A while back, I posted about EnCase and PointSec — “Encase and PointSec – I’m Not Feeling the Love”. I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption which involved the use of VMware and a virtual image of the encrypted drive.
Since that post, it appears that the latest version of VMware no longer natively recognizes a raw disk image. That means the process I outlined in the previous blog will not always work. I have had limited success using an application called “LiveView” to convert a raw image to a VMDK file.
While I am sure there are other virtual tools, the fact is that my previous procedure takes WAY too much time, anyway. So, I am making a case here for decrypting the original drive in the original hardware, when available. Now before everyone starts screaming about evidence integrity, let’s take a look at what I am proposing:
First, consider that the decryption process – while it changes every bit on the drive – really does not alter any of the original data OR METADATA during the process. To decrypt, here is the procedure:
1. Create a bootable floppy disk using the recovery file. The floppy will contain a decryption application built for the specific drive being decrypted.
2. Verify that the boot order goes to the floppy drive first.
3. Boot from the floppy, enter the requested ID and password, and follow the prompts.
4. The drive is decrypted but does not reboot automatically.
5. After decryption, shut down and image the decrypted drive using normal imaging tools and processes.
I submit that this process, as long as it is well documented and followed carefully, will provide the investigator with the drive exactly as it was the last time the user touched it, with the one exception that it has been decrypted. Every file will be just as it was, including the MAC times and other metadata. The unallocated space will be as the user left it. It is a win/win. And until PointSec (Checkpoint) and EnCase (Guidance Software) learn how to work things out, this is an easier process than one requiring imaging, then a virtual machine decryption, and another acquisition.
Of course, if one does not have the administrative password and the recovery file, then there are other issues to deal with. But as long as we are working in an organization that controls administrative access to PointSec encryption so that we have access to the administrative IDs and passwords, we are home free.
An image could be taken of the drive previous to decryption, although I am not convinced that has any value if we are going to be working with the decrypted drive from that point forward. It seems to me to be of more value to hash and image the drive after it is decrypted, then work – as always – with the image, not the original drive.
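Step 5 of the procedure and the hash-then-image point above, as an added shell example that is not from the original post: it images the decrypted drive with dd, hashes the drive and the image with SHA-256, and appends the record to a case log so the acquisition is documented. It assumes a POSIX host with dd and sha256sum; /dev/sdX and the evidence paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): acquire the drive after in-place
# PointSec decryption, hash both sides, and log the result for the case file.
# Assumes a POSIX host with dd and sha256sum. Attach the decrypted drive through
# a hardware write blocker; /dev/sdX and the paths below are placeholders.

# image_and_verify SRC DST LOG
# Images SRC to DST with dd, hashes source and image with SHA-256, and appends
# a timestamped record to LOG. Returns 0 when the hashes match, 1 when they do
# not, and 2 when dd itself failed (a read error stops dd, so a partial image
# is never reported as verified).
image_and_verify() {
    src=$1; dst=$2; log=$3

    # dd's own summary (records in/out, bytes copied) goes into the log too.
    if ! dd if="$src" of="$dst" bs=1048576 2>>"$log"; then
        echo "acquire=FAILED source=$src image=$dst" >>"$log"
        return 2
    fi

    # Matching digests show the image is a bit-for-bit copy of the drive as it
    # stood after decryption; all later work is done on the image, not the drive.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)

    if [ "$src_hash" = "$dst_hash" ]; then
        verdict=OK
    else
        verdict=MISMATCH
    fi

    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src sha256=$src_hash"
        echo "image=$dst sha256=$dst_hash"
        echo "verify=$verdict"
    } >>"$log"

    [ "$verdict" = OK ]
}

# Usage (placeholders): image_and_verify /dev/sdX /evidence/case01.dd /evidence/case01.log
if [ $# -ge 3 ]; then
    image_and_verify "$@"
fi
```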
Just trying to make life easier…
J. Michael Butler, GCFA Gold #00056, is an Information Security Consultant employed by a Fortune 500 application service provider that processes approximately half of the $5 trillion of residential mortgage debt in the US. He is a certified computer forensics specialist. In addition, he authored the enterprise-wide security incident management plan and information security policies for his corporation. He can be reached at jmbutler_1 at hotmail dot com.