Announcement

Collapse
No announcement yet.

Encrypted Drives

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Encrypted Drives

    Does, or will, OSForensics support encrypted drives? Will there be functionality available to, with a legitimate key, to decrypt aquired drives?

  • #2
    How is the drive encrypted? e.g. Truecrypt, BitLocker, hardware based, Symantec Endpoint Encryption, PGPDisk, FileVault, etc...

    But regardless of the encryption method used it is likely that you'll need to use the original encryption program (eg. Truecrypt) to first decrypt the drive, before an investigation can take place.

    Comment


    • #3
      They are using McAfee Endpoint Encryption for PCs.

      Is it considered forensically sound to decrypt before imaging? ( Genuine question )

      In EnC*se, you can take an image of an encrypted drive and then using their Decryption Suite with add-ons you can then decrypt the image, as long as you have the correct keys, leaving the original drive in it's original state.

      Comment


      • #4
        Check Point Endpoint Security (FDE)

        I have successfully mounted and imaged a laptop with Check Point End Point Security full disk encryption. I have also indexed a case for a quick look of the hard drive. I use the checkpoint Full Disk Encryption Dynamic Mount Utility to mount the drive. Then I started the process I want; image or index. However when you attempt to do the hash you may receive an error.

        Comment


        • #5
          Is it considered forensically sound to decrypt before imaging? ( Genuine question )
          At some point the decryption needs to take place, so there is no alternative to doing this. But, if time allows, I think it makes sense to image the encrypted drive before doing anything. Then if there is ever any questioning about if the decryption was done correctly or the correct functioning of the decryption tool, you can repeat the process.

          Comment

          Working...
          X