imaging encrypted drives and empty space
One of my peers in another division is planning to 'image' whole-disk encrypted drives (BitLocker, TrueCrypt, Utimaco, et al).
He plans to decrypt, image, then re-crypt the drives.
I was wondering - when drives are decrypted - does the encryption software take a short cut and not write out the "empty" space?
It would make perfect sense not to do so, from the perspective of the software. If there is 30GB of usable data on a 250GB fully encrypted drive, why decrypt the "empty" space, when there is nothing normally on there?
What about slack space? If the block sizes change from the encrypted version to the non-encrypted version, that would clearly be destroyed.
Any experience with various solutions?
I am asking because I suggested that in this case, it is better to bring up the machine, note the changes and image it encrypted but within the OS… These machines are always in use, that is, they are off and on frequently - state changing.
Usually full disk encryption would encrypt all of the disk including free space. If you encrypt a drive partition, something like truecrypt would provide you with an option to either encrypt everything on the disk or to encrypt the data and provide a wipe of the free space (to save time). When the free space is then used it would be encrypted on the fly. If you were to image such a partition then both the encrypted data and the free space would be available (however, the free space would have been wiped).
If you are imaging a full drive encryption such as truecrypt you can image the drive as normal. Mount it in a virtual machine and decrypt and image it via the virtual machine. That way you fully preserve the original disk (although it's likely to be a pain - most disk encryption is). If you do not wish to do this and it is not of concern (as you state the system has been in use etc. and the implications of booting are acceptable) then you could boot and image if that was appropriate.
If the machine is implementing some form of chip/BIOS full disk encryption, booting into something like the Helix CD and performing the acquisition via a mount in read-only mode will probably be the best option.
In the event you have something implementing chip based software encryption then run out of the door. You may then start to think again about live imaging given the fact, as you state, that the computer has been in use throughout.
I am particularly interested in decryption i.e. deinstall of a full disk encryption solution - and the resulting process of "empty space".
I understand that most FDE would encrypt empty space too. My issue is when decryption happens... will the software "decrypt" the encrypted but empty space, or take a short cut and just write blanks out 'to save time'?
Obviously everything depends on the algorithm implemented; however, in general FDE would encrypt and decrypt space on the disk regardless of what is stored. Hence, if you were to decrypt a drive and then image it, you would image the full disk including the unallocated clusters as per their actual storage (the encryption algorithm wouldn't generally write out the unallocated areas as blank space since it would take more time for the file table lookup).
Of course you may have issues in terms of gaining access to certain space on a drive if a person is implementing a hidden OS partition in something like Truecrypt.
If it's full-disk encryption and not an encrypting filesystem, it's likely that the disk-encryption layer has no real knowledge of what filesystem is on top of it. (For example, device-layer encryption on Linux is so.) It has no knowledge of which space is free and which isn't, so the whole thing is encrypted (and it'll all be decrypted).
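The point made in the answers above (a device-layer cipher keys off sector position and has no idea which sectors the file system considers free) can be shown with a small simulation. This is an added example, not code from any poster or from a real FDE product: it uses a constructed 8-sector disk, a constructed key, and a SHA-256 keystream XOR as a stand-in for a real sector cipher such as XTS. It contrasts a faithful whole-device decrypt with the hypothetical "skip free space" shortcut the question worries about, and reports which sectors of forensic interest would be lost.

```python
import hashlib

SECTOR = 16                     # constructed toy sector size; real disks use 512 or 4096
KEY = b"constructed-demo-key"   # constructed demo key, not a real FDE key


def keystream(key: bytes, sector_no: int) -> bytes:
    # Keystream depends only on the key and the sector number, the way a
    # device-layer cipher (dm-crypt/XTS) keys off position, never file-system state.
    return hashlib.sha256(key + sector_no.to_bytes(8, "big")).digest()[:SECTOR]


def crypt_device(image: bytes, key: bytes) -> bytes:
    # XOR every sector with its keystream. XOR is its own inverse, so one routine
    # stands in for both encrypting and decrypting the whole device, sector by sector.
    out = bytearray()
    for n in range(len(image) // SECTOR):
        blk = image[n * SECTOR:(n + 1) * SECTOR]
        out += bytes(a ^ b for a, b in zip(blk, keystream(key, n)))
    return bytes(out)


def build_plain_image():
    # Constructed disk: sectors 0-2 hold a live file, sector 3 is that file's last
    # cluster with slack residue after "tail", sectors 4-7 are unallocated but still
    # carry remnants of a deleted file. Returns (plaintext image, allocated sectors).
    live = b"LIVE-FILE-DATA-A" + b"LIVE-FILE-DATA-B" + b"LIVE-FILE-DATA-C"
    slack = b"tail" + b"SLACKRESIDUE"
    deleted = b"".join(f"DELETED-FILE-SC{n}".encode() for n in range(4, 8))
    return live + slack + deleted, {0, 1, 2, 3}


def shortcut_decrypt(enc: bytes, key: bytes, allocated: set) -> bytes:
    # The hypothetical shortcut from the question: decrypt only sectors the file
    # system marks in use and zero-fill the rest "to save time". A device-layer
    # cipher cannot do this, because it does not know which sectors are allocated.
    full = crypt_device(enc, key)
    out = bytearray()
    for n in range(len(enc) // SECTOR):
        out += full[n * SECTOR:(n + 1) * SECTOR] if n in allocated else bytes(SECTOR)
    return bytes(out)


def sectors_lost(reference: bytes, candidate: bytes) -> list:
    # Sector numbers whose content no longer matches the original plaintext image.
    return [n for n in range(len(reference) // SECTOR)
            if reference[n * SECTOR:(n + 1) * SECTOR] != candidate[n * SECTOR:(n + 1) * SECTOR]]
```

A whole-device decrypt reproduces every sector, so unallocated remnants and slack survive imaging; the shortcut keeps the slack in sector 3 but destroys sectors 4-7.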