Chain of custody may be one thing but if you're travelling globally and don't have data encrypted it may be inspected by airport staff - just check out the advisory for Saudi Arabia here. I'm not sure how you record that one on the chain of custody, especially if they confiscate the drive.
ronan,
I absolutely agree. I'm looking at every angle and not presenting my own opinion here.
So just so I'm clear, are you talking about encrypting them while you are acquiring or afterwards?
Doesn't matter really, as long as the target disk/image is encrypted. The disk can be encrypted before acquisition, during or after, though during would complicate things unless it's hardware level.
What specific encryption laws are you talking about? With respect to chain of custody, are you talking about being able to state that the data hasn't been altered or that the data hasn't leaked? With the former, that is done through documentation and verification of hashes. With the latter, it is more difficult, but we prevent leakage with strict rules regarding transportation of the data as well as where it is stored - in a controlled access room within our offices.
I do think, though, that encryption is something that the industry needs to start considering.
Greg,
I'm referring to laws such as those referenced in the following article http//
It's more a question of data leakage or asset theft, if the drive containing the image is lost in transit or stolen.
Chain of custody may be one thing but if you're travelling globally and don't have data encrypted it may be inspected by airport staff - just check out the advisory for Saudi Arabia
I'm curious how often people have problems traveling with evidence? In terms of it possibly getting confiscated. From the experiences I have, usually when I end up telling security what I do and ask if they could be careful because "x" case has evidence in it, they are more accommodating.
That being said I haven't traveled internationally with evidence, so I don't know if the attitude changes.
Tom
I'm curious how often people have problems traveling with evidence? In terms of it possibly getting confiscated. From the experiences I have, usually when I end up telling security what I do and ask if they could be careful because "x" case has evidence in it, they are more accommodating.
About 18 months ago I traveled back from Mexico City. No problem getting there with the equipment or coming back. I can't even remember if they looked through the bags at the equipment - I had about a half dozen hard drives and a bunch of various write blockers and internal PCI cards.
Also neither I nor my staff have had any problems traveling domestically.
Greetings,
I had significant problems traveling in Asia and will forever be more cautious.
Also, to state the obvious, if you check the cases containing your drives then your COC is broken. This is why I tend to ship drives back, encrypted, via two different carriers, or at least on two different days.
-David
Hi All,
I know within the Big Four that encryption is a way of life. Although encrypting the target drives limits our acquisition options, it was deemed a necessary hit to ensure that the client data that we transport off site is as secure as we can make it. Preparing an encrypted drive is no hassle, nor is setting it up to retrieve the image (we used TrueCrypt). There will be a performance hit, sure, but as mentioned above I don't think it's really noticeable. That said, how much of a performance hit you'll take does depend on the encryption used: using, say, AES it will be small, but you can use up to 3 encryption algorithms at once in TrueCrypt and that really affects performance.
In terms of the data being stolen or lost: what would you prefer to tell the client, that the information was on an open HDD and that potentially someone out there has access to sensitive data, or that it was securely encrypted and virtually unreadable? I mean they're still going to be *angry*, sure, but does it not at least minimise the impact (even just a little)?
I personally think it should be something the industry looks into. Having encryption is just another link in the chain of custody/data integrity.
Just my thoughts,
Cheers,
Kev
Greetings,
I had significant problems traveling in Asia and will forever be more cautious.
Also, to state the obvious, if you check the cases containing your drives then your COC is broken. This is why I tend to ship drives back, encrypted, via two different carriers, or at least on two different days.
-David
You're arguing that checking your evidence on a plane breaks your chain of custody, but shipping doesn't? One is as bad as the other, but this is why tamper-evident bags/envelopes exist. That said, I have always carried on.