Any recommendations for imaging a drive with TrueCrypt whole disk encryption? I have the password. I tried to boot the image in a virtual machine but it blue screens. Same results with a restored image in a forensic machine. I didn't have the suspect's machine at that time.
I'm considering putting a restored image in the suspect's machine and, if it boots, decrypting the drive and imaging it. Based on the suspect's statements, unallocated space is going to be important in this case.
Any thoughts or suggestions?
With the caveat that I've never tried this with a whole disk encrypted hard drive…
Can't you just attach the physical drive (or copy of the drive) via write blocker to your examiner box and mount it in TrueCrypt? Then image the mounted drive?
I mean just doing a full disk copy first, not imaging it then trying to mount the image…
Tom
When you say "it blue screens", is it a real blue screen, or an error like "Read error on xxx"? I vaguely remember a case of a coworker, where the subject had altered his logon message into something like "Fatal disk read error".
Everyone thought the disk was faulty, until someone typed in the password.
Roland
CdtDelta
I'll give it a shot and get back to you. I was thinking I may have issues getting unallocated space if TrueCrypt decrypts files as you access them, "on the fly". I'll see if PDE or VFS will get me there.
I'll also try connecting the restored drive to a machine with TrueCrypt installed and decrypting the entire drive to get the unallocated space.
digintel
I'm entering the TrueCrypt password and the OS starts booting but then gets a BSOD. Looks real. The user was not very sophisticated, but you never know.
Thanks
Rick
Well wait, if you are using PDE or VFS you won't be altering the data on the TrueCrypt drive. All the writes will be going to a cache file. So it would be similar to using a write blocker physically connected to the drive.
Tom
CdtDelta
I used PDE to mount it and TrueCrypt to decrypt it. TrueCrypt would only allow me to decrypt the logical volume, and I had to choose the "Mount Partition using system encryption without preboot authorization" option.
All is well.
Take care.
Rick
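The procedure Tom suggested above (attach the drive or its copy read-only, mount the volume in TrueCrypt, image the mounted decrypted volume) and the one Rick reported working (mount the partition "using system encryption without pre-boot authentication", then take the decrypted volume) can be done from the command line on a Linux examiner box as well. The script below is an added example, not something posted in this thread; it uses cryptsetup's TCRYPT support in place of the TrueCrypt GUI. Its assumptions: the input is a raw (dd) image of the whole physical disk taken through a write blocker, the encrypted OS partition is the first partition, the password sits alone on one newline-terminated line in a file (cryptsetup reads a TrueCrypt passphrase from stdin; TrueCrypt keyfiles, if any, would go in --key-file instead), cryptsetup 1.6 or later and The Sleuth Kit are installed, and it runs as root. The file name "suspect.dd", the mapping name "tc_suspect" and the helper names are made up for the example.

```shell
# Added example: decrypt-and-image a TrueCrypt system-encrypted disk image
# on Linux, everything opened read-only. Assumes: $1 = raw image of the
# whole disk, $2 = file holding the password on one line, $3 = output image.

# Pure helper: compare two sha256sum output lines by digest (first field).
hashes_match() {
    [ "${1%% *}" = "${2%% *}" ]
}

# Map the decrypted system partition read-only under /dev/mapper/$2.
# Reads the TrueCrypt passphrase from stdin. Prints the loop device so
# the caller can detach it afterwards.
tc_open() {
    image="$1"; name="$2"
    # -r: read-only loop device; -P: scan the partition table so partition 1
    # shows up as ${loop}p1 (assumption: the OS partition is partition 1)
    loop=$(losetup -r -P --find --show "$image")
    part="${loop}p1"
    # --tcrypt-system: the volume header lives in the TrueCrypt boot-loader
    # area, the same case the GUI's "mount partition using system encryption
    # without pre-boot authentication" option covers. --readonly: no writes
    # can ever reach the mapping.
    cryptsetup open --type tcrypt --tcrypt-system --readonly "$part" "$name"
    printf '%s\n' "$loop"
}

acquire() {
    image="$1"; passfile="$2"; out="$3"; name="tc_suspect"
    loop=$(tc_open "$image" "$name" < "$passfile")
    dev="/dev/mapper/$name"
    # Image the decrypted partition. conv=noerror,sync keeps going past
    # unreadable blocks and zero-pads them so offsets stay aligned.
    dd if="$dev" of="$out" bs=4M conv=noerror,sync
    # Verify: the decrypted source mapping and the image must hash the same.
    src=$(sha256sum "$dev")
    dst=$(sha256sum "$out")
    printf '%s\n%s\n' "$src" "$dst" > "$out.sha256"
    hashes_match "$src" "$dst" || { echo "hash mismatch" >&2; exit 1; }
    # Unallocated space only exists as plaintext once the volume is mapped,
    # so carve it from the decrypted image, not from the encrypted disk.
    blkls "$out" > "$out.unalloc"
    cryptsetup close "$name"
    losetup -d "$loop"
}

# Only touch devices when called with three arguments; sourcing the file
# just defines the functions.
if [ "$#" -eq 3 ]; then
    acquire "$1" "$2" "$3"
fi
```

Usage: `sh tc_acquire.sh physical.dd password.txt suspect.dd`. The sha256 file records both digests, so the claim that suspect.dd is a bit-for-bit copy of the decrypted partition is reproducible later. If the OS partition is not the first one, change the `p1` suffix; if the disk used a hidden operating system, the outer-volume password will map the decoy system and not the hidden one.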
Using
You could perhaps combine that with the information in
I only used the UBCD4WIN environment in a non-forensic setting before, so I did not need to take the steps to ensure a forensically sound environment. I was faced with a laptop that had full disk encryption. I knew the TrueCrypt password and merely needed to access the files in the volume.
You may also find your answer in
With some hacking and some testing, you should be able to achieve your goal, or at least get explain-ably close.
… and, of course, you'll post a follow-up with the outcome )
I checked out the links and I'll give it a try once my desk clears a little. I could try UNetbootin with the boot disk and run it from a flash drive. I'll shoot you an email when I get it working.
Clone the HD and place the clone back in the S-1 machine. Boot, enter the key, and image to an external HD.