I have come across a situation where the contents of a HDD are being encrypted on a run-time basis using a piece of software (not sure what the software is though). The contents can only be viewed by the creator and the administrator. I have a couple of questions here:
1. If the disk is to be imaged, will I be able to view the data without the user credentials / admin credentials?
2. Do I need to get the files decrypted before imaging to ensure all data is visible without any special credentials?
I am new to the group, hence I am not sure if someone has raised this issue before. Any help will be highly appreciated!!
From what you have just written, are you saying the software is encrypting the data when it is turned on, rather than storing it as encrypted and decrypting it when the software is run?
If that is the case then a standard image should get all the data.
If it's the other way round (data encrypted, but decrypted by the software) then it may be more complicated.
Thanks for posting a reply.
The encryption software is always running as a process in the background and new documents are getting encrypted as they are added, is what we understand. What are our chances of getting the data in this case?
Collect a logical image. This is the safest option for you. While imaging the logical drive/partition, make enquiries about the encryption software in use and the password, and check if this encryption is supported by your forensic tools. FTK and EnCase have a pretty good (not perfect) range of support for encrypted drives. If supported, you can later (if needed) collect the physical image of the drive and use your forensic tool to decrypt it. Decrypting the disk at the location may take several hours, so unless you have plenty of time the above option is probably the best.
BTW, I think similar questions have been answered about 1,000 times on this forum; searching it might give you a much quicker answer to your question.
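One triage step behind the advice above, as an added example that is not from any poster in this thread: before choosing between a logical and a physical image, read the first sector of the volume and check whether it is a full-volume container (which a physical image will capture only as ciphertext) or a plain filesystem. The signatures used are the BitLocker OEM ID "-FVE-FS-" and the LUKS header magic; the entropy fallback for header-less containers is a heuristic, and the sample sectors below are constructed for the demonstration.

```python
import math
from collections import Counter

# Volume boot record OEM IDs (bytes 3..10) -> (label, full-volume encrypted?)
OEM_SIGNATURES = {
    b"-FVE-FS-": ("BitLocker", True),
    b"NTFS    ": ("NTFS", False),
    b"EXFAT   ": ("exFAT", False),
}
LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS1/LUKS2 header magic at offset 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_volume(sector0: bytes, data_sample: bytes) -> dict:
    """Classify a volume from its first 512 bytes.

    sector0:     first sector of the partition (from /dev/sdX1 or a raw image).
    data_sample: a chunk of sectors from further into the volume, used only
                 when no known header is present (VeraCrypt-style containers
                 have no signature, so entropy is the only hint).
    Note: file-level encryption such as EFS, or the background process the
    original poster describes, leaves the filesystem header intact and is
    NOT detected here; those files are still unreadable in a physical image
    without credentials, which is why a logical image is the safer choice.
    """
    if sector0.startswith(LUKS_MAGIC):
        return {"label": "LUKS", "full_volume_encrypted": True}
    hit = OEM_SIGNATURES.get(sector0[3:11])
    if hit is not None:
        label, encrypted = hit
        return {"label": label, "full_volume_encrypted": encrypted}
    ent = shannon_entropy(data_sample)
    return {"label": "unknown header, entropy %.2f" % ent,
            "full_volume_encrypted": ent > 7.9}


def _fake_vbr(oem: bytes) -> bytes:
    """Constructed boot sector: jump stub, OEM ID, zero padding to 512 bytes."""
    return b"\xeb\x52\x90" + oem + b"\x00" * (512 - 11)


# Constructed sample input, not data from the thread.
SAMPLE_BITLOCKER = _fake_vbr(b"-FVE-FS-")
SAMPLE_NTFS = _fake_vbr(b"NTFS    ")
SAMPLE_LUKS = LUKS_MAGIC + b"\x00" * (512 - len(LUKS_MAGIC))

if __name__ == "__main__":
    for name, vbr in (("bitlocker", SAMPLE_BITLOCKER), ("ntfs", SAMPLE_NTFS)):
        print(name, triage_volume(vbr, b""))
```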