![]() ![]() We are suggesting a way for securing access to evidence during incident response by analyzing the live system for signs of full-disk encryption. Not only does it lock experts out of evidence stored on encrypted volumes that have been mounted during the acquisition, but depending on the type of protector used to secure the volume the evidence may become completely inaccessible once the disk is removed from the original computer. The classic workflow had always involved pulling the plug, taking the disks out, write-blocked imaging and subsequent analysis of the image files. Accessing evidence stored on encrypted disk volumes may not be possible without breaking the encryption first. The Challengeįull-disk encryption is an ongoing challenge for forensic experts. ![]() In December 2021, we added BestCrypt Volume Encryption 4 и 5 to both Elcomsoft Encrypted Disk Hunter and Elcomsoft Distributed Password Recovery. What steps are required and how to tell if the system is using full-disk encryption? “We have a tool for that”. A timely detection of full-disk encryption or a mounted crypto container allows experts take extra steps to secure access to encrypted evidence before pulling the plug. The wide spread of full-disk encryption makes live system analysis during incident response a challenge, but also an opportunity. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |