The need for Full Disk Encryption (FDE) / System Encryption

With the increasing number of mobile computing devices the fixed desktop PC in the home has been on the decrease, in favour of a mix of mobile platforms. Whilst a number of people use their mobile or tablet devices for browsing the web, there is a large number of laptops in use which do not feature the common mobile ‘switch on’ storage encryption.

The need

The need full disk encryption to protect data at rest on laptop (and desktop) devices has never been so important. The largest concern for most security aware users, is the risk to their personal data through opportunistic theft of their device. Whether this be on a train, from a car or even their home.

You can protect against data loss through failure or device theft through good backups, however protecting the confidentiality of stored data requires Full Disk Encryption and strong passwords.

What is FDE / System Encryption?

“Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage.

Expressions full disk encryption (FDE) or whole disk encryption often signify that everything on disk is encrypted – including the programs that can encrypt bootable operating system partitions – when part of the disk is necessarily not encrypted. On systems that use a master boot record (MBR), that part of the disk remains non encrypted. Some hardware-based full disk encryption systems can truly encrypt an entire boot disk, including the MBR.” Wikipedia, 29 Dec 2015

Encryption Options

To encrypt a Windows 10 system you have 2 choices, BitLocker or 3rd party encryption software. BitLocker is made by Microsoft and included with Windows 10 Pro, therefore if your a home user you would need to pay to upgrade from home to pro. There are a number of 3rd party software options, and I am not going to attempt to cover them all, however they fall in to two broad categories. Free (as in beer), some of which are also Free as is (Freedom, Free and Open Source Software FOSS), and commercial where you would need to part with your hard earned cash.


I will mention Truecrypt first… A favourite no-cost solution for a large number of users was Truecrypt, however recently the project has been shelved by the developers and is no longer being maintained. Therefore it is advisable lo look at alternatives.


The VeraCrypt project describe the protect as: “VeraCrypt is a free disk encryption software brought to you by IDRIX ( and that is based on TrueCrypt 7.1a.”. They have taken the truecrypt source code and have continued to develop it, resolving issues identified during the Truecrypt audit, and are looking to continue building features.

The GPT problem

One of the core problems with some of these encryption solutions today is the lack of support for GPT, its likely if you are a Windows 8, 8.1 or 10 user, that you have a GUID Partition Table (GPT).

Solutions like VeraCrypt will not currently work for you on a system with a GPT drive (correct at time of writing, Dec 15). However there are some options….

See my next blog item: VeraCrypt Full Disk Encryption on Windows 10 (Coming soon)

Please feel free to comment below.


Windows 8.1 System with failed drive

Windows Installation Media Creation Tool

Windows Installation Media Creation Tool

So the drive has failed (or you have reloaded with Linux) and you now need to get Windows 8.1 reinstalled. No rescue media to hand, and no recovery partition available. Its time to reach for the Windows Installation Media Creation Tool. A great tool that enables you to create an ISO or boot USB from any working PC, to create media that you can use to rebuild your troubled device.

All being well your licence information will be stored in UEFI (from when your system was built) and you will be back up and running with no need to panic about keys.

You can grab it here:


Mitigating Credential Theft using the Windows 10 Isolated User Mode

In this video Seth Juarez interviews Seth Moore who describes another benefit of the Windows 10 Isolated User Mode, credential theft mitigation.

He first describes the kinds of credentials that can be stolen and how a hacker gains access to them. He then describes how the Windows 10 Isolated User Mode prevents the typical techniques from ever working. It is truly a fascinating look at how the Windows kernel group is continuing to innovate in order to protect us from being compromised. The best part for me is how hesitant Seth was to declare victory when it comes to having a bullet-proof system: this kind of attitude shows the level of vigilance the operating system folks have when it comes to securing our computing environments.
Quote: Seth Juarez (1)

You can access the video page directly here:

Thanks to Seth Juarez, Seth Moore and everyone else involved.



Windows 10 Security with Isolated User Mode Processes and Features

I stumbled across these videos by Seth Juarez the other day, which explain the detail around Isolated User Mode and security improvements in Windows 10. There is a lot of talk about privacy and ‘telemetry’ in relation to Windows 10, however there is a bigger picture. This should make an interesting watch for those interested in security, Windows 10, Kernel security etc.

Interesting stuff for client side eg: lsass.exe now with lsaiso.exe / Credential Guard (more on this another day) and server side eg: vTPM.

Thanks to Microsoft, these videos are great.

Video 1: Isolated User Mode in Windows 10 with Dave Probert
Dave Probert, Windows kernel developer, Protecting ourselves from kernel exploits. The solution he lays out forms part of Windows 10, and lays the foundation for future developments.

Video 2: Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel
Logan Gabriel, Senior Security Engineer, discusses the processes and features that come in Windows 10 due to Isolated User Mode.

Video 3: More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert
Dave Probert, Windows kernel developer, describes how lsass.exe (Local Security Authority Subsystem Service) can have a separate process LsaIso.exe (aka ‘Credential Guard’) to hold secrets within Secure Mode, then more on trustlets.

You can access the video pages directly here:
Video 1: Isolated User Mode in Windows 10 with Dave Probert
Video 2: Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel
Video 3: More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert

Thanks to Seth Juarez, Dave Probert, Logan Gabriel and everyone else involved.



Spinrite and the Humax DTR-T1000 YouView HD Digital TV Recorder

DTR-T1000I purchased Spinrite some time ago, and have used it a couple of times over the years, but never had any real big success story but equally, I have never had any real problematic drive.

The Humax DTR-T1000 YouView HD Digital TV Recorder in the living room started to play up, it was now out of warranty, so I decided it was time to remove the cover. Following the removal of three standard screws the cover came off easily.

Humax DTR-T1000 YouView HD Digital TV Recorder Partial Teardown

Humax DTR-T1000 YouView HD Digital TV Recorder Partial Teardown

I removed the drive caddy from the main chassis, then the standard Seagate 500GB SATA Hard Disk and connected it up to a PC as the only hard disk, booted and set the BIOS to ‘auto’ for the SATA interface. I let the system boot from the Spinrite CD, and set Spinrite to work at Level 2 – Recover unreadable data.

Off to bed, leaving Spinrite to do its magic on the 500GB. The next morning Spinrite was still going so despite the moaning I was subjected to about the lack of TV in the house, I left it to run.

Spinrite Status on DTR-T1000

Spinrite Status on DTR-T1000

Spinrite was still running the following evening (24 hours on), I glanced through the screens and decided to leave it to do its work. DVD tonight I thought, that will give it till this time tomorrow to complete, a good 48 hours.

Spinrite Detailed Technical Status on DTR-T1000

Spinrite Detailed Technical Status on DTR-T1000

Spinrite completed after 3 days, 22 hours and 19 minutes. I reconnected the drive, noted the internal fan appeared to have failed (maybe the cause of these issues…?) and connected it back up to the TV.

On came the box, and it booted successfully. All recordings were then available and the Humax DTR-T1000 YouView HD Digital TV Recorder functioned correctly. I did have a couple of recordings with issues, presumably due to unrecoverable sectors, however these recordings were still on the whole watch-able, and then once deleted, the issue was behind me.

For more about Spinrite, see:


Outlook 2010: cannot open your default e-mail folders

cannot-open-your-default-e-mail-foldersToday I had to resolve a problem with Outlook 2010 not starting. The user was greated with the message:
“Cannot open your default e-mail folders. The information store could not be opened.”

I found the Outlook.exe file was in XP compatibility mode.

To check:
1. Open My Computer and navigate to c:\Program Files\Microsoft Office\Office X\ or on 64-bit, C:\Program Files x86\Microsoft Office>Office X. (Where X is a version number)
2. Right click on Outlook.exe and click on Properties. Click on the ‘Compatibility’ tab and uncheck any compatibility mode options.
3. Retry.

Hope this helps with your problem….


Ubuntu Apache New Website (in 10 seconds)

Install the required components to host the site, eg: a LAMP stack. Update the Ubuntu server and install LAMP, Linux, Apache, MySQL and PHP:

$ sudo apt-get update
$ sudo apt-get install lamp-server^

Now we need to clone the default site config file, and customise it to our requirements. Once thats done, enable the site with a2ensite and restart Apache.

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/
vim /etc/apache2/sites-available/
sudo a2ensite
service apache2 restart

Basic web server backup script – MySQL and Apache

I was working on a dedicated server the other day and needed a quick script to backup the website and the MySQL database. The following bash script will do just that, simply modify the directory paths within the tar command to ensure every folder you need is included, the MySQL command assumes all databases need to be backed up and that it should run as root.

In an ideal world you should modify this script to run within the context of a dedicated backup account.

# - R. Jervis - Quick (sample) webserver backup script

cd /backup
mysqldump --all-databases > dump-$( date '+%Y-%m-%d_%H-%M-%S' ).sql -u root -p
tar -cvzf backup-$( date '+%Y-%m-%d_%H-%M-%S' ).tar.gz /var/www/html/ /etc/apache2/ /etc/ssl/ /etc/php5/

Raspberry Pi Screensaver and Screen Blanking with Pidora

So I tried and failed to disable the screensaver and screen blanking within pidora on the Raspberry Pi. I was up against a time target and needed to find a solution.

I needed the screen to stay live, with no screen blanking or screensaver, even when the keyboard and mouse were completely disconnected. I tried a range of settings and all of them failed me within the time available. After aproxommatly 10 minuites, the screen would blank with either a black screen, gray screen, or screensaver depending on the settings in use.

I found some commands would work, however attempts to ensure this was the case after a reboot failed.

Option 1 – Disable the screensaver from within the settings menu

Option 2 – Reconfigure X power saving with .xinitrc

“You may need to install xset, a lightweight application that controls some X settings.”

apt-get install x11-xserver-utils

Now open up your ~/.xinitrc file (if you don’t have one then create it) and enter this:

xset s off         # don't activate screensaver
xset -dpms         # disable DPMS (Energy Star) features.
xset s noblank     # don't blank the video device

Start LXDE

exec /etc/alternatives/x-session-manager

To view your Xsession screen saver setting, use this command (must be used from xterminal)

xset q

Disable text terminals from blanking
change two settings in /etc/kbd/config


Disable Xsession from blanking
Additional info … _Signaling
Add these lines to /etc/xdg/lxsession/LXDE/autostart

@xset s noblank
@xset s off
@xset -dpms

Option 3: Simulate Input = The answer…
For me, the easiest answer in the end was to simulate mouse movement. A cop out some may say, but as this pi will never have a keyboard or mouse connected and I wanted the pointer out of the viewable area it also solved moving the pointer from the centre.

I created this file:

# - R. Jervis - Move the mouse to keep screen alive and force webpage refresh with F5. 

sleep 60

while :
	echo "Test"
	xdotool mousemove 30 45
	sleep 60
	xdotool mousemove 30 55
	sleep 60
	xdotool click 1
	xdotool key F5

I then enabled it to run on-boot.