One (although not perfect) thought is to image the encrypted drive and then
perform a logical restore. You can then logically boot the second hard
drive without fear of altering the original. This gives you a basic idea of
what the user was up to. If you have EnCase FIM or Enterprise, you can then
do a live image. If you don't have access to EnCase, you can do a logical
backup with dd (if Linux) or Windows Backup.
-----Original Message-----
From: Bowes, Ronald (EST) [mailto:RBowes@gov.mb.ca]
Sent: Friday, October 01, 2004 10:02 PM
To: forensics@securityfocus.com
Subject: Encrypted Disks
We have to do a forensic investigation on a laptop who's harddrive is
encrypted with Utimaco's SafeGuard
(http://www.utimaco.com/content_products/sg_easy.html). We have the
password to get by the encryption at boot, but we don't want to actually
start it and contaminate data.
Does anybody know how we could get by this encryption and image the
unencrypted disk without contaminating any of the data?
Thanks,
Ron Bowes
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.772 / Virus Database: 519 - Release Date: 10/1/2004
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.772 / Virus Database: 519 - Release Date: 10/1/2004
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
