Re: [sleuthkit-users] dealing with whole disk encryption
From: Jan M. <jan...@nr...> - 2010-08-14 17:54:24
Hi Marc,

First of all, thanks for the reply. Yes, apparently there is some tool named SafeTech that they use.

Let me get this straight - you mean image to another identical drive, decrypt that, image it, work on the image? I'll have to find a disk, don't think SafeTech can decrypt images (or can it?).

Thanks again,
Jan

"Mark W. Jeanmougin" <ma...@gm...> wrote:
>Jan,
>
>The only times I've dealt with WDE has been in corporate cases.
>Someone in the IT department has always been able to provide a
>decryption routine. I've always imaged the original, encrypted drive,
>then done the decryption, then imaged that.
>
>If you've got the passwords for McAfee's SafeBoot, then I think I would:
>
>1. Image the encrypted drive.
>
>2. Run the decryption process.
>
>3. Image the plaintext drive.
>
>4. Work from a copy of the image made in #3.
>
>Does that answer your question?
>
>MJ
>
>
>On Sat, Aug 14, 2010 at 13:19, jan...@nr...
><jan...@nr...> wrote:
>> one question - is there any current canonical way of dealing with whole disk
>> encryption when acquiring images apart from using FTK or Encase? I'd like to
>> stick to Sleuthkit and Autopsy.
>>
>> The last time I had to manage hard disk encryption the system was still up
>> and accessible and I could image via FAU's dd.
>>
>> Now, I am facing a machine with a locked session and SafeBoot. Anyone have
>> any ideas or experience to share?
>>
>> Passwords are available.
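
Steps 1, 3 and 4 of the quoted procedure as a hash-verified shell workflow. This is an added example, not part of the original thread or of Sleuthkit. The function names, device names and file paths are assumptions, and the vendor decryption in step 2 is run on the drive between the two acquisitions and is not scripted here.

```shell
#!/usr/bin/env bash
# Added example: hash-verified imaging around a vendor decryption step.
# All function names and paths are hypothetical.

# sha256_of FILE_OR_DEVICE: print only the hex digest.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire SRC DST: image SRC to DST (steps 1 and 3), check that the image
# hashes the same as the source, record the digest in DST.sha256 and make
# the master image read-only.
acquire() {
    local src=$1 dst=$2 src_hash img_hash
    dd if="$src" of="$dst" bs=1048576 || return 1
    src_hash=$(sha256_of "$src") || return 1
    img_hash=$(sha256_of "$dst") || return 1
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch: $dst" >&2; return 1; }
    printf '%s  %s\n' "$img_hash" "$(basename "$dst")" > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
}

# working_copy MASTER COPY: step 4. Copy the master image and refuse the
# copy unless it matches the digest recorded at acquisition time.
working_copy() {
    local master=$1 copy=$2 want got
    want=$(awk '{print $1}' "$master.sha256") || return 1
    cp "$master" "$copy" && chmod u+w "$copy" || return 1
    got=$(sha256_of "$copy") || return 1
    [ "$want" = "$got" ] || { echo "working copy differs from master" >&2; return 1; }
}

# Intended order (device name is an assumption):
#   acquire /dev/sdX encrypted.dd      # step 1, before decryption
#   ... run the vendor decryption ...  # step 2, not scripted
#   acquire /dev/sdX plaintext.dd      # step 3, after decryption
#   working_copy plaintext.dd work.dd  # step 4, analyse work.dd only
```

Keeping `encrypted.dd` and its digest alongside `plaintext.dd` preserves a record of the drive as it was before the decryption process modified it.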