
Subject: RE: Encrypted Disks
Date: Tue, 5 Oct 2004 08:25:31 -0500

It seems that the majority of advice posted on and off the mailing list is to take an image of the drive directly, and work with the image. I'm unsure if that will work for two reasons:

a) The encryption software also does checksums, and I'm not sure if an image of the disk will still pass the checksums or not.
b) If an image of the disk decrypted could even be used as evidence, since it's not technically a real copy of the disk.

I think the Powers That Be decided it would be best to decrypt the original disk with the software and then turn it off/dd it, or to turn it on and do a hot-copy. Neither is incredibly appealing, but we think those are the best ways to ensure the disk is as good evidence as possible. Of course, we're going to document every change we make in our little notebook, so if it comes to that, we can tell them exactly what we did.

Thanks for all your advice, and I'll let you know how it turns out!

Ron Bowes

-----Original Message-----
From: Danny De Cock [mailto:godot@ace.ulyssis.org]
Sent: Tuesday, October 05, 2004 7:33 AM
To: Craig, Tobin
Cc: Bowes, Ronald (EST); forensics@securityfocus.com
Subject: RE: Encrypted Disks

On Tue, 5 Oct 2004, Craig, Tobin wrote:

> What is to stop you from imaging the encrypted disk, using the password to
> unencrypt the image you made, then imaging that? It's an extra step or two, but worth taking the time over. You can use a hard drive imager (logicube, image master, etc) to do the imaging, which means you don't even have to worry about boot processes until later.
>
> TC

the password which is asked for at boot time is not the password with which the hard disk data has been encrypted... it only gives access to the de/encryption keys... if you are given the password, I guess you should ask someone with crypto expertise to decrypt these keys (this requires an analysis of the safeguard documentation/code to see which method is used to encode the keys with the password), and subsequently to decrypt the hard disk data...

cu, danny.

--
expert in just too late deliveries and applied cryptography
mail: decockd:at:esat:dot:kuleuven:dot:ac:dot:be
      godot:at:advalvas:dot:be
      godot:at:godot:dot:be
web:  http://godot.be
      http://godot.studentenweb.org
      http://www.esat.kuleuven.ac.be/~decockd

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
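Danny's point, that the boot password only unlocks the data keys rather than encrypting the sectors itself, as a toy key-hierarchy model added here (example code, not from the thread or from any real disk-encryption product; the HMAC-keystream "cipher", the header fields and the function names are all constructed for illustration). It shows why an image of the encrypted volume stays decryptable with the recovered data key, why changing the passphrase leaves the encrypted body and its hash untouched, and how a wrong passphrase is detected instead of silently yielding garbage.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy stream cipher: XOR with an HMAC-SHA256 keystream. Good enough to show the
# key hierarchy; it is NOT a real cipher and must not protect real data.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # The boot passphrase never touches sector data: it only yields a key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def make_volume(passphrase: str, dek: bytes, plaintext: bytes) -> dict:
    salt, wrap_nonce, data_nonce = os.urandom(16), os.urandom(16), os.urandom(16)
    kek = derive_kek(passphrase, salt)
    return {
        "salt": salt, "wrap_nonce": wrap_nonce,
        "wrapped_dek": xor_stream(kek, wrap_nonce, dek),            # header: DEK wrapped under KEK
        "dek_check": hmac.new(kek, dek, hashlib.sha256).digest(),  # header: detects a wrong passphrase
        "data_nonce": data_nonce,
        "body": xor_stream(dek, data_nonce, plaintext),            # sector data, keyed by the DEK only
    }

def unwrap_dek(vol: dict, passphrase: str) -> Optional[bytes]:
    kek = derive_kek(passphrase, vol["salt"])
    dek = xor_stream(kek, vol["wrap_nonce"], vol["wrapped_dek"])
    expected = hmac.new(kek, dek, hashlib.sha256).digest()
    return dek if hmac.compare_digest(vol["dek_check"], expected) else None

def decrypt_body(vol: dict, dek: bytes) -> bytes:
    return xor_stream(dek, vol["data_nonce"], vol["body"])

def change_passphrase(vol: dict, old: str, new: str) -> dict:
    # Rewrapping the DEK rewrites only the header; the encrypted body (and its hash) is unchanged.
    dek = unwrap_dek(vol, old)
    if dek is None:
        raise ValueError("wrong passphrase")
    salt, wrap_nonce = os.urandom(16), os.urandom(16)
    kek = derive_kek(new, salt)
    return {**vol, "salt": salt, "wrap_nonce": wrap_nonce,
            "wrapped_dek": xor_stream(kek, wrap_nonce, dek),
            "dek_check": hmac.new(kek, dek, hashlib.sha256).digest()}

def body_hash(vol: dict) -> str:
    return hashlib.sha256(vol["body"]).hexdigest()
```

For an examiner this is the split that matters: hash the acquired image as-is, recover the DEK from the header with the passphrase, and decrypt a working copy, so the original image's hash never has to change.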