Hi,
I have recently been given an E01 image of a device encrypted with Safeboot. The image was taken with FTK Imager; however, when I boot the image into EnCase it does not give the option to decrypt the data.
I had issues with this before; however, once I reimaged the original drive with EnCase, the encryption was detected. Is there a way to force EnCase to detect the encryption on the disk, or will a second capture be required via EnCase?
Thanks
Hello,
This is a fairly common problem, usually remedied in one of two ways:
1) You can "rescan" the device to trigger authentication. There's a button for this in EnCase v7.
2) Use the 32-bit version of EnCase to decrypt/reacquire.
#1 is the trivial case, whereas #2 is more common.
McAfee does not provide 64-bit DLLs to decrypt Safeboot devices. Therefore, only 32-bit EnCase is capable of decrypting Safeboot encrypted devices (at least for Safeboot 6 and EEPC 7).
If you are using 64-bit EnCase, try downloading/installing the 32-bit version. If it recognizes the Safeboot signature, it will prompt for credentials, then you can acquire the decrypted device for examination. Hope this helps.
ken
I've had this problem before. As already said, you need to use the 32-bit version of EnCase for SafeBoot to decrypt properly, and make sure you have the decryption suite installed and all of the certs in the correct folder.
A top tip: once you have decrypted the disk in 32-bit EnCase, save the case file and re-open it in 64-bit EnCase. It will open just fine. You can then mount the disk in its decrypted form (not available in 32-bit) and then don't have to use EnCase for analysis - win!