RE: Encrypted Disks

Subject: RE: Encrypted Disks
Date: Fri, 8 Oct 2004 01:49:42 +0200
To respond to your concerns directly - 
  a) The image is a bit-for-bit copy of the original hard drive so the
encryption software will have no idea it is running on a different system. 

  b) It *is* technically a real copy of the data - it's an image...

At the end of the day, you have to do what you have to do to get the data.
I've come across similar challenges with great success in convincing the
jurors the practices were sound.
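Two points from this thread are worth seeing in working code: the boot password protects a wrapped data-encryption key rather than the data itself (Danny's point), and a bit-for-bit image of an encrypted volume passes the software's own integrity check and decrypts exactly like the source (points a and b above). The block below is an added illustration, not code from any poster or from any real disk-encryption product. It models a toy full-disk-encryption container with the Python standard library only: the "cipher" is a SHA-256 counter keystream chosen purely so the example runs without third-party packages, and the container layout (magic, salt, nonce, wrapped key, HMAC tag, body) is invented for the example.

```python
"""Toy full-disk-encryption container (illustrative only, not a real product).

Models the two points from the thread:
  * the boot password derives a key-encryption key (KEK) that unwraps the
    data-encryption key (DEK); the password never encrypts the data itself;
  * an image that is byte-for-byte identical to the source hashes the same,
    passes the volume's integrity check, and decrypts identically.
The keystream is SHA-256 in counter mode, used only so the example runs with
the standard library. It is NOT AES and must not be reused as a cipher.
"""
import hashlib
import hmac
import os

HEADER_MAGIC = b"TOYFDE01"   # constructed magic value for this toy format
PBKDF2_ITERS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key. The KEK only ever touches the DEK."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def create_volume(password: str, plaintext: bytes, rng=os.urandom) -> bytes:
    """Build a volume: header (magic|salt|nonce|wrapped DEK) | HMAC tag | body."""
    salt, nonce, dek = rng(16), rng(16), rng(32)
    kek = _derive_kek(password, salt)
    wrapped_dek = _xor(dek, _keystream(kek, b"wrap" + nonce, 32))
    body = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    header = HEADER_MAGIC + salt + nonce + wrapped_dek        # 72 bytes
    tag = hmac.new(dek, header + body, "sha256").digest()    # 32 bytes
    return header + tag + body


def open_volume(image: bytes, password: str) -> bytes:
    """Unlock like the boot prompt would: unwrap the DEK, verify, decrypt.

    Raises ValueError if the password is wrong or the volume was modified;
    a faithful image raises nothing, because nothing in it differs."""
    if image[:8] != HEADER_MAGIC:
        raise ValueError("not a toy FDE volume")
    salt, nonce = image[8:24], image[24:40]
    wrapped_dek, tag, body = image[40:72], image[72:104], image[104:]
    kek = _derive_kek(password, salt)
    dek = _xor(wrapped_dek, _keystream(kek, b"wrap" + nonce, 32))
    expected = hmac.new(dek, image[:72] + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong password or modified volume")
    return _xor(body, _keystream(dek, nonce, len(body)))


def image_matches(original: bytes, image: bytes) -> bool:
    """The acquisition check an examiner records: identical SHA-256 digests."""
    return hashlib.sha256(original).hexdigest() == hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    secret = b"constructed sample plaintext standing in for disk contents"
    volume = create_volume("correct horse", secret)
    image = bytes(volume)   # stands in for a dd / hardware-imager copy
    print("image hash matches source:", image_matches(volume, image))
    print("decrypted from the image :", open_volume(image, "correct horse"))
```

Running the block shows the image verifying and decrypting exactly as the source would; feeding `open_volume` a copy with even one byte changed, or the wrong password, fails the HMAC check, which is the behaviour a hot-copy or an edited original would risk and a verified image avoids.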

-----Original Message-----
From: Bowes, Ronald (EST) [mailto:RBowes@gov.mb.ca] 
Sent: Tuesday, October 05, 2004 3:26 PM
To: forensics@securityfocus.com
Subject: RE: Encrypted Disks


It seems that the majority of advice posted on and off the mailing list is
to take an image of the drive directly, and work with the image.  I'm unsure
if that will work for two reasons:
a) The encryption software also does checksums, and I'm not sure if an image
of the disk will still pass the checksums or not
b) If an image of the disk decrypted could even be used as evidence, since
it's not technically a real copy of the disk.

I think the Powers That Be decided it would be best to decrypt the original
disk with the software and then turn it off/dd it, or to turn it on and do a
hot-copy.  Neither is incredibly appealing, but we think those are the best
ways to ensure the disk is as good evidence as possible.  Of course,
we're going to document every change we make in our little notebook, so if
it comes to that, we can tell them exactly what we did.

Thanks for all your advice, and I'll let you know how it turns out!

Ron Bowes

-----Original Message-----
From: Danny De Cock [mailto:godot@ace.ulyssis.org] 
Sent: Tuesday, October 05, 2004 7:33 AM
To: Craig, Tobin
Cc: Bowes, Ronald (EST); forensics@securityfocus.com
Subject: RE: Encrypted Disks

On Tue, 5 Oct 2004, Craig, Tobin wrote:

> What is to stop you from imaging the encrypted disk, using the
> password to

the password which is asked for at boot time is not the password with 
which the hard disk data has been encrypted...

it only gives access to the de/encryption keys...

if you are given the password, I guess you should ask someone with crypto 
expertise to decrypt these keys (this requires an analysis of the 
safeguard documentation/code to see which method is used to encode the 
keys with the password), and subsequently to decrypt the hard disk data...

cu, danny.

> unencrypt the image you made, then imaging that?  It's an extra step
> or two, but worth taking the time over.  You can use a hard drive imager
> (logicube, image master, etc) to do the imaging, which means you don't
> even have to worry about boot processes until later.
>
> TC

-----------------------------------------------------------------------------
expert in just too late deliveries and applied cryptography
-----------------------------------------------------------------------------
mail: decockd:at:esat:dot:kuleuven:dot:ac:dot:be    http://godot.be
      godot:at:advalvas:dot:be                      http://godot.studentenweb.org
      godot:at:godot:dot:be      web: http://www.esat.kuleuven.ac.be/~decockd

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
