Encase & Credant encryption
Does anyone else use Encase to investigate hosts that have been encrypted using Credant, and if so, is it working?
We work in offline mode, creating the Credant forensic bundles (i.e the .bin files), and copying these to the forensic workstation.
When using Encase 6.10, we have partial success. The user's personal files are successfully decrypted, but system files (i.e. the event logs) which are encrypted with the Credant SDE key remain encrypted.
We have also tried the investigations using Encase versions 6.14 and 6.16, but the problems here are more severe. After parsing the MFT, Encase correctly prompts for the password and location of the Credant .bin file, but then just loops round and round the same screen until the user selects "cancel" (at which point obviously no decryption takes place).
I have support calls out with Guidance, and Credant, but so far none of the suggestions have worked.
Just wondering if anyone else is experiencing the same issues, and if so whether they were able to find a fix.