Encrypted drives  

Page 1 / 2
hogfly
(@hogfly)
Active Member

As a matter of methodology….does anyone encrypt their target drives or acquired images?

Posted : 17/07/2009 3:29 am
kovar
(@kovar)
Senior Member

Greetings,

I generally wipe my acquisition drives, fill them 99% full with a TrueCrypt volume, and acquire into the TrueCrypt volume. The remaining 1% is for putting unencrypted notes on the drive.

This approach will not work with hardware imagers. I use a ThinkPad or MacBook Pro with an eSATA card and an eSATA-SATA write blocker running EnCase to do most of my acquisitions.

-David

Posted : 17/07/2009 4:29 am
hogfly
(@hogfly)
Active Member

David,
Would you say that it is industry standard to encrypt?
Do you think your acquisition/processing times are impacted?

Posted : 17/07/2009 5:58 am
kovar
(@kovar)
Senior Member

Greetings,

I don't think I am in a position to say if it is an industry standard or not. However, due to regulation, bad publicity, and lawsuits, corporations are certainly getting more careful about transporting data in the clear. But if a corporation is doing acquisitions internally and the drives are never going off site, they may decide not to use encrypted media. How many people in the industry are doing acquisitions and then transporting the images outside of the building or network?

There is certainly more prep time required using software-encrypted drives, though this can be addressed by preparing drives while equipment is otherwise idle. There is a performance hit, although likely small, and much smaller than encrypting the images using EnCase during the acquisition.

Another issue is that this method will not work with hardware imaging solutions so you have fewer imaging options.

-David

Posted : 17/07/2009 6:10 am
echo6
(@echo6)
Member

Would you say that it is industry standard to encrypt?
Do you think your acquisition/processing times are impacted?

The thing I like about truecrypt is;
1) It is open source
2) It is supported on Windows, Mac and Linux.

Hmm, I've never really tested it on acquisition/processing times. I have LUKS on my Linux laptop and FreeOTFE is supposed to support LUKS. I hate having to be tied to any one OS when I need to access the data. TBH on the Operating Systems I have utilised FDE I can't say I've really noticed a performance hit.

I'm beginning to see a lot of organisations insisting upon encryption for laptops and removable media. As for using it for protecting forensic images, I can't say I see many doing it, but you do raise an interesting point.

In some circumstances it may not be appropriate or feasible during acquisition, e.g. live data collection.

Posted : 17/07/2009 10:12 pm
gkelley
(@gkelley)
Active Member

Very interesting question. We do the majority of our imaging using Voom Hardcopy devices as they provide speed that our clients usually want. In some situations we use a boot disk like Helix.

Use of encryption would render the Hardcopy devices unusable. I would think that similar devices such as Logicube's devices would be put in the same situation.

Posted : 23/07/2009 11:59 pm
hogfly
(@hogfly)
Active Member

@echo6 Agreed, it is a good solution, though very time consuming. As David points out, it adds quite a bit of overhead in drive preparation.

Greg - Great points. Hardware duplicators are rendered useless, except for the Solo III; ICS sells a hardware-level disk cipher unit.

The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?

Posted : 24/07/2009 1:47 am
CdtDelta
(@cdtdelta)
Active Member

So just so I'm clear, are you talking about encrypting them while you are acquiring or afterwards?

Posted : 24/07/2009 2:51 am
ronanmagee
(@ronanmagee)
Active Member

The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?

Chain of custody may be one thing, but if you're travelling globally and don't have data encrypted it may be inspected by airport staff; just check out the advisory for Saudi Arabia here. I'm not sure how you record that one on the chain of custody, especially if they confiscate the drive.

Posted : 24/07/2009 5:12 am
gkelley
(@gkelley)
Active Member

Greg - Great points. Hardware duplicators are rendered useless, except for the Solo III; ICS sells a hardware-level disk cipher unit.

Forgot about that one, thanks for the reminder.

The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?

What specific encryption laws are you talking about? With respect to chain of custody, are you talking about being able to state that the data hasn't been altered or that the data hasn't leaked? With the former, that is done through documentation and verification of hashes. With the latter, it is more difficult, but we prevent leakage with strict rules regarding transportation of the data as well as where it is stored: in a controlled-access room within our offices.

I do think, though, that encryption is something that the industry needs to start considering.

Posted : 24/07/2009 5:45 am
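A worked example of the two technical points raised so far, written for this page and not taken from any poster, TrueCrypt, EnCase or any imaging product: David's workflow of acquiring into an encrypted volume while keeping notes on an unencrypted part of the drive, and Greg's point that integrity is established by documenting and re-verifying hashes. The script streams a source device into an image, hashes exactly the bytes written, zero-fills and records any sector that still fails after a sector-by-sector retry, writes a JSON manifest, and later re-hashes the image against that manifest. It assumes the image path sits inside an already-mounted encrypted container (LUKS or VeraCrypt; the script does no encryption itself) and the manifest goes to the unencrypted notes area. `FlakyDevice`, `SAMPLE_DATA`, the field names in the manifest and the temporary paths in `demo()` are all constructed for illustration.

```python
"""Acquire a source device into an image while hashing it; verify the image later.

Added example for this thread. Assumes IMAGE_PATH is inside a mounted encrypted
container (LUKS/VeraCrypt) and the manifest is written to an unencrypted notes area.
FlakyDevice and SAMPLE_DATA are constructed stand-ins, not real hardware or evidence.
"""
import hashlib
import io
import json
import os
import tempfile
import time
from typing import BinaryIO, List

CHUNK = 1024 * 1024  # normal read size
SECTOR = 512         # retry granularity after a read error; device size assumed sector-aligned

SAMPLE_DATA = bytes(range(256)) * 8  # constructed 2048-byte "disk": four 512-byte sectors


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a drive whose listed sectors return EIO on read."""

    def __init__(self, data: bytes, bad_sectors: List[int]):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, size: int = -1) -> bytes:
        start, total = self.tell(), len(self.getvalue())
        end = total if size < 0 else min(start + size, total)
        if end <= start:
            return b""
        if any(s in self.bad for s in range(start // SECTOR, (end - 1) // SECTOR + 1)):
            raise OSError(5, "Input/output error")
        return super().read(size)


def _read_sectorwise(src: BinaryIO, offset: int, want: int, bad_sectors: List[int]) -> bytes:
    """Re-read [offset, offset+want) one sector at a time. Sectors that still fail are
    zero-filled and their LBA recorded, so the manifest states what the image lacks."""
    out, pos = bytearray(), offset
    src.seek(pos)
    while pos < offset + want:
        try:
            piece = src.read(SECTOR)
        except OSError:
            bad_sectors.append(pos // SECTOR)
            piece = bytes(SECTOR)
            src.seek(pos + SECTOR)
        if not piece:
            break
        out += piece
        pos += len(piece)
    return bytes(out)


def acquire(src: BinaryIO, image_path: str, manifest_path: str, label: str, notes: str = "") -> dict:
    """Stream src into image_path, hashing the bytes actually written; write a JSON manifest."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_sectors: List[int] = []
    offset = 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(image_path, "wb") as dst:
        while True:
            src.seek(offset)
            try:
                buf = src.read(CHUNK)
            except OSError:
                buf = _read_sectorwise(src, offset, CHUNK, bad_sectors)
            if not buf:
                break
            md5.update(buf)
            sha256.update(buf)
            dst.write(buf)
            offset += len(buf)
    manifest = {
        "source": label, "image": os.path.basename(image_path), "bytes": offset,
        "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
        "bad_sectors": bad_sectors,  # non-empty: the hashes cover zero-filled sectors
        "started": started, "finished": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "notes": notes,
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path: str, manifest_path: str) -> bool:
    """Re-hash the image and compare with the manifest (on receipt, or before analysis)."""
    with open(manifest_path) as fh:
        expected = json.load(fh)["sha256"]
    sha256 = hashlib.sha256()
    with open(image_path, "rb") as fh:
        for buf in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(buf)
    return sha256.hexdigest() == expected


def demo() -> dict:
    """Clean acquisition, acquisition with an unreadable sector, then a tamper check."""
    with tempfile.TemporaryDirectory() as tmp:
        img, man = os.path.join(tmp, "clean.dd"), os.path.join(tmp, "clean.json")
        clean = acquire(io.BytesIO(SAMPLE_DATA), img, man, "constructed clean drive")
        img2, man2 = os.path.join(tmp, "flaky.dd"), os.path.join(tmp, "flaky.json")
        flaky = acquire(FlakyDevice(SAMPLE_DATA, [2]), img2, man2, "constructed drive, LBA 2 bad")
        flaky_ok = verify_image(img2, man2)
        with open(img2, "r+b") as fh:  # alter one byte after acquisition
            fh.write(b"X")
        return {
            "clean_hash_matches": clean["sha256"] == hashlib.sha256(SAMPLE_DATA).hexdigest(),
            "clean_verified": verify_image(img, man),
            "flaky_bad_sectors": flaky["bad_sectors"],
            "flaky_verified": flaky_ok,
            "tamper_detected": not verify_image(img2, man2),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes in the manifest are of the bytes written, not of the source, so a non-empty `bad_sectors` list is what tells the reader of the chain-of-custody record that the two differ; that list, the hashes and the timestamps are the fields to copy onto the custody form.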
hogfly
(@hogfly)
Active Member

Chain of custody may be one thing, but if you're travelling globally and don't have data encrypted it may be inspected by airport staff; just check out the advisory for Saudi Arabia here. I'm not sure how you record that one on the chain of custody, especially if they confiscate the drive.

ronan,
I absolutely agree. I'm looking at every angle and not presenting my own opinion here.

Posted : 24/07/2009 6:37 am
hogfly
(@hogfly)
Active Member

So just so I'm clear, are you talking about encrypting them while you are acquiring or afterwards?

Doesn't matter really, as long as the target disk/image is encrypted. The disk can be encrypted before acquisition, during or after, though during would complicate things unless it's hardware level.

Posted : 24/07/2009 6:39 am
hogfly
(@hogfly)
Active Member

What specific encryption laws are you talking about? With respect to chain of custody, are you talking about being able to state that the data hasn't been altered or that the data hasn't leaked? With the former, that is done through documentation and verification of hashes. With the latter, it is more difficult, but we prevent leakage with strict rules regarding transportation of the data as well as where it is stored: in a controlled-access room within our offices.

I do think, though, that encryption is something that the industry needs to start considering.

Greg,
I'm referring to laws such as those referenced in the following article: http://www.scmagazineus.com/New-laws-require-data-encryption/article/115552/ . Generally called "data breach laws".

It's more a question of data leakage or asset theft: if the drive containing the image is lost in transit, or stolen.

Posted : 24/07/2009 6:44 am
CdtDelta
(@cdtdelta)
Active Member

Chain of custody may be one thing, but if you're travelling globally and don't have data encrypted it may be inspected by airport staff; just check out the advisory for Saudi Arabia here. I'm not sure how you record that one on the chain of custody, especially if they confiscate the drive.

I'm curious how often people have problems traveling with evidence, in terms of it possibly getting confiscated. From my experience, usually when I end up telling security what I do and ask if they could be careful because case "x" has evidence in it, they are more accommodating.

That being said I haven't traveled internationally with evidence, so I don't know if the attitude changes.

Tom

Posted : 24/07/2009 7:15 pm
gkelley
(@gkelley)
Active Member

I'm curious how often people have problems traveling with evidence, in terms of it possibly getting confiscated. From my experience, usually when I end up telling security what I do and ask if they could be careful because case "x" has evidence in it, they are more accommodating.

About 18 months ago I traveled back from Mexico City. No problem getting there with the equipment or coming back. I can't even remember if they looked through the bags at the equipment - I had about a half dozen hard drives and a bunch of various write blockers and internal PCI cards.

Also neither I nor my staff have had any problems traveling domestically.

Posted : 24/07/2009 7:32 pm