Partial safeboot/McAfee encrypted image


Post Posted: Tue Nov 13, 2012 9:49 pm

Hi,

I have a partially acquired image using Encase Enterprise that is Safeboot/McAfee encrypted. Is EnCase able to decrypt it? My guess is no. Just want to confirm this.

Also, Encase has an acquisition restart function. Anyone use it before? Does that actually work? If yes, is it only available on ECC?

Thanks.  

kwokhong
Member
 
 
  

Re: Partial safeboot/McAfee encrypted image

Post Posted: Wed Nov 14, 2012 8:03 am

From the EnCase 6.15 manual -
EnCase provides a way for you to view SafeBoot encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled
 

jhup
Senior Member
 
 
  

Re: Partial safeboot/McAfee encrypted image

Post Posted: Wed Nov 14, 2012 8:59 am

- jhup
From the EnCase 6.15 manual -
EnCase provides a way for you to view SafeBoot encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled


Common Sense Manual 3.58 (yes I have an old version) tells me:
even if you have an EDS cert enabled Encase 6.15 (Deluxe Version) you won't be able to decrypt a partial Safeboot image, at least to the same extent as you cannot decrypt a partial Safeboot image in Safeboot already knowing its password, and of course "partial" says nothing, some parts of a Safeboot volume are anyway "vital" and if they are missing you have little (please read as "NO") chances with *any* tool.


Also, actual Version of Safeboot (or Endpoint Encryption) may make a difference, in case of need:
digfor.blogspot.it/201...tk_18.html

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 