I'm interested in everyone's response regarding full disk encryption, from a forensic standpoint. I have worked for a few places that are starting to deploy full disk encryption for laptops. Although it definitely has its upside, from a forensic standpoint it looks like a nightmare. I'm interested in procedures from a legal and a forensic standpoint. I've been thinking about how to develop procedures for recovering fully encrypted drives. Here are my rambling thoughts regarding full disk encryption.
Make a forensic copy of the encrypted drive. Review the encrypted drive to ensure there is no additional evidence in the slack space; once that is complete, make an additional copy of the drive and decrypt it (assuming you have the keys and the ability to do this). Review as part of a normal forensic case. I'm a little curious as to how the courts will look at this.
I would like to hear everyone's thoughts regarding this, but please also remember what or how the Courts will look at this. Thank you in advance for your thoughts.
Have you considered live acquisition?
I am not sure I fully understand the question… It's a little late in the day and I have stared at this monitor a bit too long.
Are you asking if we decrypt a drive of a dead system what the courts will think of this?
I wanted some clarification before I answered and hit way off the mark.
I didn't consider live acquisition, which may be a solution, but normally I would say we wouldn't have the chance for it. Live acquisition is very dependent, and truthfully I've never used it or seen it done. But my guess would be it would be even slower over the WAN. It doesn't seem like the forensic world has thought about full disk encryption very much. Sorry, this may be an uneducated statement, but I'm seeing a trend toward moving this way.
To BraneRift
I'm asking about a drive that has full disk encryption. We are now in the process of using full disk encryption as a standard for our laptops to ensure data security. My question to the world is what forensic procedures there are for recovering from that type of media.
If the drives have full encryption and the password is not known, it would be very difficult if not impossible to find any meaningful data. I would suggest that you have administrator access passwords for all encrypted laptops as part of the overall policy.
Alan
I fully understand that without access you will not be able to review. We have a corp key that can unlock the drives, but the question is, from a legal standpoint, what would be the proper procedures to forensically capture the drive?
We don't use EFS, but full disk encryption, such as PGP full disk; there are multiple vendors that have this type of product. We would have a key to decrypt the drive, that's not the issue. It's more to the point of having to access the drive to decrypt it. If you look at an encrypted hard drive it's basically a flat file for each partition, which gets mounted upon booting. With the daily release of companies losing data, I think it's only going to be a matter of time until this becomes a standard for laptops.
So I'm wondering about procedures for forensic recovery assuming we have the master key. I'm wondering, "forensically", what would be the proper method to recover it. Would you copy the encrypted drive as your evidence drive and then decrypt a copy of that to review, or would you decrypt and then make a copy for an evidence drive?
I don't think this has been brought before the courts yet; again, this may be my uneducated guess.
I agree, I would image the suspect drive first and then play with it in the lab later. PRTK will attack PGP disk; however, it fully depends on the strength of the key specified by the user. As everyone has said though, don't wait on that one forever. Other considerations are removable media in the area of the computer itself; sometimes people store passwords etc. all over the place. Being an investigator before a geek can come into play at this point.
The other consideration is that full disk encryption is a SERIOUS performance loss. Mac OS X now comes standard with features like encrypting your /home or secure virtual memory, but until you start seeing drive encryption rolling out on the drive (physically) or on the computer itself it is really of no concern.
There is also the consideration that if this were a criminal matter (or strong evidence in civil), an order can be rendered which states they must surrender all passwords associated with the computer or they could be held in contempt, which will leave them in jail for >* years P
I would think (since I have never come across full disk encryption yet) that it would be no different than anything else we do. We never change the original evidence on individual files we decrypt, so one would think that it should be the same for the entire drive. Copy the drive, decrypt (or attempt to), then proceed with the examination. This is the way I would handle this situation. Always maintain that original evidence even if you have the code to unlock it.
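The workflow in the post above (image the encrypted drive, hash it, decrypt only a working copy, keep the original untouched), as an added example that is not part of the original thread. It also shows the entropy triage check an examiner can run to confirm an image really is full-disk encrypted before deciding how to proceed. The "encrypted partition" file, the recovery key and `toy_decrypt` (a one-time-pad XOR standing in for the vendor's real decryption) are all constructed for the demo.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-GB images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte: ~8.0 is random-looking (encrypted/compressed); text is ~4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(path, sample=65536, threshold=7.9):
    """Triage check: does the image start with high-entropy data, as FDE would?"""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample)) >= threshold

def toy_decrypt(data, key):
    """Constructed stand-in for the vendor's decryption (one-time-pad XOR, not real FDE)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def examine(evidence_img, key, workdir):
    """Hash the evidence image, decrypt only a working copy, then re-hash the evidence."""
    before = sha256_file(evidence_img)
    working = os.path.join(workdir, "working_decrypted.img")
    with open(evidence_img, "rb") as src, open(working, "wb") as dst:
        dst.write(toy_decrypt(src.read(), key))
    return {"evidence_sha256": before,
            "evidence_unchanged": sha256_file(evidence_img) == before,
            "working_sha256": sha256_file(working), "working_path": working}

def demo():
    """Build a constructed 'encrypted partition' file and run the workflow on it."""
    plaintext = b"".join(b"CONFIDENTIAL payroll record %d\n" % i for i in range(2500))
    key = os.urandom(len(plaintext))          # stand-in for the corporate recovery key
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence_encrypted.img")
    with open(evidence, "wb") as f:
        f.write(toy_decrypt(plaintext, key))  # XOR is symmetric: this encrypts
    result = examine(evidence, key, workdir)
    result["encrypted_triage"] = looks_encrypted(evidence)
    result["decrypted_triage"] = looks_encrypted(result["working_path"])
    with open(result["working_path"], "rb") as f:
        result["recovered_head"] = f.read(31)
    return result

if __name__ == "__main__":
    print(demo())
```

The two hashes (evidence image before and after, plus the separate hash of the decrypted working copy) are what goes into the case notes, so the court can see the original was never written to.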
yep.
Technology will always change; however, our principal methodologies will always remain the same.
Hey! That's my new quote! LOL