This preview shows pages 1–2. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: A methodology for the repeatable forensic analysis of encrypted drives * Cory Altheide IBM ISS Mountain View, CA email@example.com Claudio Merloni Secure Network S.r.l. Agrate Brianza, Italy firstname.lastname@example.org Stefano Zanero DEI - Politecnico di Milano Milano, Italy email@example.com ABSTRACT In this paper we propose a sound methodology to perform the forensic analysis of hard disks protected with whole-disk encryption software, supposing to be in possession of the appropriate encryption keys. We demonstrate how to cre- ate a forensically sound clone-copy of the seized media, and how to access the information contained in the media in a repeatable way, minimizing the usage of unverified and pro- prietary software. We discuss the impact of such encryption solutions on the capability of forensic analysis software to reconstruct deleted files. We propose and perform scientific tests for validating each step of our proposed procedure. Categories and Subject Descriptors K.5.m [ Legal Aspects of Computing ]: Miscellaneous computer forensics ; K.6.5 [ Management of Computing and Information Systems ]: Security and Protection Unauthorized access (e.g., hacking, phreaking) ; E.5 [ Files ]: [Organization/structure] General Terms Documentation, Experimentation, Legal Aspects Keywords Computer forensics, whole disk encryption, cybercrime, data recovery. 1. INTRODUCTION The concern for the security of data stored on lost or stolen laptops brings a growing number of organizations to the use * Proceedings of the ACM SIGOPS European Workshop on System Security (EUROSEC), Glasgow, Scotland, March 31, 2008 Mr. Altheide was with Google Inc. during part of the work described in this paper. Corresponding author. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. EUROSEC 08 Glasgow, Scotland Copyright 2008 ACM 978-1-60558-119-4 ...$5.00. of whole-disk encryption software. This, in turn, creates a number of issues for the forensic analysis of such encrypted media. A first issue is, obviously, that if the keys cannot be retrieved such evidence is not accessible to the analyst. Previous research has addressed this problem, suggesting to capture the keys from memory with live forensics , or through other strategies . However, even once the keys have been obtained, a proper, standard procedure must be adopted to properly execute a forensically sound analysis of the seized encrypted media....
View Full Document
- Spring '10
- The Iliad