What are your current procedures in cases where you stumble upon full disk encryption?
I am currently working on a case where I, using FTK Imager, mirrored a hard drive, only to find out that the data is encrypted with an unknown algorithm.
The suspect has provided me with a password, but in order to try it I need to boot up the computer.
My take is that, obviously, I want to start it up, since getting data, even if I alter some of the information on disk, is better than no data.
But what is your opinion? Is there an ideal way of doing this other than taking notes about the procedure?
Identify the encryption. Is it on-disk encryption – some hard drives do this. (Fairly easy – just check HDD spec sheets or tech manuals, and if it has been enabled) If so, it doesn't affect on-disk data (as far as I know, anyway.) Is it FDE software that needs to get started very early, prior to Windows boot (say, UEFI)? In that case, the password prompt or perhaps even boot code or UEFI partition content may identify the product or even give me code to analyze. Then I can often test it to see just what it changes. And what security options that I need to know about before I try.
This was fairly easy on pre-UEFI systems.
If I can't find it, I have no way to break unknown crypto, so I might as well give it a try. (With the client's approval, of course.)
In that case, I'd probably set RTC date and time to something out of the way, in the hope that modified files can be identified. But I obviously can't protect myself against a password that signals that the real user is not present, and makes the crypto software erase the private keys or the hard drive or …
(Obviously, I'd love to see some research into 'how can we identify FDE products?' and documented results.)
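The reply above asks how an FDE product can be identified before the machine is booted. As an added example (not code from any poster in this thread), the script below checks the first sector of an image for two well-documented on-disk signatures and otherwise falls back to a Shannon entropy estimate to flag an unrecognised but ciphertext-like volume; the sample sectors are constructed, and the 7.9 bits/byte threshold is an assumption.

```python
import hashlib
import math
from collections import Counter

# Well-documented on-disk signatures: (product, byte offset in sector 0, magic bytes).
# A BitLocker volume's boot sector carries the OEM ID "-FVE-FS-" at offset 3;
# a LUKS container starts with "LUKS" followed by 0xBA 0xBE.
SIGNATURES = [
    ("BitLocker", 3, b"-FVE-FS-"),
    ("LUKS", 0, b"LUKS\xba\xbe"),
]
HIGH_ENTROPY = 7.9  # assumed threshold: ciphertext approaches 8.0 bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for ciphertext, far lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_fde(sector0: bytes, sample: bytes) -> str:
    """Label a volume from its first sector plus a larger sample of its data."""
    for name, offset, magic in SIGNATURES:
        if sector0[offset:offset + len(magic)] == magic:
            return name
    if shannon_entropy(sample) > HIGH_ENTROPY:
        return "unknown-high-entropy"   # no known header, but looks encrypted
    return "plaintext-or-unknown"


def scan_image(path: str, sample_size: int = 1 << 20) -> str:
    """Read sector 0 and a leading sample from a raw (dd/E01-exported) image file."""
    with open(path, "rb") as f:
        sample = f.read(sample_size)
    return identify_fde(sample[:512], sample)


# Constructed samples (not taken from any real evidence):
BITLOCKER_SECTOR = b"\xeb\x58\x90-FVE-FS-" + b"\x00" * 501
LUKS_SECTOR = b"LUKS\xba\xbe\x00\x01" + b"\x00" * 504
# Deterministic pseudo-random bytes stand in for a volume with a headerless product.
RANDOM_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
PLAIN_SAMPLE = b"plaintext NTFS-like content, nothing encrypted here\n" * 160

if __name__ == "__main__":
    for label, sec in (("bitlocker", BITLOCKER_SECTOR), ("luks", LUKS_SECTOR),
                       ("random", RANDOM_SAMPLE[:512]), ("plain", PLAIN_SAMPLE[:512])):
        print(label, "->", identify_fde(sec, sec if len(sec) > 512 else sec))
```

A match on a signature tells you which vendor's recovery procedure to look up; a high-entropy result with no signature only tells you the data is ciphertext-like, which is the case where the boot prompt or boot code has to be examined instead.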
To identify which encryption has been used, the information provided
If the storage is removable and has SATA/IDE connections, then you could try using a Shadow 3 Voom (
This does not always work with encryption present though, as sometimes a bit of data needs to change to show that it has been unlocked. In this case, you'd need to boot up the device live and hope for the best.
If you have been able to image something with full disk encryption present, there is a table
Depends on the environment, and you've not provided full information. However...
I'm an internal corporate resource so this is the only stuff I have practical experience of; we had McAfee WDE foisted upon us by our outsourced provider. To image encrypted drives we need to boot the suspect computer from a USB stick with McAfee recovery utilities, then enter a date-based code generated by an application into the McAfee recovery utilities and one of
* username and password
* XML file
The XML file is generated by the McAfee ePO server, but if the computer with the encrypted drive hasn't been in touch with the ePO server for ~30 days then the ePO server can't generate the XML file.
However, we (not the outsourced provider) discovered that if you boot from the same USB stick as above and obtain the Key Check Value from Disk Information, then the McAfee server can generate the required XML file.
Under a previous support arrangement we had Bitlocker; there was a different procedure, but again it was recoverable.
So if the drive you have came from a corporate environment where they use McAfee (or Bitlocker), and you have access to the suspect computer, you can access the drive (Bitlocker was better for us in that we didn't need the host computer).
In terms of defensibility, as long as you document what you've done, my understanding is that the above is OK.
HTH
Peter
If you are concerned about altering the data on the original drive, you can use your imaging tool to create a clone of the original drive. You could also try restoring the image you created to a wiped drive. Put your new cloned/image restored drive into the computer and power it on. This might help you in determining the software used to encrypt the drive. If you cannot determine what software was used to encrypt the drive, and you have the login credentials, you could log in and then create an image of the drive in its decrypted state.