Detecting and Collecting Whole Disk Encryption Media

Published on November 2019

Collecting Whole Disk Encryption . . , Technology Pathways, Founder & CTO [email protected] 619-435-0906 / 888-894-5500

Copyright © 2005, Technology Pathways, LLC

• Discuss the benefits for using live computer forensic investigation techniques to detect, examine, and collect whole disk encryption.
• Attendees will be introduced to the components of a , identifying whole disk encryption.


• Evolution of Personal Encryption
• Whole Disk Encryption Products
• WDE Functionality
• WDE Identification
• WDE Collection
• Evolution of Digital Evidence Dynamics
• Tool Options
• Demo

Identification & Collection of Encrypted Disks


• File level application encryption apps
• Virtual volume encryption (PGP, etc.) products for file level encryption alone
Today users and businesses require many types of .

• with differing benefits.
 – Transport encryption (protect data in transit)
 – File encryption (data at rest system on)
 – Container encryption (protect data at rest system off)
 – Whole disk encryption (protect data at rest system off)

• Each approach has differing levels of impact to performance and complexity.


• Encryption provides pre-boot protection of data encrypted at rest only
• Authentication and Authorization mechanisms vary.
• If the system is live, the data is accessible in an unencrypted state
• Recovery keys often provide no-password access

• • top an

in

 – The disk can be collected in an unencrypted state
 – Artifacts allowing for password recovery can be collected


•  – Identify and/or Collect

• Possible Exceptions: ’ analyze it)
 – Find the recovery boot disk (some allow full recovery without password or provide vendor tech support backdoor)

• PGP Encrypted Disk Collection
• Goals:
 – Identify whole disk encryption in use
 – Collect disk live in unencrypted state
 – Collect user artifacts useful in password recovery


Questions? Technology Pathways provides comprehensive, affordable computer forensic tools for Law Enforcement, Corporate and Government.

Coronado, Ca. 92118

FAX: 619-435-0465

www.TechPathways.com

ProDiscover solutions include: investigations, incident response, computer forensics, and electronic discovery.

live systems over networks and has been accepted in criminal and civil proceedings.
