Configure a virtual machine that is running Windows XP:
Windows XP Pro is set up on the lab machine. TrueCrypt requires a recovery disk to be burned before the encryption starts.
Encrypt the disk with TrueCrypt, using system disk encryption.
- Limit the capacity of the disk to decrease the time needed for encryption.
We assigned only 10GB to Windows XP and used AES + SHA-512 to encrypt the whole system disk. At the start of the encryption one restart is required, and during that boot we have to enter the password defined earlier so that the TrueCrypt boot loader loads the system for us. This is only necessary for system disk encryption; for other kinds of encryption no password is requested at boot.
To save further time, we did not use the disk wipe option.
Use Evil Maid to retrieve the password.
- We got the Evil Maid USB image from the invisiblethingslab blog. It inspects the MBR to see whether a known disk encryption tool is installed. If so, it modifies the boot code and hooks itself into it, so that it runs before the encryption tool's boot loader. The Evil Maid key logger then records the input given to the boot manager of the disk encryption tool, and the key is captured.
- Use UltraISO to convert the img to an iso, which can be mounted and booted from at start-up.
- During boot the system asks whether we want to "E"vil maid or do something else; we do want to "E"vil, so press E.
- It takes a while for the check to complete and for the Evil Maid boot loader to get hooked in.
- Then we just log in normally.
- We restart the VM from the USB image; this time Evil Maid simply prints the passphrase on the screen.
Important remark: the USB image could not be used to start VMware, so we had to present the iso as a CD-ROM to start the machine. However, Evil Maid does not start until a USB device has been mounted. So the CD-ROM is used to boot, which then initializes the USB device and hence the boot loader.
How can you detect this attack?
This attack will *not* show up in any kind of system log, which makes it very difficult to detect. But if we keep a hash of the original MBR and check it against the current MBR every time the boot loader starts, we can probably detect the attack that way.
How can you prevent this attack?
As mentioned above, we can compare the hash of the MBR against the original one. However, the best and only perfect prevention is to NEVER leave your machine, whether laptop or PC, unattended. A TPM can be deployed to mitigate this kind of attack.
A hard disk password can be used for extra protection.
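The MBR hash check suggested in the detection and prevention answers above, written out as an added example (not part of the original lab notes): per-region SHA-256 digests of the first sector are recorded once on a known-good system and compared on every check, so that a changed boot code region is reported separately from a changed partition table. The 512-byte "clean" and "tampered" sectors are constructed sample data, not dumps from the lab machine.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_END = 446       # bytes 0..445 hold the boot code (what a boot-sector hook alters)
PART_TABLE_END = 510      # bytes 446..509 hold the four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510..511 hold the MBR signature


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mbr_regions(mbr: bytes) -> dict:
    """Split a 512-byte MBR into the regions that matter for an integrity check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    return {
        "boot_code": mbr[:BOOT_CODE_END],
        "partition_table": mbr[BOOT_CODE_END:PART_TABLE_END],
        "signature": mbr[PART_TABLE_END:],
    }


def take_baseline(mbr: bytes) -> dict:
    """Hash each region of a known-good MBR; store the result somewhere the machine cannot alter."""
    return {name: sha256_hex(region) for name, region in mbr_regions(mbr).items()}


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Return the names of the regions whose hash no longer matches the baseline (empty list = clean)."""
    current = take_baseline(mbr)
    return [name for name in baseline if current[name] != baseline[name]]


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw disk, e.g. /dev/sda or \\\\.\\PhysicalDrive0 (needs admin rights)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample data: a fake clean MBR with one bootable NTFS-type partition entry,
# and a copy whose first two boot-code bytes have been altered.
CLEAN_MBR = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_END, b"\x00")
             + bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xfe, 0xff, 0xff,
                      0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01]) + b"\x00" * 48
             + SIGNATURE)
TAMPERED_MBR = b"\xeb\x3c" + CLEAN_MBR[2:]
BASELINE = take_baseline(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))      # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))   # ['boot_code']
```

Running the check from the machine itself is only meaningful if the baseline is stored off the disk; a check booted from trusted external media, or a TPM-measured boot, is what makes the comparison trustworthy.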
Is a similar attack also possible on other similar products?
Yes; as reported, the attack has been confirmed to be effective against TrueCrypt and PGP Whole Disk Encryption.
Why, or why not, and on which products?
Given how it works, the attack will be effective against any whole disk encryption tool that relies on a boot loader in the same way: the attack infects the MBR, loads before the boot loader, and logs the key. It is widely agreed, including by engineers at TrueCrypt and PGP, that encryption alone cannot defend against attacks of this kind (Evil Maid, cold boot, Stoned boot). Among these, Evil Maid is the most system independent.