Adequacy of the offline acquisition of FDE drive

fraudit
(@fraudit)
Member

Hello everybody,

I've got a drive with FDE - some older Pointsec version, yet the customer is unsure which. I need to image it and decrypt it in order to do the analysis. I have user credentials, so there's fortunately no need for any recovery procedures. I have no access to a tool that can deal with encrypted drives (e.g. EnCase), so I need to figure out a way to make an image of decrypted file system.

What I want to do is to make a live acquisition from the booted system, following the procedure:
1. make a clone of the original drive
2. attach the clone to my forensic laptop via blocker
3. boot up the system from the clone (by choosing the clone in the boot sequence startup menu)
4. image running system using FTK Lite

Do you find this procedure adequate and forensically sound? Or can you come up with something else?

Another thing - will I be able to make an actual full physical copy of the clone that way?

Posted : 22/09/2014 5:27 pm
jaclaz
(@jaclaz)
Community Legend

If you have the Admin credentials
http://digital-forensics.sans.org/blog/2009/09/11/decrypting-a-pointsec-encrypted-drive-using-live-view-vmware-and-helix/

jaclaz

Posted : 22/09/2014 5:35 pm