What is to stop you from imaging the encrypted disk, using the password to
unencrypt the image you made, then imaging that? It's an extra step or two,
but worth taking the time over. You can use a hard drive imager (logicube,
image master, etc) to do the imaging, which means you don't even have to
worry about boot processes until later.
TC
___________________________
Tobin Craig, MRSC, CISSP, SCERS
Program Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
801 I Street NW
Washington DC 20001
Tel: 202 565 7702
Fax: 202 565 7630
___________________________
-----Original Message-----
From: Bowes, Ronald (EST) [mailto:RBowes@gov.mb.ca]
Sent: Friday, October 01, 2004 3:02 PM
To: forensics@securityfocus.com
Subject: Encrypted Disks
We have to do a forensic investigation on a laptop who's harddrive is
encrypted with Utimaco's SafeGuard
(http://www.utimaco.com/content_products/sg_easy.html). We have the
password to get by the encryption at boot, but we don't want to actually
start it and contaminate data.
Does anybody know how we could get by this encryption and image the
unencrypted disk without contaminating any of the data?
Thanks,
Ron Bowes
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
