1) unprotected .e01 evidence files
2) password-protected .e01 evidence files (which can also be opened without the password)
3) fully AES-encrypted .e01 evidence files
are all possible
Just ask yourself this. If one control fails, e.g. physical security, does your solution still offer sufficient protection for the data you're trying to protect?
1) unprotected .e01 evidence files
2) password-protected .e01 evidence files (which can also be opened without the password)
3) fully AES-encrypted .e01 evidence files
are all possible
1 and 2 are unencrypted. The password adds no protection whatsoever.
3: are you talking about the FTK Imager variant? If so, how strong is the key derivation? If you're talking about encrypted Ex01 files, how strong is the key derivation?
The other issue that hasn't been broached is interoperability when using encryption. For instance, my TD1 doesn't support encryption, so I cannot encrypt evidence when acquiring using the TD1. I do that as often as possible, even when in the lab, so I don't tie up a computer for imaging. Using TrueCrypt would be possible after imaging, but that adds another step. Cellebrite doesn't appear to support any encryption when creating an image of a phone either.
TrueCrypt works well on most systems, but it does add another layer of complexity when going from EnCase or FTK on Windows to BlackLight on Mac or SANS SIFT or other Linux tools.
Encrypted Ex01 is basically a non-starter for me. FTK 4.0.2 supports it, but not BlackLight or SIFT (as far as I know). I’m not going to limit what tools I can use so I can use encryption.
So, I use physical security where encryption isn’t practical. Access to my lab is restricted to just me, and when I’m not working on an image, the drive is stored in a safe inside my lab. In my opinion, this is a good balance between security and usability.
X-Ways does real 256 bit AES encryption on E01s, but I don't know what other tools can read them.
I've never encrypted anything to store my images, nor have the RCFLs that I know of.
If I had to send an E01 to someone and it had to be secure, I would throw it in a TrueCrypt container and send the password out of band.
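The "wrap it in a container, send the passphrase out of band" step above, as an added example that is not part of the original thread: it uses openssl instead of TrueCrypt (which is no longer maintained), derives the AES-256 key with PBKDF2 rather than openssl's legacy single-pass derivation (the "how strong is the key derivation" point raised earlier), and checks that the decrypted copy hashes identically to the original. The file names, passphrases and sample bytes are constructed for the demo; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: AES-256 container around an acquired
# image with openssl, PBKDF2 key derivation, and a SHA-256 round-trip check.
# Assumes openssl >= 1.1.1 (for -pbkdf2 / -iter). The passphrase file is the
# secret you would send out of band; the hash is what goes in the custody note.

set -e

# Constructed stand-in for an acquired .E01 (not a real EWF file).
make_sample_image() {
    printf 'constructed sample image payload, not a real E01\n' > "$1"
}

# Encrypt $1 into $2 with the passphrase held in file $3.
# -pbkdf2 -iter replaces the legacy one-pass EVP_BytesToKey derivation, which
# is what makes a "password-protected" container cheap to brute-force.
encrypt_image() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 into $2 with the passphrase held in file $3.
decrypt_image() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
        -in "$1" -out "$2" -pass "file:$3"
}

# SHA-256 of a file, digest only.
file_hash() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Full workflow. Returns 0 when the decrypted copy matches the original hash
# and the wrong passphrase cannot yield a matching image. CBC mode has no
# built-in authentication, so the recorded hash is the integrity check.
demo() {
    tmp=$(mktemp -d)
    make_sample_image "$tmp/case.E01"
    printf 'correct horse battery staple\n' > "$tmp/pass.txt"
    printf 'not the real passphrase\n' > "$tmp/wrong.txt"

    before=$(file_hash "$tmp/case.E01")
    encrypt_image "$tmp/case.E01" "$tmp/case.E01.enc" "$tmp/pass.txt"
    decrypt_image "$tmp/case.E01.enc" "$tmp/case.dec.E01" "$tmp/pass.txt"
    after=$(file_hash "$tmp/case.dec.E01")
    if [ "$before" != "$after" ]; then
        echo "hash mismatch after decrypt" >&2; rm -rf "$tmp"; return 1
    fi

    # A wrong passphrase normally fails on padding; in the rare case it does
    # not, the output still must not hash to the original.
    if decrypt_image "$tmp/case.E01.enc" "$tmp/bad.E01" "$tmp/wrong.txt" 2>/dev/null \
        && [ "$(file_hash "$tmp/bad.E01")" = "$before" ]; then
        echo "wrong passphrase recovered the image" >&2; rm -rf "$tmp"; return 1
    fi

    rm -rf "$tmp"
    echo "ok: sha256 $before"
    return 0
}
```

Run `demo` for the round trip; the receiving side only needs openssl, so the decrypted E01 can then be opened in whatever tool they have. The hash recorded before encryption is what the recipient compares against after decryption.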
I've used X-Ways to encrypt E01 images before and it works fine, but you need X-Ways on the other end to read it, so it's not always practical.
Dizi, do you check the new drives prior to wiping them? A quick look with X-Ways/EnCase/FTK will tell you if there is any data; new drives are usually all zeros, so a 5 second check could save several hours of wiping :)
Drives are wiped. I was thinking of using a WiebeTech Encryptor in line, which gives full AES 256-bit encryption. I will decrypt when transferring to the analysis machine.
Om