Gemplus GemSafe Toolbox
It appears to be a smart card authentication system. I was alerted to its presence when looking at the raw physical images I took of a couple of desktop PCs. The file system is all present and visible but user-created files seem to be encrypted separately. I can view the files and their metadata but I cannot view their contents. EnCase does not flag them as encrypted in the description column; however, they all fail the file signature analysis.
System files such as the $MFT, boot.ini etc. are not encrypted. This is a Windows XP Pro machine.
I have attempted to make a Virtual Machine out of the image with both VFC and LiveView. The VFC one blue-screens for both normal and safe mode with an IRQL_NOT_LESS_OR_EQUAL error. The one created with LiveView simply will not run and says that there is not sufficient permission to open the .vmdk file even though I am a domain and local administrator user on the PC I created it on and am trying to run it from.
I fear both of these errors may be due to the Smart Card system.
So I am hoping if anyone else has any suggestions for me to try? One of the machines I imaged was not booting correctly so it may not be possible to re-acquire that one in a live mode.
The only people who find what they are looking for
in life are the fault finders.