Can you provide any information about where PointSec talks about support for EnCase or FTK? I searched their website and couldn't find a reference to it. Is there a whitepaper or any additional info?
Thanks
Vito
EnCase Decryption Suite
* Support for Microsoft® Encrypting File System (EFS) encrypted files and folders, including domain-authenticated accounts.
* Support for decryption of PC Guardian® and Utimaco® disk-based encryption products.
* Support for Outlook® PST passwords (except Outlook 2004).
* Enables the automatic decryption and analysis of the Windows registry protected storage area for Internet Explorer®.
I'm interested in everyone's response regarding full disk encryption, from a forensic standpoint. I have worked for a few places that are starting to deploy full disk encryption for laptops. Although it definitely has its upside, from a forensic standpoint it looks like a nightmare. I'm interested in procedures from a legal and a forensic standpoint. I've been thinking about how to develop procedures for recovering fully encrypted drives. Here are my rambling thoughts regarding full disk encryption.
Make a forensic copy of the encrypted drive. Review the encrypted drive to ensure there is no additional evidence in the slack space; once that is complete, make an additional copy of the drive and decrypt it (assuming you have the keys and the ability to do this). Review as part of a normal forensic case. I'm a little curious as to how the courts will look at this.
I would like to hear everyone's thoughts regarding this, but please also remember what or how the courts will look at this. Thank you in advance for your thoughts.
My Thoughts
Our company utilizes full disk encryption on all our laptops. I think it's very important nowadays, with everyone thinking that they can walk out of a company with their laptops containing sensitive information. I do not want someone from the Social Security Administration going home with my information lying on an unencrypted drive.
Without full disk encryption (on the fly), encrypting data takes time and knowledge. IT in most places spends enough time teaching people how to print. Imagine them having to teach people to encrypt their files. And then you are leaving that task up to the employee, who may or may not encrypt the data. I think it is important to have full drive encryption to prevent these situations. It's the most secure.
Now from a forensics standpoint: IT SUCKS! Hahah. I do internal collections sometimes for our company's office of general counsel. We have to do ESI collections in response to litigation matters. Having to deal with full disk encryption really sucks. We have procedures to handle the situation, so I'm not saying we do not have a solution in our case, but the decryption process is time consuming. We utilize Safeboot. I did hear that EnCase is in the process of adding support for Safeboot so that you can decrypt the drive on the fly, with the login credentials or decryption file. Waiting on that to come out. Hopefully it will speed things up.
I think the replies here have missed the point completely. The question comes back to this:
Does he make an image of the encrypted drive and then decrypt the drive to analyze? Or
Does he decrypt the drive and then make the image?
Andy
Image then Decrypt!
In my personal experience, the decryption of some full disk encrypted drives does not always run smoothly; sometimes they will crap out in the middle of decrypting, and in those cases you are screwed unless you have made an image. It is best practice to always image first, in any computer forensic situation. You never want to tamper with the original evidence. Create an image (working copy), and decrypt that one.
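The "image, verify, then decrypt a working copy" workflow described in the original question and in the "Image then Decrypt!" reply above, written out as an added example (this is not code from the thread or from any of the vendors mentioned). Everything in it is constructed: the "drive" is a small file, and the vendor's full-disk-encryption layer is stood in for by a hash-derived XOR keystream so the script runs offline. PointSec and SafeBoot decryption are vendor-specific and are not what the stand-in does; the point the example makes is the procedural one: the original is only ever read, the image is hashed and verified before anything else happens, decryption is attempted only on a working copy, and when the decryption tool dies part-way the intact image lets you start over.

```python
"""Image-then-decrypt workflow: added example, not from the thread.

The FDE layer is a constructed XOR-keystream stand-in, not a real cipher
and not how PointSec/SafeBoot work. Hashing, acquisition and the
copy-before-decrypt discipline are the actual point.
"""
import hashlib
import os
import shutil
import tempfile

SECTOR = 512


def sha256_file(path):
    """Stream a file through SHA-256 (acquisition/verification hash)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(evidence_path, image_path):
    """Hash the original, copy it sector by sector, re-hash the original
    to prove it did not change, then hash the image. Returns
    (evidence_hash, image_hash); the caller checks that they match."""
    before = sha256_file(evidence_path)
    with open(evidence_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(SECTOR), b""):
            dst.write(chunk)
    if sha256_file(evidence_path) != before:
        raise RuntimeError("original drive changed during acquisition")
    return before, sha256_file(image_path)


def sector_keystream(key, index):
    """Constructed stand-in for a per-sector FDE keystream: NOT a real cipher."""
    block = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return (block * (SECTOR // len(block) + 1))[:SECTOR]


def xor_sector(data, key, index):
    return bytes(a ^ b for a, b in zip(data, sector_keystream(key, index)))


def make_encrypted_drive(plaintext, key):
    """Pad to whole sectors and 'encrypt' with the stand-in keystream."""
    padded = plaintext + b"\x00" * (-len(plaintext) % SECTOR)
    out = bytearray()
    for i in range(0, len(padded), SECTOR):
        out += xor_sector(padded[i:i + SECTOR], key, i // SECTOR)
    return bytes(out)


def decrypt_working_copy(image_path, work_path, key, fail_at_sector=None):
    """Copy the verified image to a working copy and decrypt the copy in
    place. fail_at_sector simulates the decryption tool dying part-way,
    the failure mode raised in the thread. The image is only ever read."""
    shutil.copyfile(image_path, work_path)
    with open(work_path, "r+b") as f:
        index = 0
        while True:
            pos = f.tell()
            sector = f.read(SECTOR)
            if not sector:
                break
            if fail_at_sector is not None and index == fail_at_sector:
                raise RuntimeError(f"decryption aborted at sector {index}")
            f.seek(pos)
            f.write(xor_sector(sector, key, index))
            index += 1
    return sha256_file(work_path)


def run_case():
    """Acquire, verify, attempt decrypt (fails), confirm the image is
    untouched, retry from the image, recover the plaintext."""
    key = b"constructed-demo-key"
    plaintext = b"case notes: laptop FDE\n" * 100   # constructed evidence
    result = {}
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "evidence.dd")
        image = os.path.join(d, "image.dd")
        work = os.path.join(d, "working.dd")
        with open(evidence, "wb") as f:
            f.write(make_encrypted_drive(plaintext, key))

        ev_hash, img_hash = acquire_image(evidence, image)
        result["image_verified"] = ev_hash == img_hash

        try:
            decrypt_working_copy(image, work, key, fail_at_sector=3)
            result["first_attempt_failed"] = False
        except RuntimeError:
            result["first_attempt_failed"] = True
        # The half-decrypted working copy is garbage; the image is not.
        result["image_intact_after_failure"] = sha256_file(image) == img_hash

        decrypt_working_copy(image, work, key)
        with open(work, "rb") as f:
            recovered = f.read().rstrip(b"\x00")
        result["plaintext_recovered"] = recovered == plaintext
        result["evidence_untouched"] = sha256_file(evidence) == ev_hash
    return result


if __name__ == "__main__":
    for name, ok in run_case().items():
        print(f"{name}: {ok}")
```

The hash taken before acquisition, re-taken after, and compared against the image is what lets the examiner say the copy is bit-for-bit identical to the device as it was seized; keep those values in the case notes. The aborted first decryption leaves a partially converted working copy, which is exactly why the decrypt step is never pointed at the image itself.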