Does, or will, OSForensics support encrypted drives? Will there be functionality available to decrypt acquired drives, with a legitimate key?
Encrypted Drives
-
How is the drive encrypted? e.g. Truecrypt, BitLocker, hardware based, Symantec Endpoint Encryption, PGPDisk, FileVault, etc...
But regardless of the encryption method used, it is likely that you'll need to use the original encryption program (e.g. Truecrypt) to first decrypt the drive, before an investigation can take place.
-
They are using McAfee Endpoint Encryption for PCs.
Is it considered forensically sound to decrypt before imaging? (Genuine question)
In EnC*se, you can take an image of an encrypted drive and then, using their Decryption Suite with add-ons, decrypt the image, as long as you have the correct keys, leaving the original drive in its original state.
-
Check Point Endpoint Security (FDE)
I have successfully mounted and imaged a laptop with Check Point Endpoint Security full disk encryption. I have also indexed a case for a quick look at the hard drive. I use the Check Point Full Disk Encryption Dynamic Mount Utility to mount the drive. Then I start the process I want: image or index. However, when you attempt to do the hash, you may receive an error.