Would it still be considered forensically sound if you removed the encryption from a laptop to create an image? Has anyone come across this and, if so, what are the accepted procedures for acquiring a forensic image of an encrypted drive? Seems to me like a catch-22: you don't want to modify the drive but need to in order to create the image…
What is it encrypted with? EnCase (and others) can sometimes decrypt the image if you have the credentials. If not, image the drive with the encryption, then boot and capture a live image.
It isn't an actual case, it was just something that came up in discussion with some of my colleagues and I wanted to get some other opinions.
See, I was unaware that forensic tools had the ability to decrypt the drive with the credentials. But that would appear to me to be the best practice. The other solution of imaging the drive encrypted then booting into the image to capture the live image also seems viable. Thanks for the tips!
In my opinion, it depends, since not all encryption schemes have integration with forensically sound tools. For example, EnCase has a module that will read Symantec Endpoint Encryption hard drives in a forensically sound manner, but in cases like Pointsec Endpoint Encryption the only way to get at the unencrypted data is to decrypt the drive first with a Pointsec-provided tool.
I will typically take an image of the encrypted drive in the normal fashion, with documentation / validation. Then take a copy of the image/drive to work with for the decryption component (Pointsec is easiest to deal with by using Bart PE within a Virtual Machine of the disk image). That way you can document any changes from mounting the image for acquiring the plain text content, while maintaining the untainted original drive so you can replicate the findings.
So that's two for creating an image of the encrypted version of the drive, then copying that and working off the copy. Thanks for the comment, piratefrog.
This comes up in corporate world all the time.
As was said before, it depends on the encryption/decryption tool.
If the decryption process takes short-cuts, for example does not decrypt the empty space, then the decrypted image is not sound in my opinion.
In cases where I am not familiar with the encryption/decryption solution, I live image the logical drive of the machine, and take copious notes.
I know the whole-disk encryption tools TrueCrypt, Sophos/Utimaco SafeGuard, McAfee SafeBoot, and BitLocker do decrypt empty space.
What is it encrypted with? EnCase (and others) can sometimes decrypt the image if you have the credentials.
Imagine this scenario: you only use free/open tools and have created an AFF image from a BitLocker-encrypted HD… The court will accept this procedure:
- restore the AFF image to another drive
- attach the HD to your forensic computer as external drive
- open the drive with the recovery key
- make a new image from the decrypted HD
I come across this all the time.
In order to remove the encryption you are changing the "original" which is against the fundamentals of forensics - at least on the face of it.
In this scenario the most important aspect is that everything you do is verifiable.
I firstly take a copy of the original hard drive, using something like a data solo (it's quicker than taking an image and restoring), and then put the original back into storage.
Then, working on the copy, I remove the encryption. The most common I come across is Checkpoint, and there is a workaround for it in the corporate environment which allows you to mount the drive, and you are then able to obtain a forensic image.
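The point made in this post and in piratefrog's earlier one is the same: image the encrypted drive, verify the image, do all decryption work on a copy, and keep a record that lets anyone re-check that the original was never touched while the copy was. The script below is an added example of that record-keeping, not code from any poster or from any of the tools named in the thread. It assumes the acquired image and its working copy are plain files; the "decryption work" on the copy is stood in for by a single 512-byte overwrite (a constructed stand-in for the pre-boot login log write mentioned later in the thread), and the sample image itself is constructed random data.

```python
"""Added example (not from the thread): a minimal chain-of-custody log for the
"image the encrypted drive, then work on a copy" workflow the posters describe.

Hypothetical assumptions: the acquired image and the working copy are ordinary
files; whatever decryption/mounting is done to the copy is represented only by
re-hashing the copy afterwards.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLog:
    """Append-only list of timestamped, hashed observations about image files."""

    def __init__(self):
        self.entries = []

    def record(self, step, path):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "step": step,
            "path": os.path.basename(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def dump(self):
        return json.dumps(self.entries, indent=2)


def make_working_copy(original, working, log):
    """Hash the original, copy it, hash the copy; refuse to continue if they differ."""
    before = log.record("hash original before copy", original)
    shutil.copyfile(original, working)
    copy = log.record("hash working copy after copy", working)
    if before["sha256"] != copy["sha256"]:
        raise RuntimeError("working copy does not match original; not verifiable")
    return copy["sha256"]


def verify_original_untouched(original, expected_sha256, log):
    """After work on the copy, re-hash the original to show it was never modified."""
    after = log.record("hash original after work on copy", original)
    return after["sha256"] == expected_sha256


def demo(workdir=None):
    """Run the workflow on a constructed image; return (original_intact, copy_changed, log)."""
    workdir = workdir or tempfile.mkdtemp()
    original = os.path.join(workdir, "laptop_encrypted.dd")
    working = os.path.join(workdir, "laptop_encrypted_working.dd")

    # Constructed sample: 1 MiB of random bytes standing in for ciphertext.
    with open(original, "wb") as f:
        f.write(os.urandom(1 << 20))

    log = EvidenceLog()
    acquired_hash = make_working_copy(original, working, log)

    # Stand-in for decryption work on the copy: one 512-byte sector overwritten,
    # the kind of side effect a pre-boot login log write would have.
    with open(working, "r+b") as f:
        f.seek(4096)
        f.write(b"\x00" * 512)
    changed = log.record("hash working copy after decryption work", working)

    original_intact = verify_original_untouched(original, acquired_hash, log)
    copy_changed = changed["sha256"] != acquired_hash
    return original_intact, copy_changed, log


if __name__ == "__main__":
    intact, changed, evidence = demo()
    print("original intact:", intact, "| working copy changed:", changed)
    print(evidence.dump())
```

The log is deliberately boring: four entries, each with a step name, size and SHA-256, which is exactly what a second examiner needs to repeat the comparison. Anything that changes the working copy shows up as a hash mismatch against entry two, while entries one and four staying equal is the evidence that the original was left alone.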
I've had to do PointSec drives. Not dealt with Checkpoint, but would guess it's a similar process.
I image the encrypted drive (whole of disk). I then convert the dd file to a VM with ProDiscover Basic, using the VM converter tool…which doesn't actually change the dd file, just creates a VM config file for it. Now trying to boot the VM will fail because the OS runs into hardware/driver issues, and I get the mighty BSOD. However, once you get past the initial PointSec login screen (yes…you need a valid PS login and password), you can activate the alternate boot menu. I select a virtual CD pointing at a modified BartPE ISO with the PointSec driver and plugins, and also an imaging tool like FTK Imager.
Getting the BartPE and the VM all set up can be a pain in the proverbial, but once it's done, it can be used repeatedly on new drives…with certain limitations.
You can then carve out the decrypted partitions on the disk and send the output to a second virtual disk that you have added to the VM. It's not as forensically sound as I would like, but PointSec has to load drivers to decrypt the data, and even the act of logging on at boot time changes the disk as it writes a success/fail log to the drive. However, this is happening on the copy, not the original.
Using the backup copy of the captured drive, I can always start the analysis again, and the notes are good enough to make everything repeatable.