
RE: Encrypted Disks

Subject: RE: Encrypted Disks
Date: Thu, 7 Oct 2004 11:24:53 -0400
Slightly related to this, is anyone aware if IDE Batch clone machines change
the information in any way? We use one at work to batch image drives and I
was wondering if from a forensic standpoint, this would be an effective tool
to use. It's far quicker than imaging a drive attached to a working box, I
find.

-----Original Message-----
From: Jerry Shenk [mailto:jshenk@decommunications.com] 
Sent: Wednesday, October 06, 2004 5:14 PM
To: 'Bowes, Ronald (EST)'; forensics@securityfocus.com
Subject: RE: Encrypted Disks

If you don't image the disk first, people could argue that the testing
can't be duplicated and therefore, your method is unverifiable.  You may
be able to get what you need to prove a case but you're taking a big
risk.  Another serious problem is that you really don't know what you're
doing with the encryption...not knocking you, I wouldn't know either.
If you work with the original, you have no way to verify that you're
'doing it right'.  

Even if you want to do it the way the "powers that be" insist on, you
STILL should image it first.  That way, you can always dump the image
back to an identical drive and duplicate your decryption steps.  Then
you have a copy of the original.

....and maybe this is all too late;)

One parting shot....imaging the drive is only gonna take a couple hours
and it at least buys you some insurance.

-----Original Message-----
From: Bowes, Ronald (EST) [mailto:RBowes@gov.mb.ca] 
Sent: Tuesday, October 05, 2004 9:26 AM
To: forensics@securityfocus.com
Subject: RE: Encrypted Disks


It seems that the majority of advice posted on and off the mailing list
is to take an image of the drive directly, and work with the image.  I'm
unsure if that will work for two reasons:
a) The encryption software also does checksums, and I'm not sure if an
image of the disk will still pass the checksums or not
b) If an image of the disk decrypted could even be used as evidence,
since it's not technically a real copy of the disk.

I think the Powers That Be decided it would be best to decrypt the
original disk with the software and then turn it off/dd it, or to turn
it on and do a hot-copy.  Neither is incredibly appealing, but we think
those are the best ways to ensure the disk is as good evidence as
possible.  Of course, we're going to document every change we make to
our little notebook, so if it comes to that, we can tell them exactly
what we did.

Thanks for all your advice, and I'll let you know how it turns out!

Ron Bowes

-----Original Message-----
From: Danny De Cock [mailto:godot@ace.ulyssis.org] 
Sent: Tuesday, October 05, 2004 7:33 AM
To: Craig, Tobin
Cc: Bowes, Ronald (EST); forensics@securityfocus.com
Subject: RE: Encrypted Disks

On Tue, 5 Oct 2004, Craig, Tobin wrote:

What is to stop you from imaging the encrypted disk, using the
password to

the password which is asked for at boot time is not the password with
which the hard disk data has been encrypted...

it only gives access to the de/encryption keys...

if you are given the password, I guess you should ask someone with
crypto expertise to decrypt these keys (this requires an analysis of the
safeguard documentation/code to see which method is used to encode the
keys with the password), and subsequently to decrypt the hard disk
data...

cu, danny.

unencrypt the image you made, then imaging that?  It's an extra step
or two, but worth taking the time over.  You can use a hard drive imager
(logicube, image master, etc) to do the imaging, which means you don't
even have to worry about boot processes until later.

TC

-----------------------------------------------------------------------------
expert in just too late deliveries and applied cryptography
-----------------------------------------------------------------------------
mail: decockd:at:esat:dot:kuleuven:dot:ac:dot:be
      godot:at:advalvas:dot:be
      godot:at:godot:dot:be
web:  http://godot.be
      http://godot.studentenweb.org
      http://www.esat.kuleuven.ac.be/~decockd

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
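The question at the top of the thread (does a batch cloner change anything?) and the image-first advice below it both come down to one check: is the copy bit-identical to the source, and if not, where does it differ? The following is an added example, not code from any poster on this list; it hashes a source image and its clone in lock-step, reports the first differing sector, and separately reports trailing bytes a clone on a larger drive may carry. The file names and the sample "drives" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so whole-drive images do not need to fit in RAM

def compare_images(src, dst, sector=512):
    """Verify a clone (dst) against its source (src) byte for byte. Reports SHA-256 of
    both, the offset of the first differing sector (None if none) and any trailing bytes
    the clone carries beyond the source (reported, not counted as corruption)."""
    h_src, h_dst = hashlib.sha256(), hashlib.sha256()
    first_diff, offset = None, 0
    with open(src, "rb") as a, open(dst, "rb") as b:
        while True:
            x = a.read(CHUNK)
            if not x:
                break
            y = b.read(len(x))  # shorter than x if the clone is truncated
            h_src.update(x)
            h_dst.update(y)
            if first_diff is None and x != y:
                # pin down the first sector in this chunk that differs or is missing
                for i in range(0, len(x), sector):
                    if x[i:i + sector] != y[i:i + sector]:
                        first_diff = offset + i
                        break
            offset += len(x)
    dst_size = os.path.getsize(dst)
    return {"src_sha256": h_src.hexdigest(), "dst_prefix_sha256": h_dst.hexdigest(),
            "src_size": offset, "dst_size": dst_size, "first_diff_offset": first_diff,
            "trailing_bytes": max(dst_size - offset, 0),
            "identical": first_diff is None and dst_size == offset}

def demo():
    """Run the check on constructed sample 'drives' written to a temp dir (not real evidence)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "source.img")
    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors of constructed content
    with open(src, "wb") as f:
        f.write(data)
    cases = {"exact": data,                                   # faithful clone
             "flipped": data[:1500] + b"\xff" + data[1501:],  # one byte altered in sector 2
             "padded": data + b"\x00" * 512}                  # clone onto a larger drive
    results = {}
    for name, content in cases.items():
        dst = os.path.join(d, name + ".img")
        with open(dst, "wb") as f:
            f.write(content)
        results[name] = compare_images(src, dst)
    return results
```

Run against a real source and clone by calling compare_images with the two device or image paths; a non-None first_diff_offset is the sector to inspect, and a matching prefix hash with non-zero trailing_bytes means the cloner copied faithfully onto a larger drive.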