Forensic Exam Encrypted Drives
A methodology for the repeatable forensic analysis of encrypted drives *

Cory Altheide, IBM ISS, Mountain View, CA, [email protected]
Claudio Merloni, Secure Network S.r.l., Agrate Brianza, Italy, [email protected]
Stefano Zanero, DEI - Politecnico di Milano, Milano, Italy, [email protected]

ABSTRACT

In this paper we propose a sound methodology to perform the forensic analysis of hard disks protected with whole-disk encryption software, assuming that the appropriate encryption keys are available. We demonstrate how to create a forensically sound clone copy of the seized media, and how to access the information contained in the media in a repeatable way, minimizing the use of unverified and proprietary software. We discuss the impact of such encryption solutions on the capability of forensic analysis software to reconstruct deleted files. We propose and perform scientific tests for validating each step of our proposed procedure.

Categories and Subject Descriptors

K.5.m [Legal Aspects of Computing]: Miscellaneous—computer forensics; K.6.5 [Management of Computing and Information Systems]: Security and Protection—Unauthorized access (e.g., hacking, phreaking); E.5 [Files]: Organization/structure

General Terms

Documentation, Experimentation, Legal Aspects

Keywords

Computer forensics, whole disk encryption, cybercrime, data recovery.

* Proceedings of the ACM SIGOPS European Workshop on System Security (EUROSEC), Glasgow, Scotland, March 31, 2008.
Mr. Altheide was with Google Inc. during part of the work described in this paper.
Corresponding author.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. EUROSEC '08 Glasgow, Scotland. Copyright 2008 ACM 978-1-60558-119-4 ...$5.00.

1. INTRODUCTION

The concern for the security of data stored on lost or stolen laptops brings a growing number of organizations to the use of whole-disk encryption software. This, in turn, creates a number of issues for the forensic analysis of such encrypted media. A first issue is, obviously, that if the keys cannot be retrieved, such evidence is not accessible to the analyst. Previous research has addressed this problem, suggesting capturing the keys from memory with live forensics [14], or through other strategies [7]. However, even once the keys have been obtained, a proper, standard procedure must be adopted to execute a forensically sound analysis of the seized encrypted media. A common way to deal with this issue is to perform forensics in a live fashion [10]; however, in some legislative frameworks performing such an analysis may entail unwanted consequences, or may not be fully acceptable in a court of law because of the issue of repeatability. We found out that, on
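The abstract above hinges on two properties of the clone copy: it must be shown to be bit-identical to the seized media at acquisition time, and it must be shown to be unchanged after the examination has been performed on it. The script below is an added example, not code from the paper or its authors. It streams a source into an image file while hashing the bytes as they are read, compares the image against that hash, and re-checks the image after examination so that any modification is caught. With whole-disk encryption the hash covers ciphertext, which is what makes it comparable across repeated acquisitions. The file names, the 1 MiB chunk size and the pseudo-random sample "drive" are assumptions constructed for the demonstration; on a real device a hardware write blocker still belongs in front of the source.

```python
"""Hash-verified acquisition of a (possibly encrypted) drive image.

Added example, not part of the original paper.  Paths, chunk size and
the sample data are illustrative assumptions.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB read size (assumption; any size works)


def sha256_of_file(path):
    """Hash a file in chunks so that images larger than RAM can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Stream `source` into `image`, hashing the bytes as they are read.

    Returns (source_hash, image_hash, match).  The source is opened
    read-only and never written to; the image is fsync'd before it is
    re-read and hashed independently, so the comparison covers what is
    actually on disk rather than what is still in a write buffer.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hash = h.hexdigest()
    image_hash = sha256_of_file(image)
    return source_hash, image_hash, source_hash == image_hash


def verify_unchanged(image, expected_hash):
    """Re-hash the image after examination; True only if it is untouched."""
    return sha256_of_file(image) == expected_hash


def demo():
    """Constructed sample: a ~3 MiB pseudo-random file stands in for the seized media.

    Returns (acquired_ok, unchanged_after_readonly_pass, unchanged_after_tamper).
    """
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "seized.raw")   # stands in for the device
        img = os.path.join(workdir, "seized.dd")    # the clone copy
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))    # non-multiple of CHUNK on purpose

        source_hash, _image_hash, acquired_ok = acquire_image(src, img)

        # A read-only pass over the image (the examination) must leave it intact.
        sha256_of_file(img)
        unchanged_after_readonly = verify_unchanged(img, source_hash)

        # Flip one byte to show that the post-examination check catches a change.
        with open(img, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        unchanged_after_tamper = verify_unchanged(img, source_hash)

        return acquired_ok, unchanged_after_readonly, unchanged_after_tamper
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Recording the acquisition hash alongside the image, and re-running `verify_unchanged` at the end of every examination session, is what makes the later steps of the analysis repeatable by a second examiner: they can confirm they are working on the same bytes before reproducing any result.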