Hello everybody,
I've got a drive with FDE - some older Pointsec version, yet the customer is unsure which. I need to image it and decrypt it in order to do the analysis. I have user credentials, so there's fortunately no need for any recovery procedures. I have no access to a tool that can deal with encrypted drives (e.g. EnCase), so I need to figure out a way to make an image of decrypted file system.
What I want to do is to make a live acquisition from the booted system, following the procedure
1. make a clone of the original drive
2. attach the clone to my forensic laptop via blocker
3. boot up the system from the clone (by choosing the clone in the boot sequence startup menu)
4. image running system using FTK Lite
Do you find this procedure adequate and forensically sound? Or can you come up with something else?
An another thing - will I be able to make an actual full physical copy of the clone that way?
If you have the Admin credentials
http//
jaclaz