DDPE (Dell Data Protection) and Forensics

2 Posts
1 Users
0 Likes
1,035 Views
(@susenstoob)
Posts: 2
New Member
Topic starter
 

Hello all,

So looking to have some conversation with anyone else out there whose org is using DDPE (Dell Data Protection Encryption) for host-based encryption and what your evidence pre-processing looks like.

Here is what we are running into:

As DDPE is file-level encryption (rather than FDE), we are running into some issues with evidence processing. If we run a full decrypt on a hard drive (decrypting all the encrypted files) PRIOR to evidence processing, then we run into the issue of the decryption modifying timestamps of files before forensic analysis begins (as the DDPE decryption process will touch each and every file in order to decrypt).

The other method we have tried is creating an image of the encrypted DDPE hard drive, bringing that into FTK, and then using FTK's built-in hooks to present decrypted copies of the DDPE encrypted files (using the DDPE key). However, this presents a different issue as we cannot export the decrypted copies from FTK (as they are not true files on the file system).

So just looking to have some dialog with anyone performing regular forensic analysis on systems encrypted with DDPE.

Thanks!

susenstoob

 
Posted : 25/05/2018 2:55 pm
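The timestamp problem in the post above is that a full decrypt rewrites every file before analysis starts, so the original MAC times are gone by the time the decrypted tree is examined. One way to keep that evidence is to record a per-file manifest of the stat timestamps and a content hash from the read-only mounted image before the decrypt pass, then compare it against the tree afterwards so every changed field is documented. The script below is an added example written for this thread; it is not code from the poster, from Dell or from FTK, and it assumes nothing about DDPE itself (the `os.utime` call in `demo_run` is a constructed stand-in for "a pass that touches the file", and the file names and contents are constructed sample data).

```python
"""Build and compare per-file timestamp manifests around a pass that rewrites files.

Added example for the forum thread; not from the original post, Dell or FTK.
It only records what os.lstat reports before and after some pass touches a tree.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Timestamp and size fields taken from os.lstat (nanosecond precision).
STAT_FIELDS = ("st_atime_ns", "st_mtime_ns", "st_ctime_ns", "st_size")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative POSIX path) to its stat fields and SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            # Stat BEFORE reading: hashing opens the file, and on a filesystem
            # mounted without noatime that read can itself update atime. Run this
            # against a read-only mount of the image whenever possible.
            st = os.lstat(p)
            entry = {f: getattr(st, f) for f in STAT_FIELDS}
            entry["sha256"] = sha256_file(p)
            manifest[p.relative_to(root).as_posix()] = entry
    return manifest


def save_manifest(manifest, out_path):
    """Write the manifest as sorted JSON so it can be hashed and kept with the evidence."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def diff_manifests(before, after):
    """Report files added/removed and, for each surviving file, which fields changed."""
    result = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": {},
    }
    for rel in sorted(set(before) & set(after)):
        fields = [k for k in before[rel] if before[rel][k] != after[rel][k]]
        if fields:
            result["changed"][rel] = fields
    return result


def demo_run():
    """Constructed demo: two sample files, then one is touched the way a rewrite would touch it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"constructed sample content\n")
        (root / "todo.txt").write_bytes(b"constructed, left untouched\n")
        before = build_manifest(root)
        # Stand-in for a pass that rewrites a file in place: push atime/mtime back
        # to 1970. ctime moves as well, because the kernel updates it on utime.
        os.utime(root / "docs" / "report.txt", ns=(1_000_000_000, 1_000_000_000))
        after = build_manifest(root)
        return diff_manifests(before, after)


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

In practice the "before" manifest would be built from the mounted image and saved with `save_manifest` (and its own hash noted) before any decrypt is run; the "after" manifest from the decrypted tree then shows exactly which timestamps the decryption pass rewrote, and the pre-decrypt values remain available for the timeline. Expect `st_atime_ns` to differ on untouched files too if the source is mounted read-write without `noatime`, since hashing reads them.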
(@susenstoob)
Posts: 2
New Member
Topic starter
 

Bump

susenstoob

 
Posted : 07/06/2018 4:35 pm