Adequacy of the offline acquisition of FDE drive

(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Hello everybody,

I've got a drive with FDE - some older Pointsec version, yet the customer is unsure which. I need to image it and decrypt it in order to do the analysis. I have user credentials, so there's fortunately no need for any recovery procedures. I have no access to a tool that can deal with encrypted drives (e.g. EnCase), so I need to figure out a way to make an image of the decrypted file system.

What I want to do is to make a live acquisition from the booted system, following this procedure:
1. make a clone of the original drive
2. attach the clone to my forensic laptop via blocker
3. boot up the system from the clone (by choosing the clone in the boot sequence startup menu)
4. image the running system using FTK Lite

Do you find this procedure adequate and forensically sound? Or can you come up with something else?

Another thing - will I be able to make an actual full physical copy of the clone that way?

 
Posted : 22/09/2014 4:27 pm
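An added worked example for step 1 of the procedure above (not from the original post or either poster): a Python clone-and-verify routine that hashes the source as it is read, re-hashes the finished clone from disk, and shows why the clone's hash must be recorded before it is booted in step 3. It assumes the drive is readable as a raw device path and uses a constructed temporary file in place of a real device.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read; on a real drive use a multiple of the sector size

def image_device(src_path, dst_path, chunk_size=CHUNK):
    """Copy src to dst block by block, hashing the source stream as it is read.
    Returns (bytes_copied, sha256 of the bytes that were read)."""
    h = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(chunk_size)
            if not block:
                break
            h.update(block)
            dst.write(block)
            copied += len(block)
    return copied, h.hexdigest()

def sha256_file(path, chunk_size=CHUNK):
    """Independent re-read hash, so the clone is checked from disk, not from memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def clone_and_verify(src_path, dst_path):
    """Step 1: clone the evidence drive, then re-hash both sides and compare.
    Record these hashes before step 3, since booting the clone writes to it."""
    copied, stream_hash = image_device(src_path, dst_path)
    src_hash, dst_hash = sha256_file(src_path), sha256_file(dst_path)
    ok = (stream_hash == src_hash == dst_hash
          and copied == os.path.getsize(src_path))
    return {"bytes": copied, "source_sha256": src_hash,
            "clone_sha256": dst_hash, "verified": ok}

def demo():
    """Run against a constructed stand-in drive (random bytes, not a chunk multiple)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "evidence.bin"), os.path.join(d, "clone.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))
        result = clone_and_verify(src, dst)
        with open(dst, "r+b") as f:   # simulate the boot in step 3 touching the clone
            f.seek(512); f.write(b"\x00" * 8)
        return result, sha256_file(dst) != result["clone_sha256"]
```

The second value returned by `demo()` is True because even a single write during boot changes the clone's hash, which is why the pre-boot hash of the clone (and of the original) is the value to document.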
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If you have the Admin credentials
http://digital-forensics.sans.org/blog/2009/09/11/decrypting-a-pointsec-encrypted-drive-using-live-view-vmware-and-helix/

jaclaz

 
Posted : 22/09/2014 4:35 pm