access,
not have access to the decryption key or worse still, there is a
phishing scams, to illegal downloads. What is often overlooked in
hardware malfunction? Does this mean that all data on the hard
this brave new world—where every bit is locked down—is the
drive is lost, in the sense that it is encrypted and the system
downside risks. Conducting a cybercrime investigation in an
cannot compute the required decryption key so the information
environment dominated by secure I/O, curtained memory, sealed
storage and attestation technologies will present some unique
In fact it is possible to get the key, provided cyberinvestigators
challenges for law enforcement. Any increase in actionable
have access to the computer ID and the software encryption ID.
evidence may be offset by encrypted data that cannot be
recovered. Just as the Internet spawned spammers and hackers; no doubt trusted computing will create a new breed of cybercriminal
A: The hardware is designed so that it is impossible to get the
who uses encryption and darknets to avoid detection. In
computer ID (note that it must be easy to get the software ID,
conclusion, we ignore at our peril, McLuhan’s admonition:otherwise the computer will not be able to generate a key for encrypting/decrypting). In this case, it will be impossible to We shape our tools, and thereafter, our tools shape us. compute the decryption key and therefore to decrypt stored data, even by the pc owner. If trusted computing is implemented this way, it is doomed, because any hardware failure will result in all 8. REFERENCES stored data being lost forever—and that does not make good
[1] Against TCPA. URL: http://www.againsttcpa.com/what-is- business sense, so it is unlikely to prevail. B: It is possible to extract the ID from the hardware so the owner
[2] Anderson. R. ‘Trusted Computing’ Frequently Asked can recover the data. For the same reason, the agent can recover
Questions - TC / TCG / LaGrande / NGSCB / Longhorn /
the data, as indeed anybody else who has physical access to the
Palladium / TCPA. Version 1.1 August 2003. URL:
pc. For example, even a thief. The only way around this that we
http://www.ftp.cl.cam.ac.uk/ ftp/users/rja14/tcpa.pdf .
can see (so that the agent can, but the thief can’t) is to protect the
[3] Carrier, B. File Systems and Forensics Analysis. Addison- computer ID. It must not be in the clear, and the manufacturer must not know it (i.e., a malicious manufacturer may sell these Ids to hackers who can then compute the keys).
[4] Chaum. Security Without Identification: Transaction
Systems to Make Big Brother Obsolete. Commun. ACM.
The solution to this dilemma would be to hardwire the pc with an
“encryption” ID which is printed internally and stored in a way that it can’t be easily recovered. To access the encryption key, the
[5] Lemos, R. Hardware security sneaks into PCs, CNET
hardware would have to be destroyed and the TPM could never be
News.com. 3/16/2005. URL: http://news.com.com/
used again to assert trust. But any lost or incriminating data would
Hardware+security+sneaks+into+PCs/2100-7355_3-
be recoverable. This will result in the pc getting a new protected
hardware ID, while making it possible to access the encrypted
[6] Safford, D. Clarifying Misinformation on TCPA/Palladium/
data with the exposed key.8 Lastly, we should point out that the
DRM. October, 2002. URL: http://www.research.ibm.com/
7 An anonymous reviewer points out: “WinFS is not going to be
[7] Schoen, Seth. Trusted Computing: Promise and Risk. URL:
an entirely new file system (as was originally hinted at). Instead it
http:// www.eff.org/Infrastructure/trusted_computing/2003
is adding relational components to the existing NTFS structure.”
From what we can ascertain, it seems that Vista will incorporate
[8] Trusted Computing Group. TCG Specification
two files systems: WinFS and NTFS—the details of how they will
Architecture Overview. Revision 1.2. 28 April 2004. URL:
https://www.trustedcomputinggroup.org/downloads/TCG_1_
8 In fact, a TC-enabled machine will need several ids, because
some may have to be published for attestation purposes.
anno V, numero 18spedizione in abbonamentopostale - 70% - D.C.I. PNTrimestrale dei Centri di Aggregazione Giovanile della provincia di Pordenone Pordenone Locandina di Sonorika 2007, grafica di Sandro Corazza Note da Sonorika Ma che musica ragazzi! La musica racconta i giovani [p. 9] Il punto di vista: intervista a Teho Teardo Intervista a R. Buttignol Tutti al cyber-m
CURRICULUM FORMATIVO E FROFESSIONALE Dott Rodolfo Hurle - Laurea in Medicina e Chirurgia conseguita presso l’ Universita’ degli Studi di - Borsa di Studio universitaria presso Istituto Scientifico H.S.Raffaele di Milano (1989-1990) per studi nell’ambito dell’urologia oncologica - Specializzazione in Urologia conseguita presso l’ Universita’ degli Studi di ATTIVITA’ LAV