Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Encrypted Disks

from [Jim W] Network Security [Permanent Link]
Subject: RE: Encrypted Disks
Date: Mon, 04 Oct 2004 17:57:01 -0500

I agree with Joel about first making a forensic image of the raw encrypted drive and only working on the image. Because of the encryption I would use either DOS or Linux to try to avoid it's asking for the password.

Then I would connect the drive with the image as the second disk in a forensic system and boot from the primary disk. This should allow you to mount individual partitions from the image and not change/lose anything from it (which would happen if you booted from it).

Good luck and let us know what worked!

    Jim W
    LateralGroup

At 08:22 PM 10/4/2004 +0200, you wrote:

One (although not perfect) thought is to image the encrypted drive and then
perform a logical restore.  You can then logically boot the second hard
drive without fear of altering the original. This gives you a basic idea of
what the user was up to. If you have EnCase FIM or Enterprise, you can then
do a live image. If you don't have access to EnCase, you can do a logical
backup with dd (if Linux) or Windows Backup.

-----Original Message-----
From: Bowes, Ronald (EST) [mailto:RBowes@gov.mb.ca]
Sent: Friday, October 01, 2004 10:02 PM
To: forensics@securityfocus.com
Subject: Encrypted Disks


We have to do a forensic investigation on a laptop who's harddrive is
encrypted with Utimaco's  SafeGuard
(http://www.utimaco.com/content_products/sg_easy.html).  We have the
password to get by the encryption at boot, but we don't want to actually
start it and contaminate data.

Does anybody know how we could get by this encryption and image the
unencrypted disk without contaminating any of the data?

Thanks,
Ron Bowes


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.772 / Virus Database: 519 - Release Date: 10/1/2004


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.772 / Virus Database: 519 - Release Date: 10/1/2004



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Forensic Copy of Files off a CD..., Jason Coombs PivX Solutions
Next by Date:  Re: Encrypted Disks, KC Ferguson
Previous by Thread:  RE: Encrypted Disks, Joel A. Folkerts
Next by Thread:  Re: Encrypted Disks, KC Ferguson
Indexes:  [Date] [Thread] [Top] [All Lists]