Encrypted drives

  

hogfly
Senior Member
 

Encrypted drives

Post Posted: Jul 17, 09 02:29

As a matter of methodology... does anyone encrypt their target drives or acquired images?
 
  

kovar
Senior Member
 

Re: Encrypted drives

Post Posted: Jul 17, 09 03:29

Greetings,

I generally wipe my acquisition drives, fill each one 99% full with a TrueCrypt volume, and acquire into the TrueCrypt volume. The remaining 1% is for putting unencrypted notes on the drive.

This approach will not work with hardware imagers. I use a ThinkPad or MacBook Pro with an eSATA card and an eSATA-SATA writeblocker running EnCase to do most of my acquisitions.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

hogfly
Senior Member
 

Re: Encrypted drives

Post Posted: Jul 17, 09 04:58

David,
Would you say that it is industry standard to encrypt?
Do you think your acquisition/processing times are impacted?  
 
  

kovar
Senior Member
 

Re: Encrypted drives

Post Posted: Jul 17, 09 05:10

Greetings,

I don't think I am in a position to say if it is an industry standard or not. However, due to regulation, bad publicity, and lawsuits, corporations are certainly getting more careful about transporting data in the clear. But if a corporation is doing acquisitions internally and the drives are never going off site, they may decide not to use encrypted media. How many people in the industry are doing acquisitions and then transporting the images outside of the building or network?

There is certainly more prep time required using software-encrypted drives, though this can be addressed by preparing drives while equipment is otherwise idle. There is a performance hit, although likely small, and much smaller than encrypting the images using EnCase during the acquisition.

Another issue is that this method will not work with hardware imaging solutions, so you have fewer imaging options.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

echo6
Senior Member
 

Re: Encrypted drives

Post Posted: Jul 17, 09 21:12

- hogfly
Would you say that it is industry standard to encrypt?
Do you think your acquisition/processing times are impacted?


The thing I like about TrueCrypt is:
1) It is open source
2) It is supported on Windows, Mac and Linux.

Hmm, I've never really tested it on acquisition/processing times. I have LUKS on my Linux laptop and FreeOTFE is supposed to support LUKS. I hate having to be tied to any one OS when I need to access the data. TBH on the Operating Systems I have utilised FDE I can't say I've really noticed a performance hit.

I'm beginning to see a lot of organisations insisting upon encryption for laptops and removable media. As for using it for protecting forensic images, can't say I see many doing it but you do raise an interesting point.

In some circumstances it may not be appropriate or feasible during acquisition, e.g. live data collection.  
 
  

gkelley
Senior Member
 

Re: Encrypted drives

Post Posted: Jul 23, 09 22:59

Very interesting question. We do the majority of our imaging using Voom Hardcopy devices as they provide speed that our clients usually want. In some situations we use a boot disk like Helix.

Use of encryption would render the Hardcopy devices unusable. I would think that similar devices such as Logicube's devices would be put in the same situation.
_________________
Greg Kelley, EnCE, DFCP
Vestige, Ltd
www.vestigeltd.com 
 
  

hogfly
Senior Member
 

Re: Encrypted drives

Post Posted: Jul 24, 09 00:47

@echo6: Agreed it is a good solution, though very time consuming. As David points out, it adds quite a bit of overhead in drive preparation.

Greg - Great points. Hardware duplicators are rendered useless - except for the Solo III - ICS sells a hardware-level disk cypher unit.

The thing I keep coming back to is chain of custody versus encryption. Is anyone willing to bet their chain of custody will always be 100%? What about in states (for those in the US, that is) that have data encryption laws?
 

Page 1 of 3