RE: Encrypted Disks

Subject: RE: Encrypted Disks
Date: Mon, 11 Oct 2004 12:42:25 -0400
We agree on that, George.  That's exactly what I'm saying....don't boot
the drive and try to decrypt it....if he does that, at best he's
modified the evidence and at worst, he screws it up and destroys
everything.  We're arguing on the same side on this one.

-----Original Message-----
From: George M. Garner Jr. [mailto:gmgarner@erols.com] 
Sent: Thursday, October 07, 2004 2:29 PM
To: 'Bowes, Ronald (EST)'
Cc: forensics@securityfocus.com
Subject: RE: Encrypted Disks


Jerry,

From the previous discussion I am assuming that the laptop already is
powered down.  In that case, the prudent course of action is indeed to
"image" the encrypted drive and work from a copy, or better from a copy
of the copy.  I would not power the laptop back up with the drive in its
bay except under truly exceptional circumstances.  Once you take that
step you have passed a point of no return.

> a) The encryption software also does checksums, and I'm not sure if an
> image of the disk will still pass the checksums or not

From an imaging tool's perspective an encrypted drive is no different
than an unencrypted drive (assuming that Ultimaco does not modify the
firmware on the hard drive).  An imaging tool simply copies raw
un-interpreted bytes from one location to another.  If the imaging tool
works then the checksums should match.

Of course it is always possible that Ultimaco's software looks at the
bios information on the drive firmware to verify that the information
has not been copied from the original drive.  (That would be truly
clever.)  However, the drive bios information is simply a piece of
software configuration stored in the drive's memory.  You can change it
with the appropriate tools and the drive's manufacturer should be able
to help you out in that regard.  If you obtain another drive of the same
make and model you should be able to make it look like the original
drive as far as Ultimaco's software is concerned.

I notice that Ultimaco has an "Easy bootable rescue image" posted on
their web site.  While they do not state what operating system it uses
it is almost certainly one for which there already is imaging software
available.  Perhaps you can image the encrypted drive, restore the image
to a drive of the same make and model, etc., add imaging software to
Ultimaco's "Easy bootable rescue image" and use the modified rescue disk
to decrypt and copy the restored image.  That way if something goes
wrong you can always make another copy and try again.

Ultimaco's software is available.  Make an encrypted disk of your own
using Ultimaco's product and test proposed acquisition methods.  If a
method is found to alter the original in some respect, document what
those changes are and relate them to the question that you are trying
to determine.  Even if a method is found to alter the original in some
respect, the changes may not be material to the issue sub judice.  Even
if the changes are found to be material, you may be able to validate
your inferences using other evidence gathered in a different way.

The worst thing from an evidentiary perspective is not to know what you
have.  As long as your methods are well-thought-out, well-documented and
well-tested the trier of fact will be in a position to sort fact from
fiction and to give your evidence its proper weight.

The best evidence rule is not an impossible evidence rule.  Interpreting
the rule otherwise would result in every terrorist or drug dealer on the
globe using Ultimaco's software.

Regards,

George.
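Two of George's points above, that a raw imager copying un-interpreted bytes should yield matching checksums, and that a proposed acquisition method should be tried on a self-made encrypted disk with every change documented, can be checked mechanically. The script below is an added example, not code from this thread or from Ultimaco: it hashes a baseline image and a post-procedure copy and lists exactly which sectors differ, so a clean copy verifies as identical and a booted one yields a documented list of altered sectors. All function names are this example's own; the disk contents are constructed pseudo-random data standing in for an encrypted volume, and hash_file is the variant you would point at a real image file or block device.

```python
import hashlib
import random

SECTOR_SIZE = 512  # classic sector size; the logic is unchanged for 4096-byte sectors


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an image held in memory (see hash_file for device-sized inputs)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """Chunked SHA-256 of a raw image file or block device; multi-GB inputs need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def changed_sectors(original: bytes, copy: bytes, sector: int = SECTOR_SIZE) -> list:
    """Indices of sectors whose bytes differ, compared over the common length only."""
    n = min(len(original), len(copy))
    return [s // sector for s in range(0, n, sector)
            if original[s:min(s + sector, n)] != copy[s:min(s + sector, n)]]


def acquisition_report(original: bytes, copy: bytes) -> dict:
    """Document exactly how a post-procedure image differs from the pre-procedure baseline."""
    report = {"sha256_original": sha256_hex(original), "sha256_copy": sha256_hex(copy),
              "size_original": len(original), "size_copy": len(copy),
              "changed_sectors": changed_sectors(original, copy)}
    # "identical" requires equal length and equal hash: an empty changed-sector list alone
    # is not enough, because a truncated copy compares clean over the bytes it does have.
    report["identical"] = (len(original) == len(copy)
                           and report["sha256_original"] == report["sha256_copy"])
    return report


def make_test_images(sectors: int = 16, seed: int = 2004):
    """Constructed sample data (not a real disk): a pseudo-random 'encrypted' volume and a
    copy of it that was booted, which rewrote a counter in sector 0 and a record in sector 9."""
    rng = random.Random(seed)
    original = bytes(rng.getrandbits(8) for _ in range(sectors * SECTOR_SIZE))
    booted = bytearray(original)
    booted[0:8] = b"BOOTCNT1"
    booted[9 * SECTOR_SIZE:9 * SECTOR_SIZE + 16] = bytes(16)
    return original, bytes(booted)
```

Run acquisition_report(baseline, candidate) once per acquisition method under test; the changed_sectors list is the record to relate to the question at issue.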


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


