I have been asked to make a presentation on the current state of full disk encryption, issues with basic key management, e-Discovery and forensics.
What areas would you like to read about?
Although the presentation will be for mostly technical but not experts, I would like to re-write it as an article and be would share it.
Off the top of my head, and I am hot and tired…
Well, first, there is the need to differentiate between the OS boot disk and the remaining storage, since most OSes require a recognizable MBR/GPT and a VBR. So there is the issue of TPM and whether you have a trusted boot pathway or not which could, conceivably, present a mechanism to decrypt the disk/volume.
Lacking that and compulsory powers which can demand disclosure, there is the question of whether social engineering can be used to determine the credentials needed to unlock the device. If so, is the search warrant/subpoena/production request sufficiently broad enough to include those pieces of evidence which could be used to assist in this process (e.g., names of children, pets, vacation spots, etc.) You mentioned key management and one issue would be whether an external device, such as a USB, was used and, if so, has it been produced.
In the US, there is also the issue of adverse inference. The party refuses to disclose the password necessary to decode the information on the device. Can the judge instruct that the jury consider an adverse inference with respect to the unwillingness of the party to disclose the contents of the device?
The real problem is that if someone really wants to prevent disclosure, they can, technically. So, as Sean Connery said in "The Untouchables" "What are you prepared to do about it?"