One of the fun jobs we get in security is the recovery of digital forensic evidence from hard drives. There’s a real feeling of achievement when you have teased apart the hidden files, the slack space, and the partial fragments to reveal a clear picture that proves guilt or proves innocence. The practice had become relatively standardized, until recently.
Companies and persons of interest have increasingly been using Full Disk Encryption to protect their interests, legitimate or suspect, and this creates a problem.
In at least one case, the encryption requires a partial boot from the evidence disk in order to obtain an unencrypted disk on which to perform forensics. That little bit about booting from the disk is where the trouble starts. Attorneys hate it when we boot from the disk, especially into Windows, as it is normally impossible not to change the disk, which can affect the admissibility of evidence. Various techniques and equipment have been brought into the practice to get around this simple effect of changing the source data, even when you can show that no important data changed, because 1) it is expensive to prove that nothing important changed and 2) it is terribly difficult to sway a jury regarding the changed data. Case evidence comes down largely (nearly entirely) on the “do not alter the source data” side of the house.
So booting off that disk is very problematic, but not impossible to work around, if you have the time and money to perform the science dance and there is a possibility of convincing a jury. Once enough case evidence exists to support the maneuver, it will be much more “jury friendly”.
One of the tricks we use to avoid altering the data is a write blocker: a piece of hardware that keeps the source disk read-only. We are currently running a series of tests to determine whether write blockers can be used and whether the hardware dependency of some encryption utilities affects the outcome.
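As an added illustration (not code from the original post), here is the kind of sector-level comparison that turns “something changed” into “these specific sectors changed”: hash a baseline image acquired through the write blocker, hash the image acquired after a boot, and list the sectors that differ. The 512-byte sector size and the tiny sample images are assumptions constructed for the example.

```python
import hashlib

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def sector_hashes(image: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Return the SHA-256 digest of every sector in a raw disk image."""
    return [hashlib.sha256(image[i:i + sector_size]).hexdigest()
            for i in range(0, len(image), sector_size)]


def whole_image_hash(image: bytes) -> str:
    """Whole-image digest, the value normally recorded on the chain-of-custody form."""
    return hashlib.sha256(image).hexdigest()


def changed_sectors(before: bytes, after: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Indices of sectors whose content differs between two images of the same disk."""
    if len(before) != len(after):
        raise ValueError("images differ in length; not the same disk geometry")
    a = sector_hashes(before, sector_size)
    b = sector_hashes(after, sector_size)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def integrity_report(before: bytes, after: bytes) -> dict:
    """Summarise what a boot (or a write-blocker test) did to the source disk."""
    changed = changed_sectors(before, after)
    return {
        "baseline_sha256": whole_image_hash(before),
        "after_sha256": whole_image_hash(after),
        "identical": not changed,
        "changed_sectors": changed,          # which sectors to examine and explain
        "changed_bytes": len(changed) * SECTOR_SIZE,
    }


# Constructed sample: an 8-sector "disk" imaged before and after a boot.
BASELINE = bytes(range(256)) * 16        # 4096 bytes = 8 sectors of 512
_mod = bytearray(BASELINE)
_mod[3 * SECTOR_SIZE + 10] ^= 0xFF       # simulate the boot touching sector 3
_mod[6 * SECTOR_SIZE] ^= 0xFF            # ... and sector 6
AFTER = bytes(_mod)

if __name__ == "__main__":
    print(integrity_report(BASELINE, AFTER))
```

A report listing two touched sectors out of millions is far easier to explain to a jury than a pair of mismatched whole-disk hashes.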
What would be remarkably useful is a utility for mounting encrypted disks outside the normal system, as if they were a Volume in TrueCrypt parlance and not an entire disk. As part of our investigation we are talking to manufacturers and looking for these utilities to be made available or created.
So far we’ve only had one case where this was an issue, but we anticipate many more, and hopefully the issue will be resolved before something really important comes along.
This blog and its contents are copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.