Does anyone know of any tools that can be run in order to screen for encryption on live machines before shutting them down and seizing them?
I gather CERT has CryptHunter (available to LE only), and then of course there is the command line tool cipher.exe that is native to W2K and above.
I was wondering however if anyone had any tools or procedures to recommend.
And do any of you check for encryption before shutting down and imaging machines?
Does anyone know of any tools that can be run in order to screen for encryption on live machines before shutting them down and seizing them?
I gather CERT has CryptHunter (available to LE only), and then of course there is the command line tool cipher.exe that is native to W2K and above.I was wondering however if anyone had any tools or procedures to recommend.
And do any of you check for encryption before shutting down and imaging machines?
I check manually with lots of note taking and when in doubt, I do live acquisition first before pulling the plug or shutting the system down. The decision to shut down or power off depends on hardware/software configuration (raid etc) of the system to minimise the chance of corruption.
Here is a free program that seems to work well from the testing I've done
"Ever worry that the system you are seizing uses whole disk encryption? Use ZeroViewTM freeware to find out." Burn ZeroView to a CD then pop it into the CD drive of the suspect machine and it will load into memory only and display the contents of Sector 0 allowing you to determine if whole disk encryption is employed on the suspect system. Once you know, then you can take the appropriate steps to capture and preserve the data you need.
Here is a link where this can be downloaded
http//