
Full Disk Encryption

24 Posts
14 Users
0 Reactions
2,183 Views
(@sekotsydna)
New Member
Joined: 20 years ago
Posts: 1
 

I think the replies here have missed the point completely. The question comes back to this:
Does he make an image of the encrypted drive and then decrypt the drive to analyze it?

Or

Does he decrypt the drive and then make the image?

Andy

sachin
(@sachin)
Eminent Member
Joined: 20 years ago
Posts: 28
 

As per the forensic procedures he should first image the drive and then decrypt the image copy.

Bpacman
(@bpacman)
New Member
Joined: 20 years ago
Posts: 4
 

If you stick with standard forensic procedure you will probably get stuck with an encrypted image and no file system.

I noticed a big concern here is what the legal system would say about it. They don't know yet and can only expect you to do whatever it takes to collect the evidence and preserve its integrity. No matter how you had to collect it.

Harlan has alluded to the primary procedure for imaging an encrypted drive, which is a live acquisition. I don't know about you guys, but I have not seen a function in EnCase or FTK that asks you for a password or private key certificate so that it can show you the decrypted file system.

Our rollout team is also working on this issue and has asked me to help them verify the integrity of the encryption. The two main vendors that we have looked at are PointSec and Utimaco.

PointSec has a procedure in place for clients who use EnCase or FTK. This procedure allows for the system to be booted from a CD and a drive acquisition completed of the decrypted drive.

Utimaco has worked with Guidance Software and their EFS module (New in Ver. 6) has native support for handling drives encrypted with their software.

The only other tip I can give you from my playing with these two vendors is if you are going to do a live acquisition, you will want to grab the logical volume. If you make a physical drive image then what you will get is an image of an encrypted drive and no way to access the drives unless you restore the image to another drive and boot it up in the same computer. Unless the computer encrypted with PointSec or Utimaco is authenticated on a domain or through the local SAM, you won't get anything from it.

In time, procedures for doing this will change or become commonplace, but until then, you may want to consider doing a standard image, then follow up with a live acquisition and/or logical volume image.

PS: On another note. When your company starts encrypting all the laptop hard drives, you can expect a handful of the drives to die on you during the encryption process. It seems that the process can really stress a hard drive and the weak ones will fail.

Good Luck,

Bp
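A check for the situation described above, where a standard image yields an encrypted image and no file system, written as an added example (not code from this thread or from any vendor tool): it inspects the first sector of an acquired image for a file-system marker and measures byte entropy, so an examiner can confirm that a logical acquisition actually produced a readable volume before spending time on it. Sample images are constructed inline; the markers checked are limited to NTFS, FAT32 and the MBR boot signature.

```python
"""Check whether an acquired volume image presents a file system or only ciphertext.

Added example, not code from the thread or from any vendor tool. Sample images
are constructed inline; signature checks cover NTFS, FAT32 and the MBR marker only.
"""
import hashlib
import math
from collections import Counter

SECTOR = 512

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for structured data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_filesystem(sector0: bytes) -> str:
    """Look for well-known markers in the first sector of the acquired volume."""
    if len(sector0) < SECTOR:
        return "unknown"
    if sector0[3:11] == b"NTFS    ":      # NTFS OEM id
        return "ntfs"
    if sector0[82:90] == b"FAT32   ":     # FAT32 file-system type string
        return "fat32"
    if sector0[510:512] == b"\x55\xaa":   # boot signature present, no volume id
        return "mbr"
    return "unknown"

def assess_image(image: bytes) -> dict:
    """A physical image of an FDE drive may still carry a readable MBR/pre-boot
    loader while the volume body is ciphertext, so both signals are combined."""
    ent = shannon_entropy(image[:64 * 1024])
    fs = detect_filesystem(image[:SECTOR])
    looks_encrypted = fs in ("unknown", "mbr") and ent > 7.9
    return {"filesystem": fs, "entropy": round(ent, 3), "looks_encrypted": looks_encrypted}

def constructed_ntfs_image() -> bytes:
    """Constructed sample: NTFS OEM id and boot signature, remainder zero-filled."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x52\x90"          # jump instruction seen in real NTFS boot sectors
    sector[3:11] = b"NTFS    "
    sector[510:512] = b"\x55\xaa"
    return bytes(sector) + bytes(SECTOR * 127)

def constructed_ciphertext_image() -> bytes:
    """Constructed sample: deterministic pseudo-random bytes standing in for ciphertext."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128 * SECTOR // 32))
    return b"".join(blocks)
```

On a real acquisition, pass the first 64 KiB of the logical volume image to `assess_image`; a result of `looks_encrypted` is the cue that the physical rather than the decrypted volume was captured.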
(@wilber999)
Eminent Member
Joined: 19 years ago
Posts: 30
 

This has been a very informative thread and very interesting.

First, my vote. Image the drive before trying to decrypt it. Always use the copy to do whatever is needed. I see it the same way as a password-protected file (just bigger and more difficult). As someone stated (loosely), the technology changes; forensically sound procedures do not.

I am currently a "security" analyst at a large company in which we evaluated many of the full disk encryption products and decided on Pointsec for about 600 laptops. Of course, the "toolbox" of forensic tools was thrown at each of them. I was unaware that Pointsec had worked with AccessData and Guidance about decryption. I would love for someone to post or provide more information, as it concerns me a bit. Pointsec does have the "system" to create a boot floppy or CD to decrypt the drive. I do know that the AccessData support forums on PRTK have a thread explaining how to extract the aspects of the disk to throw into PRTK. My success with testing the ability to break the encryption on three different products was zilch when attacking it for a week on each with what I considered "weak" passwords. My opinion at this point, excluding Bitlocker because I haven't tested it, is that the odds of breaking the encryption are very slim for small forensic labs. The larger labs that have multiple attackers (DNA from AccessData, for example) may have more luck. When all else fails, ask them for the password ;)

Thanks to the originator and the contributors for a great topic!

az_gcfa
(@az_gcfa)
Estimable Member
Joined: 19 years ago
Posts: 116
 

Wilber999 - I think it would be interesting to hear the reasons you selected Pointsec. I would like to know what capabilities you thought were beneficial, i.e. E-Key management, performance, ease of use, etc.

(@wilber999)
Eminent Member
Joined: 19 years ago
Posts: 30
 

When I started evaluating, the key features of what we were looking for were:
- Centralized Management and updating
- Remote Password Reset
- SSO (future need)
- SMS deployable
- Future RSA integration
- Long term experience and sound customer base

We then used Gartner to determine their take on the field leaders and spoke to existing customers and security providers for their opinion. I was also enthused when I found that Checkpoint was about to acquire the company, so there would be more capital for R&D. Their support and SEs were very knowledgeable and helpful also. And the company was American based (I apologize if this offended anyone). Taking that information and the price breaks for volume that we received, Pointsec was an easy choice.

Now PDA encryption, completely different story. While it is a completely different thread, my opinion is that PDA encryption seems to be about 3 times as complex as laptop full disk encryption. I had little success with full encryption and do not like folder encryption.

az_gcfa
(@az_gcfa)
Estimable Member
Joined: 19 years ago
Posts: 116
 

Pointsec does appear to have some good features.

Thanks for the info.



Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

EnCase Version 6 will decrypt SafeGuard Easy as long as you have their decryption suite. I have tested it and it works perfectly. It prompts for the user name and password and then decrypts.

You are unable to do a "live" acquisition of a SafeGuard Easy encrypted drive.

_nik_
(@_nik_)
Trusted Member
Joined: 19 years ago
Posts: 93
 

> You are unable to do a "live" acquisition of a SafeGuard Easy encrypted drive.

Is the logical volume encrypted, or is it the physical drive?

Thanks,
Nik



Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

Physical drive. SafeGuard decrypts in memory and then presents the data to you. I have been able to robocopy data out unencrypted, but that's only when the USB decryption is not turned on.

Page 2 / 3