What can be obtained from an encrypted hard drive?

7 Posts
5 Users
0 Reactions
604 Views
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

I've heard that even when you have a fully encrypted hard drive that you cannot decrypt, that it is still possible to get SOME data off the hard drive.

In some cases I've heard that there are still some small fragments of the hard drive that remain unencrypted even with full disk encryption.
Other times I've heard reference to something called residual magnetic energy (I have no idea about this).

Could people please shed some light on what can be obtained, how much, by what methods and in what circumstances data can be pulled off a fully encrypted hard drive?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Well, with all due respect :), I also happened to hear about flying pigs and donkeys, besides of course elephants… 😯

IF a disk is properly and fully encrypted you can recover 0 data.

Of course there may be tens of flawed encryption methods that specifically have a specific way out or workaround, that may have originated some legends.

Residual magnetic energy (actually more generally "data remanence")
https://en.wikipedia.org/wiki/Data_remanence
is definitely "pure fantasy": all the real world experiments lead one to believe that there is no way to recover anything after a single wiping pass.
IF there were some possibilities on very old hard disks, since the advent of perpendicular recording there are simply NO chances, JFYI:
http://www.forensicfocus.com/Forums/viewtopic/t=9172/

jaclaz


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

What jaclaz said is spot on.

I'd like to add, why don't you test it?

Full disk encryption isn't some high end, expensive endeavor. Why take the word of strangers on the internet when you can easily test this yourself? It's one thing to say, "I heard…". It's much better to be able to say, "I tested…".

Terry


   
(@4144414d)
Eminent Member
Joined: 11 years ago
Posts: 33
 

By way of example of what jaclaz and twjolson are saying I've made you two TrueCrypt containers. One using a full format and one using a quick format. This isn't full disk encryption but the theory is the same. The password to both is 'password', although you don't need it.

You should however be able to recover a screenshot of your post from the quick container. So go and have a play with that.

https://drive.google.com/file/d/0B8TAd-a2ErHUTW1vQmZFaUlIR2c

File bad-encryption-example.zip
CRC-32 abf46f0a
MD5 0bc6f947f49fb69395515447267424c1
SHA-1 33a044e41d77009bdb1965002fac55fd2b305325
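
The quick-format versus full-format difference 4144414d describes, as an added simulation that is not the poster's containers and not TrueCrypt code: a SHA-256 counter-mode keystream stands in for the real sector cipher, and the "old" plaintext, the key and the sector counts are constructed for the illustration. It shows why the old data in the unused sectors of a quick-formatted container can be carved out with no password at all, while a full format leaves nothing.

```python
import hashlib

SECTOR = 512
# Constructed "old" plaintext that was on the disk before the container was created
# (stands in for the screenshot 4144414d left in the quick-format container).
OLD_PLAINTEXT = b"SCREENSHOT-OF-FORUM-POST: what can be obtained from an encrypted hard drive?"
MARKER = b"SCREENSHOT-OF-FORUM-POST"

def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Stand-in per-sector cipher: SHA-256 in counter mode. NOT TrueCrypt's XTS mode."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt_sector(key: bytes, sector: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector, len(data))))

def make_disk(n_sectors: int) -> bytearray:
    """A disk region whose every sector still holds the old, never-encrypted file."""
    return bytearray(OLD_PLAINTEXT.ljust(SECTOR, b"\x00") * n_sectors)

def create_container(disk: bytearray, key: bytes, used_sectors: int, quick: bool) -> bytearray:
    """Quick format: only sectors that receive new files are overwritten with ciphertext.
    Full format: every sector is overwritten with ciphertext before any file is stored."""
    n = len(disk) // SECTOR
    if not quick:
        for s in range(n):
            disk[s * SECTOR:(s + 1) * SECTOR] = encrypt_sector(key, s, b"\x00" * SECTOR)
    for s in range(used_sectors):
        disk[s * SECTOR:(s + 1) * SECTOR] = encrypt_sector(key, s, b"NEW FILE".ljust(SECTOR, b"\x00"))
    return disk

def carve(disk: bytearray, marker: bytes = MARKER) -> int:
    """Sectors still carrying the old plaintext marker; no password is needed to find them."""
    return sum(1 for s in range(len(disk) // SECTOR) if marker in disk[s * SECTOR:(s + 1) * SECTOR])

def demo(quick: bool, n_sectors: int = 64, used: int = 8) -> int:
    key = hashlib.sha256(b"password").digest()  # constructed key from the post's 'password'
    return carve(create_container(make_disk(n_sectors), key, used, quick))

if __name__ == "__main__":
    print("quick format, sectors with old plaintext:", demo(True))   # 56
    print("full format,  sectors with old plaintext:", demo(False))  # 0
```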


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> Well, with all due respect :), I also happened to hear about flying pigs and donkeys, besides of course elephants… 😯
>
> IF a disk is properly and fully encrypted you can recover 0 data.
>
> Of course there may be tens of flawed encryption methods that specifically have a specific way out or workaround, that may have originated some legends.
>
> Residual magnetic energy (actually more generally "data remanence")
> https://en.wikipedia.org/wiki/Data_remanence
> is definitely "pure fantasy": all the real world experiments lead one to believe that there is no way to recover anything after a single wiping pass.
> IF there were some possibilities on very old hard disks, since the advent of perpendicular recording there are simply NO chances, JFYI:
> http://www.forensicfocus.com/Forums/viewtopic/t=9172/
>
> jaclaz

Your replies are a bit on the unfriendly side. I will assume that is just your style and you do mean to be helpful.

There are two reasons why I ask this

Firstly, I'm a beginner with a copy of EnCase and a few other forensic programs I'm learning my way around. I'm not a specialist police forensic examiner.

Second, I saw something in my local paper about a pedophile who was communicating with underage boys online. When they seized his hard drive it stated they found it was encrypted and set to self delete. I assumed as people have been quick to say in this thread that meant it was game over in terms of the hard drive unless they could get the password.

BUT it then went on to say that police specialists were able to recover enough evidence from the hard drive to prove he'd been communicating with underage people online and some images of CP.

Of course I'm pleased to hear that in this case, but I'm curious, from the forensic point of view, what could have happened here.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> Second, I saw something in my local paper about a pedophile who was communicating with underage boys online. When they seized his hard drive it stated they found it was encrypted and set to self delete.

This sounds as if it might refer to a HDD product with embedded encryption (such as the Hitachi BDE disks). Most can be configured to react to multiple failed authentication attempts by simply changing the bulk encryption keys, making the encrypted contents impossible to retrieve, unless there are some kind of back doors present.

Some office laptops come with these drives as options, and you may occasionally find second-hand or remaindered products that contain them, but typically without any password enabled, making them appear as unexpectedly slow hard drives. You can also buy them over the counter, as long as you know the product identification, or have a dealer who knows his products reasonably well.

You can also find similar functionality in pure software solutions. There has even been some discussion on whether LUKS (Linux encryption) should have a way to erase encryption keys, and so make contents permanently or temporarily unavailable. The Kali Linux distribution has an implementation – see for example https://www.kali.org/tutorials/nuke-kali-linux-luks/. This won't self-destruct – it requires a special password to trigger the key erasure – but it would be a fairly small matter of programming to add such a feature.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Your replies are a bit on the unfriendly side. I will assume that is just your style and you do mean to be helpful.

Not at all unfriendly, rest assured, I am a bit grumpy, but usually this is done for your own good.

By spending a few words providing the background (which you just did as a reaction to my remark, which means that it worked as intended) you transformed the "I heard", which is more than "vague", into something that makes sense :); you have now cleared up both the source of the information (your local newspaper) and why you are interested in the matter, because you are new to the field and want to learn about it.

Now, if you want to pursue this career, the first thing that you will need to learn is documenting your sources exactly and being very, very detailed about the assumptions (if any) you make.

BUT if this is all you have:

> Second, I saw something in my local paper about a pedophile who was communicating with underage boys online. When they seized his hard drive it stated they found it was encrypted and set to self delete. I assumed as people have been quick to say in this thread that meant it was game over in terms of the hard drive unless they could get the password.
>
> BUT it then went on to say that police specialists were able to recover enough evidence from the hard drive to prove he'd been communicating with underage people online and some images of CP.

you are introducing two implied assumptions:
1) that the Police declared the truth (what actually happened)
2) that your local journalist actually understood what the Police said and reported it accurately

Even with those assumptions, you do not have enough data. As hinted, it is entirely possible that for whatever reason the encryption wasn't set up properly, or that the Police was able to seize the computer "live", or that the specific manufacturer/model of either the computer or of the hard disk makes it possible to recover the encrypted data because of a specific flaw in the implementation of the encryption (be it hardware or software); there is no way to know for sure.

> Of course I'm pleased to hear that in this case but I'm curious about the forensic point of view what could have happened here.

If you want a guess: the encryption was not "integral" or "whole hard disk encryption", and some data (once the assumed self-deleting "trigger" was defused) were plainly available (i.e. not or never encrypted).

To actually "delete" ("self" or otherwise) takes TIME. When it comes to "deleting" we are actually talking about overwriting with values; even if an ATA Secure Erase was initiated, we are talking of tens of minutes, very likely more than one or two hours (depending on the hard disk size). So if the Police was so smart and quick as to cut the power to the hard disk before the deletion took place, they could well have partially recovered the contents of the hard disk.

On the other hand, if they had avoided the start of the self-deleting "feature" and broken the encryption, they would have recovered the data integrally.
As said, there is no known way to break a proper encryption scheme, and even if there was one, it would not work with partial data.

jaclaz


   