With the rise in data theft, corporate environments increasingly require whole disk encryption to protect valuable company assets. This presents a challenge for the forensic community, and sometimes a dead end for an investigation. Forensic tools are slowly gaining ground but get little help from the encryption manufacturers.

There are two types of whole disk encryption: hardware and software. Seagate has coined the term Full Disk Encryption for their hardware-based solution. Currently, Seagate offers the Momentus drive, a 2.5 inch laptop hard drive in the 30GB-160GB capacity range aimed at corporate users. The Momentus drive supports and enhances the Trusted Platform Module (TPM) microchip. The drive also has its own wiping utility built in, so the laptop or drive can be reissued or sold without using a third party or a separate tool to destroy the data on it. The encrypted drive is accessed by simply entering a password. The drive encryption cannot be turned off, which ensures that the user does not make the laptop vulnerable by mistake. If the laptop is left on after authenticating, the drive can be accessed, which is a plus for forensics but can pose a security issue for the end user. There has been talk of Hitachi releasing an encrypted drive later this year to compete with the Seagate model.

BitLocker is a feature available only in the Enterprise and Ultimate versions of Microsoft's Vista. BitLocker encrypts the entire Windows volume on a laptop or desktop computer. If the computer has a Trusted Platform Module (TPM), BitLocker uses it to lock the encryption keys that protect the data on the volume. Microsoft designed BitLocker so that a TPM is not a requirement for disk encryption. A TPM is an embedded microchip, usually installed on the motherboard, that communicates with the rest of the system over a hardware bus. The TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. For enhanced security, a USB device or floppy disk and a PIN can be used along with the TPM, adding another step to the decryption process. As of this writing, the major forensic tools do not have a way around BitLocker; however, there are manual steps that can be taken to get around the encryption.
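The TPM comparison described above can be modelled in a few lines. This is an added example, not Microsoft's or any vendor's code: a simplified Python model in which `ToyTPM`, `measure_boot`, the component names and the key are all constructed for illustration, using the SHA-1 extend operation of TPM 1.2 registers.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length used by TPM 1.2 registers


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold each boot component, in order, into one register starting at zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTPM:
    """Simplified model: one sealed key plus the snapshot taken at seal time."""

    def seal(self, key: bytes, snapshot: bytes) -> None:
        self._key, self._snapshot = key, snapshot

    def unseal(self, current_pcr: bytes):
        # Release the key only when the current measurement equals the snapshot.
        if hmac.compare_digest(current_pcr, self._snapshot):
            return self._key
        return None


# Constructed sample data: short stand-ins for boot components and a volume key.
GOOD_BOOT = [b"firmware", b"boot-sector", b"boot-manager", b"os-loader"]
TAMPERED_BOOT = [b"firmware", b"boot-sector-modified", b"boot-manager", b"os-loader"]
REORDERED_BOOT = [b"firmware", b"boot-manager", b"boot-sector", b"os-loader"]
VOLUME_KEY = bytes(range(32))


def demo() -> dict:
    tpm = ToyTPM()
    tpm.seal(VOLUME_KEY, measure_boot(GOOD_BOOT))
    chains = {"good": GOOD_BOOT, "tampered": TAMPERED_BOOT, "reordered": REORDERED_BOOT}
    return {name: tpm.unseal(measure_boot(chain)) for name, chain in chains.items()}


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:9s} -> {'key released' if key else 'key withheld'}")
```

Because the register is a running hash, changing or reordering any measured component changes the final value, so the key stays sealed.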

PGP offers several software encryption packages, including one for whole disk encryption. PGP's whole disk encryption product locks down the entire contents of a laptop, desktop, external drive, or USB flash drive (including boot sectors, system, and swap files), making it a good choice for company-wide protection. PGP offers one-time passphrases, which allow access to the encrypted drive and are then reset after use. AccessData's Password Recovery Toolkit is able to use brute force to retrieve a password from a PGP encrypted drive. It is very time consuming but can be done.

PC Guardian, now known as GuardianEdge, offers a whole disk encryption solution that requires a pre-boot password or smartcard to access the encrypted drive. The encryption allows for multiple user logons for one drive. All software deployments and updates are done through Group Policy Objects (GPO) in Active Directory.

Utimaco offers SafeGuard Easy, which is whole disk encryption software. SafeGuard Easy has a pre-boot authentication process that supports both passwords and eTokens, and it encrypts and decrypts data on the fly. Like most other products, it offers 128-bit and 256-bit Advanced Encryption Standard (AES) and 128-bit IDEA.

Guidance Software produces EnCase Forensic, Enterprise and FIM. At the beginning of the year, EnCase Version 6 was released to the public, as well as the EnCase Decryption Suite. The Decryption Suite supports the decryption of PC Guardian and Utimaco disk-based encryption products. Unfortunately, the user name and password must be known in order to access the supported encryption types. According to Guidance technical support, they are planning support for Pointsec decryption in the very near future.

Conclusion
There are many types of whole disk encryption on the market, available to both consumers and businesses. We are seeing more and more encrypted drives in the field, and this will only increase with time. As with all technology, advances are being made every day. While techniques and tools are available now for some encryption types, that number will increase over time. Computer forensics is an ever-evolving science, though still a relatively new field. Testing needs to be performed in the lab before techniques are applied in the field, so that investigators know what they are facing before arriving at a client site.