Hello
I have been working on a case with a very intelligent suspect, so I have a few questions for all the forensics experts.
Symantec Endpoint Protection on boot
Is it possible to bypass it?
Can I recover data from the image?
How can I check whether a file is encrypted or not?
What steps can I perform?
I have an image of a drive, so how can I boot it in a virtual environment?
Thanks Everyone.
Waiting for your comments.
Hello
I have been working on a case with a very intelligent suspect, so I have a few questions for all the forensics experts.
Symantec Endpoint Protection on boot
Is it possible to bypass it?
Can I recover data from the image?
I don't understand these two questions, particularly since they are presented together. How does the first question pertain to the second one?
How can I check whether a file is encrypted or not?
What steps can I perform?
I'd start by looking at it. I'd also look to see what type of file it is…
I have an image of a drive, so how can I boot it in a virtual environment?
Depends upon the OS in question. If you're looking at a Windows system, then perhaps LiveView would be a good choice.
HTH.
You might want to check out
http//
Of note….
"Integrated with forensic data recovery tools to retrieve data from crashed or evidential hard drives (Guidance EnCase® Forensics)"
Looks like Symantec got all palsy with Guidance…wonder if they have the same tools for FTK? lol
It would be interesting to see what a SEP encrypted/protected drive looks like in the raw. PointSec has a signature approx 32330 bytes into the disk with the word "Protect!"…that's how I can tell I'm dealing with a PointSec drive before I waste my time trying to carve files from it.
It is not possible to bypass the encryption at all. To 'bypass' the encryption implies getting access to the data on the drive without having to go through the Symantec decryption process.
This is not possible. Therefore your intelligent suspect should not try to imply that someone else accessed his encrypted laptop without also acknowledging that the person also knew his credentials.
Yeah, EnCase integrates just fine if you have an enterprise key store. If you don't have access to the backup keys, not so much.
Symantec Endpoint Protection on boot
Is it possible to bypass it?
Can I recover data from the image?
You will need the relevant credentials to access the content of the disk.
How can I check whether a file is encrypted or not?
What steps can I perform?
If whole disk encryption is in place all files will be encrypted. If you're looking for encrypted files on an unencrypted disk then EnCase and FTK both have options for identifying protected files, or you could try opening the relevant files in a software capable of reading it.
I have an image of a drive, so how can I boot it in a virtual environment?
Live View generally works for me.
Hi,
Quick question - do you mean Symantec Endpoint Protection or Endpoint Encryption? They are different products.
Encryption you'd hope, generally, that you couldn't bypass, as that would be pretty pointless.
However, the end-point protection is an advanced AV/HIDS thingy which would start on boot (see http//
Let us know how you get on, saves someone else asking later :-)
Good Luck !
Well thanks a lot.
It is Symantec Encryption I am talking about. I have managed to image the file, so will it be possible to recover data? So, as you all said, it's impossible without credentials.
My second question was that I want to test a file which has no extension, and I have checked it with a tool, "TRid", given at filext.com. It is unable to associate it with any known extension. So how can I try it out?
Thanks
Adnan
My second question was that I want to test a file which has no extension, and I have checked it with a tool, "TRid", given at filext.com. It is unable to associate it with any known extension. So how can I try it out?
File signature analysis seems like the most sensible approach, although it will only work for file types with a signature and where the tool you're using is aware of the signature.
However, this approach won't work for all file types. TrueCrypt containers are a good example, although there are other tools which can identify files likely to be TrueCrypt containers based on other features (e.g. TCHunt).
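As an added worked example (not from the original thread, and not code from TrID, TCHunt, EnCase or FTK), the following Python script does the file-signature analysis this reply describes and adds the TCHunt-style fallback for headerless files: size a multiple of 512, above a minimum size, and near-random content. The signature table, the sample inputs, the entropy threshold and the "Protect!" offset taken from the PointSec remark earlier in the thread are all constructed here and are assumptions, not verified specifications; entropy stands in for the chi-square test TCHunt is described as using. Note the caveat the table cannot express: a matching header only tells you the container format, so an encrypted ZIP or PDF still reports as ZIP or PDF, which is why the entropy is reported next to the label.

```python
import math
import os
import random
from collections import Counter

# Constructed signature table: (label, magic bytes, offset where the magic is expected).
# Offset-0 entries are ordinary file headers. The last entry encodes a claim made earlier
# in this thread (the word "Protect!" roughly 32330 bytes into a PointSec disk); it is an
# assumption taken from that post, not a verified specification, so it gets a search window.
SIGNATURES = [
    ("PNG image", b"\x89PNG\r\n\x1a\n", 0),
    ("JPEG image", b"\xff\xd8\xff", 0),
    ("PDF document", b"%PDF-", 0),
    ("ZIP / OOXML / JAR archive", b"PK\x03\x04", 0),
    ("GZIP archive", b"\x1f\x8b\x08", 0),
    ("7-Zip archive", b"7z\xbc\xaf\x27\x1c", 0),
    ("RAR archive", b"Rar!\x1a\x07", 0),
    ("OLE2 compound file (legacy Office)", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0),
    ("PE executable", b"MZ", 0),
    ("ELF executable", b"\x7fELF", 0),
    ("PGP ASCII armor", b"-----BEGIN PGP", 0),
    ("PointSec-protected disk (thread claim)", b"Protect!", 32330),
]
OFFSET_SLACK = 256          # search window around a non-zero, approximate offset
HIGH_ENTROPY = 7.9          # bits/byte; 8.0 is the ceiling, ciphertext sits just below it
TC_MIN_SIZE = 19 * 1024     # TCHunt-style minimum container size (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Compressed and encrypted data both approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def match_signature(data: bytes):
    """Return the label of the first signature found, or None if the file is headerless."""
    for label, magic, offset in SIGNATURES:
        if offset == 0:
            hit = data.startswith(magic)
        else:
            lo = max(0, offset - OFFSET_SLACK)
            hit = magic in data[lo: offset + OFFSET_SLACK + len(magic)]
        if hit:
            return label
    return None


def looks_like_truecrypt_container(size: int, entropy: float) -> bool:
    """TCHunt-style heuristic on a headerless file: 512-aligned, not tiny, near-random."""
    return size >= TC_MIN_SIZE and size % 512 == 0 and entropy > HIGH_ENTROPY


def classify(data: bytes, total_size: int = None) -> dict:
    """Combine the signature scan with entropy so a headerless file is still described."""
    size = len(data) if total_size is None else total_size
    entropy = shannon_entropy(data)
    label = match_signature(data)
    if label is not None:
        # A header proves the format, not that the payload is readable (encrypted ZIP/PDF).
        verdict = label
    elif looks_like_truecrypt_container(size, entropy):
        verdict = "possible encrypted container (headerless, 512-aligned, near-random)"
    elif entropy > 7.5:
        verdict = "unknown, high entropy (compressed or encrypted payload?)"
    else:
        verdict = "unknown, low entropy (plaintext or structured data?)"
    return {"signature": label, "entropy": round(entropy, 3), "verdict": verdict}


def classify_file(path: str, sample: int = 4 * 1024 * 1024) -> dict:
    """Classify a file on disk using its true size and a leading sample for entropy."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(sample)
    return classify(head, total_size=size)


def make_constructed_container(size: int = 64 * 1024, seed: int = 1) -> bytes:
    """Constructed stand-in for an extensionless suspect file: deterministic random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    # Constructed samples, not evidence from the case in the thread.
    samples = {
        "png_header": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "plain_text": b"hello world " * 1000,
        "headerless_random": make_constructed_container(),
        "pointsec_claim": b"\x00" * 32330 + b"Protect!" + b"\x00" * 512,
    }
    for name, blob in samples.items():
        print(f"{name:18s} {classify(blob)}")
```

Run it against the extensionless file with `classify_file(path)`; a result of "possible encrypted container" is a lead to follow with a dedicated tool, not proof, and "unknown, low entropy" means the format is simply missing from the table, so extend `SIGNATURES` before concluding anything.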