Adequacy of the offline acquisition of FDE drive


Senior Member


Post Posted: Sep 22, 14 16:27

Hello everybody,

I've got a drive with FDE - some older Pointsec version, yet the customer is unsure which. I need to image it and decrypt it in order to do the analysis. I have user credentials, so there's fortunately no need for any recovery procedures. I have no access to a tool that can deal with encrypted drives (e.g. EnCase), so I need to figure out a way to make an image of the decrypted file system.

What I want to do is to make a live acquisition from the booted system, following the procedure:
1. make a clone of the original drive
2. attach the clone to my forensic laptop via a blocker
3. boot up the system from the clone (by choosing the clone in the boot sequence startup menu)
4. image the running system using FTK Lite

Do you find this procedure adequate and forensically sound? Or can you come up with something else?

Another thing - will I be able to make an actual full physical copy of the clone that way?

Senior Member

Re: Adequacy of the offline acquisition of FDE drive

Post Posted: Sep 22, 14 16:35

If you have the Admin credentials:

- In theory there is no difference between theory and practice, but in practice there is. - 
