I have imaged a drive that has PGP whole disk encryption and made a clone. I have the key and I can boot a cloned drive to the user login. I do not have the user login password, so I cannot image the drive live. How can I get past this? I have at my disposal X-Ways. I have the free download of FTK Imager, but it does not appear to handle this. I've attempted some boot CDs with forensic tools, but they are prevented from booting by PGP. I've attempted connecting with a crossover cable, but had no success in connecting to it. Any help would be appreciated.
John
Wallingford, CT USA
Is there a particular reason you want to image the drive live? I believe you can image it offline with certain tools (e.g. Elcomsoft Forensic Disk Decryptor).
No particular reason to image live. I looked at Elcomsoft Forensic Disk Decryptor, but for the source for the key, the possibilities are 1. Memory dump 2. Hiberfile.sys 3. Saved key. All I have is the key in text form.
Thanks for the response.
John
Well, if I were you, I would just ask *them*… they might have a product like that, too.
The best process I found for encrypted volumes, including PGP Whole Disk Encryption, is slaving.
Take an encrypted target drive, remove it from the target machine.
Connect the removed target drive to a master machine through a write-blocker as a secondary drive, or even as an external USB device.
The master machine has to have the en/decryption software installed. In this case PGP.
The OS drivers would recognize the slaved target drive as encrypted with PGP and ask for the passphrase.
In my experience, this is the same with BitLocker, Safeboot, Utimaco, etc.
I received the same suggestion from an associate. I installed PGP Desktop and connected a cloned drive to my forensic machine through a write blocker. I started PGP Desktop. It immediately recognized the drive. I keyed in the license key and it opened the drive!! It worked exactly as you described. Thanks!!
John
Minor note - in some instances the cloned slave would not work, as some volume encryption tools "sign" the encryption with the device details, such as the serial number and similar, to prevent exactly this scenario: cloning.
If you have the key, EnCase Forensic with the Encryption Decryption Suite (part of EnCase 7) should function.
Loading the image or previewed drive into Entries, EnCase should prompt you for the PGP credentials. From here on in you will be able to examine the device in a decrypted state. Used it recently, was given the PGP passphrase and was able to extract files of relevance - via a write blocker - without even imaging it!
If you do not wish to remove the drive from the machine - EnCase Portable has similar functionality.
Hommy, does your method also make it possible to create an unencrypted image of a PGP-encrypted drive once it is decrypted in EnCase 7? I am asking because there are still many limitations in EnCase 7 in terms of features, which still encourage reviewing the image in EnCase 6.