Encrypting Acquisition Drives?

(@gentekkresearch7)
Eminent Member
Joined: 13 years ago
Posts: 25
Topic starter   [#10328]

I was curious if anyone had thoughts about encrypting acquisition drives to protect evidence? We primarily image a drive to a file. After the image is complete, use a hardware encryptor to encrypt the evidence drive, thus using a virtual lock and key to add an additional layer of security to the evidence before it is processed in the lab.

Please let me know your thoughts.

Tom



   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 20 years ago
Posts: 651
 

If your lab is secure why bother. Encryption just slows everything down and adds little benefit unless you are sending data out of the lab. Or are working on something so sensitive that all possible precautions need to be taken - this is very rare in my experience.



   
(@gentekkresearch7)
Eminent Member
Joined: 13 years ago
Posts: 25
Topic starter  

Paul,

That is a good point. I was just toying with the notion. All evidence is locked in a secure evidence room.

Thanks,

Tom



   
(@slamdek)
New Member
Joined: 17 years ago
Posts: 1
 

We typically encrypt our destination drives with TrueCrypt. We're shipping evidence cross country on a regular basis, though, so there is definitely a need.

Any insight into the discrepancy between transfer times using encrypted vs. non-encrypted destination media?



   
Adam10541
(@adam10541)
Honorable Member
Joined: 14 years ago
Posts: 550
 

> We typically encrypt our destination drives with TrueCrypt. We're shipping evidence cross country on a regular basis, though, so there is definitely a need.

My thoughts precisely, I only encrypt if the hard drive is being shipped by someone other than me, otherwise really no point.



   
(@joachimm)
Estimable Member
Joined: 18 years ago
Posts: 181
 

> If your lab is secure why bother.
Because disks have a tendency to leave the lab, sooner or later.

> Any insight into the discrepancy between transfer times using encrypted vs. non-encrypted destination media?

Highly depends on the solution. Software based encryption can have a significant performance impact.

You can also use hardware encryption, e.g. those of Addonics http://www.addonics.com/
which offer an encryption solution with little to no speed impact.



   
(@pragmatopian)
Estimable Member
Joined: 17 years ago
Posts: 154
 

We encrypt all acquisition drives with TrueCrypt as standard. There are two principal reasons for this:

[1] We sometimes have to ship disks. Sure, I could encrypt them when I need to ship them, but usually there's some kind of urgency at that stage, so I'd rather they were ready to go.

[2] Some of what we acquire is considered to be 'Personal Data' within the meaning of relevant Data Protection laws. Our Data Processing agreements with our clients typically require us to take 'technical and organizational measures' to protect such data; encrypting the data is one part of that.



   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 20 years ago
Posts: 651
 

I know of one company that sent a supposedly wiped disk to a police force who later discovered evidence of a previous case. If someone needs a drive to put evidence onto they get a new one shipped direct from the supplier.

If IIoC has ever been on a drive then it is marked as such and when it is retired it is destroyed.

I rarely need to send a drive with any sort of evidence to a third party - and the overhead to encrypt the data using TrueCrypt at this stage has never been an issue.

I do think managing risk is an important part of what we do, but don't (for a smaller company) see the need to encrypt every disk, just in case. If you feel a drive can inadvertently leave the lab then perhaps your procedures need revisiting :)



   
(@dizi357)
Active Member
Joined: 15 years ago
Posts: 11
 

We typically use E01 or TrueCrypt when shipping out somewhere else.

As far as within our office only (which is most of our volume), we do not encrypt because we keep all data within secured locations.

@Paul,

We don't trust the drives from manufacturers, as they can sometimes be refurbs with remnants of old user data. Instead, as a rule when we get a new drive in we wipe it with zeros start to end. I know you're thinking additional overhead, but we keep a stock of wiped drives on hand. If there is a sense of urgency we pull a new drive that we have already wiped off the shelf and just order another new one to replace that one.

-Dizi



   
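A check that fits the "wipe with zeros start to end, then shelve" routine described in the post above, as an added example that is not part of the thread or any poster's tooling: it reads a drive or image from start to end and reports every 512-byte sector that still holds non-zero data. The names `verify_zero_wipe` and `make_sample_image` are hypothetical, and the sample image is constructed for the demonstration.

```python
import os
import tempfile

SECTOR = 512
CHUNK = 2048 * SECTOR  # read 1 MiB at a time


def verify_zero_wipe(path, max_report=8):
    """Read `path` (block device or image file) start to end.

    Returns (bytes_read, dirty_sector_count, first_dirty_offsets).
    A drive passes only if dirty_sector_count is 0 and bytes_read
    matches the capacity you expect for that drive.
    """
    zeros = bytes(CHUNK)
    bytes_read = dirty = 0
    first = []
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                break
            # Fast path: compare the whole chunk against zeros.
            if chunk != zeros[:len(chunk)]:
                # Slow path: locate the offending sectors in this chunk.
                for i in range(0, len(chunk), SECTOR):
                    sector = chunk[i:i + SECTOR]
                    if sector.count(0) != len(sector):
                        dirty += 1
                        if len(first) < max_report:
                            first.append(bytes_read + i)
            bytes_read += len(chunk)
    return bytes_read, dirty, first


def make_sample_image(size, stale_at=()):
    """Constructed test input: zero-filled image with optional stale bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)  # extends the new file with zeros
        for off in stale_at:
            f.seek(off)
            f.write(b"stale case data")
    return path


if __name__ == "__main__":
    img = make_sample_image(3 * 1024 * 1024, stale_at=(3000 * SECTOR,))
    total, dirty, offsets = verify_zero_wipe(img)
    print(f"read {total} bytes, {dirty} dirty sector(s) at {offsets}")
    os.remove(img)
```

Run against a real device it needs read access to the raw disk, and the byte count should be compared with the drive's stated capacity so a truncated read is not mistaken for a clean wipe.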
(@scardoos)
New Member
Joined: 16 years ago
Posts: 1
 

@Dizi357

I'm just wondering what you mean by "E01 or TrueCrypt" since that boils down to a choice between 1) an unencrypted evidence file format or 2) a file system encryption scheme.

Are you saying that you sometimes just send out the E01 files of evidence that does not require any protection instead of choosing to spend the time to encrypt it first with TrueCrypt? If that's it, then what type of case is it that you send out unprotected?

In my own situation, I don't encrypt anything, but any transfer of evidence is done with a high level of physical security since I mostly work with classified material.

-Steve



   