
Encrypted drives

18 Posts
8 Users
0 Likes
1,144 Views
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

As a matter of methodology... does anyone encrypt their target drives or acquired images?

 
Posted : 17/07/2009 2:29 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

I generally wipe my acquisition drives, fill them 99% full with a TrueCrypt volume, and acquire into the TrueCrypt volume. The remaining 1% is for putting unencrypted notes on the drive.

This approach will not work with hardware imagers. I use a ThinkPad or MacBook Pro with an eSATA card and an eSATA-SATA writeblocker running EnCase to do most of my acquisitions.

-David

 
Posted : 17/07/2009 3:29 am
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

David,
Would you say that it is industry standard to encrypt?
Do you think your acquisition/processing times are impacted?

 
Posted : 17/07/2009 4:58 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

I don't think I am in a position to say if it is an industry standard or not. However, due to regulation, bad publicity, and lawsuits, corporations are certainly getting more careful about transporting data in the clear. But if a corporation is doing acquisitions internally and the drives are never going off site, they may decide not to use encrypted media. How many people in the industry are doing acquisitions and then transporting the images outside of the building or network?

There is certainly more prep time required using software encrypted drives though this can be addressed by preparing drives while equipment is otherwise idle. There is a performance hit, although likely small, and much smaller than encrypting the images using EnCase during the acquisition.

Another issue is that this method will not work with hardware imaging solutions so you have fewer imaging options.

-David

 
Posted : 17/07/2009 5:10 am
(@echo6)
Posts: 87
Trusted Member
 

> Would you say that it is industry standard to encrypt?
> Do you think your acquisition/processing times are impacted?

The thing I like about TrueCrypt is:
1) It is open source
2) It is supported on Windows, Mac and Linux.

Hmm, I've never really tested it on acquisition/processing times. I have LUKS on my Linux laptop and FreeOTFE is supposed to support LUKS. I hate having to be tied to any one OS when I need to access the data. TBH on the Operating Systems I have utilised FDE I can't say I've really noticed a performance hit.

I'm beginning to see a lot of organisations insisting upon encryption for laptops and removable media. As for using it for protecting forensic images, can't say I see many doing it, but you do raise an interesting point.

In some circumstances it may not be appropriate or feasible during acquisition, e.g. live data collection.

 
Posted : 17/07/2009 9:12 pm
(@gkelley)
Posts: 128
Estimable Member
 

Very interesting question. We do the majority of our imaging using Voom Hardcopy devices as they provide speed that our clients usually want. In some situations we use a boot disk like Helix.

Use of encryption would render the Hardcopy devices unusable. I would think that similar devices such as Logicube's devices would be put in the same situation.

 
Posted : 23/07/2009 10:59 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

@echo6 Agreed it is a good solution, though very time consuming. As David points out, it adds quite a bit of overhead in drive preparation.

Greg - Great points. Hardware duplicators are rendered useless - except for the Solo III - ICS sells a hardware-level disk cypher unit.

The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?

 
Posted : 24/07/2009 12:47 am
CdtDelta
(@cdtdelta)
Posts: 134
Estimable Member
 

So just so I'm clear, are you talking about encrypting them while you are acquiring or afterwards?

 
Posted : 24/07/2009 1:51 am
(@ronanmagee)
Posts: 145
Estimable Member
 

> The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?

Chain of custody may be one thing, but if you're travelling globally and don't have data encrypted it may be inspected by airport staff - just check out the advisory for Saudi Arabia here. I'm not sure how you record that one on the chain of custody, especially if they confiscate the drive.

 
Posted : 24/07/2009 4:12 am
(@gkelley)
Posts: 128
Estimable Member
 

> Greg - Great points. Hardware duplicators are rendered useless - except for the Solo III - ICS sells a hardware-level disk cypher unit.

Forgot about that one, thanks for the reminder.

> The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?

What specific encryption laws are you talking about? With respect to chain of custody, are you talking about being able to state that the data hasn't been altered or that the data hasn't leaked? With the former, that is done through documentation and verification of hashes. With the latter, it is more difficult, but we prevent leakage with strict rules regarding transportation of the data as well as where it is stored - in a controlled access room within our offices.

I do think, though, that encryption is something that the industry needs to start considering.

 
Posted : 24/07/2009 4:45 am
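Two checks from the workflow discussed in this thread, written as an added example that is not code from any poster: David's preparation step (the acquisition drive is wiped before the TrueCrypt volume is created on it) and Greg's point that "data hasn't been altered" is proven by recording and verifying hashes. Creating the encrypted volume itself is left to TrueCrypt/LUKS; the functions below only verify the wipe and maintain a hash record. All file names, the JSON record layout and the sample contents are constructed for the example and are not evidence data.

```python
"""Added example (not from the thread): verify an acquisition drive is fully
wiped before an encrypted volume is created on it, and record/verify image
hashes so the chain-of-custody record proves the image is unaltered."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte devices


def verify_wiped(path, chunk=CHUNK):
    """Return (True, None) if every byte of the device/file is zero,
    otherwise (False, offset_of_first_nonzero_byte) for the examiner's notes."""
    zero = bytes(chunk)
    offset = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                return True, None
            if buf != zero[: len(buf)]:
                for i, b in enumerate(buf):
                    if b:
                        return False, offset + i
            offset += len(buf)


def hash_image(path, algos=("md5", "sha256"), chunk=CHUNK):
    """Hash a file once, feeding every configured algorithm from the same read."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(buf)
    return {a: h.hexdigest() for a, h in hashers.items()}


def record_custody(image_path, record_path, examiner):
    """Write the hypothetical custody record (constructed layout) next to the image."""
    record = {
        "image": os.path.basename(image_path),
        "examiner": examiner,
        "size": os.path.getsize(image_path),
        "hashes": hash_image(image_path),
    }
    with open(record_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_custody(image_path, record_path):
    """Re-hash the image with the algorithms named in the record and compare."""
    with open(record_path) as fh:
        record = json.load(fh)
    return hash_image(image_path, tuple(record["hashes"])) == record["hashes"]


def make_samples():
    """Constructed sample data: a zeroed 'drive', a 'drive' with one stray
    byte at offset 4096, and a tiny 'image' whose content is b'abc'."""
    d = tempfile.mkdtemp(prefix="acq_")
    paths = {k: os.path.join(d, v) for k, v in
             {"wiped": "wiped.bin", "dirty": "dirty.bin", "image": "evidence_001.dd"}.items()}
    with open(paths["wiped"], "wb") as fh:
        fh.write(bytes(3 * CHUNK + 12345))  # three full chunks plus a partial one
    dirty = bytearray(CHUNK)
    dirty[4096] = 0x41
    with open(paths["dirty"], "wb") as fh:
        fh.write(dirty)
    with open(paths["image"], "wb") as fh:
        fh.write(b"abc")
    return paths


def demo():
    """Run both checks on the constructed samples and return the outcomes."""
    s = make_samples()
    record_path = os.path.join(os.path.dirname(s["image"]), "custody.json")
    results = {"wiped_ok": verify_wiped(s["wiped"]), "dirty_ok": verify_wiped(s["dirty"])}
    record_custody(s["image"], record_path, "examiner A")
    results["verify_before"] = verify_custody(s["image"], record_path)
    with open(s["image"], "r+b") as fh:  # simulate a single altered byte
        fh.seek(1)
        fh.write(b"X")
    results["verify_after"] = verify_custody(s["image"], record_path)
    return results


if __name__ == "__main__":
    print(demo())
```

The wipe check is meant to be run against the raw device (for example the block device the writeblocker exposes) before the TrueCrypt volume is created; the hash record is written inside the encrypted volume alongside the image, and the 1% unencrypted area David mentions is a reasonable place for a second copy of the record so custody can be re-verified without mounting the volume.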
Page 1 / 2