Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SED) offer greater data security than traditional full-disk encryption in that the data stored is always encrypted at rest and the keys to decrypt the data never leave the device, which means they cannot be practically brute-forced through traditional means.
SEDs render “cold boot” and “evil maid” attacks useless and offer instant encryption and crypto-erase when a drive needs to be repurposed. SEDs are very attractive, but present significant obstacles to traditional disk-based forensics. In this post, we’ll walk through how EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives.
Always Encrypted, Not Always Locked
In a locked state, the data at rest on a SED is not usable to an investigator. SED security measures prevent a full disk image of the actual stored data from being taken. Even if a full image could be taken, since the data encryption key never leaves the SED, there is no way to decrypt the data without the original hardware. The SED must be unlocked to extract the actual data. Unlocking requires authentication, which is performed independently of any operating system.
Since the encryption is hardware-based, to an investigator, unlocking is functionally equivalent to decryption. Although SED manufacturers have adopted the Trusted Computing Group’s OPAL specification, the way a SED is unlocked is specific to each encryption management vendor.
WinMagic SecureDoc and EnCase
Products like WinMagic SecureDoc manage both software-based encryption and SEDs. Working in close partnership with WinMagic, Guidance Software has delivered the ability to unlock SEDs managed by WinMagic SecureDoc. One of the major obstacles to deploying encryption across an enterprise is maintaining the ability to investigate the resulting protected data. EnCase 7.10 and SecureDoc together provide first-of-a-kind visibility into the data within a SED.
Earlier this year, Guidance and WinMagic jointly presented a proof-of-concept of this technology at CEIC 2014. Subsequently, Garry McCracken on the SecureSpeak blog shared more information on how SEDs work, along with helpful background on full disk encryption. Now that EnCase 7.10 has been released, investigators can see how EnCase may be used to unlock a SecureDoc-managed SED.
Decrypted and Write-Blocked
When a SED is configured with pre-boot authentication, only the 128MB OPAL “MBR Shadow” volume is visible to the OS. In Windows Disk Manager, this volume is presented as a smallish volume labeled “WINMAGIC.”
Naturally, Windows Explorer doesn’t yield any more info.
Next, let’s take a look in EnCase 7.10. We’ll add a physical device to our case:
When we open the device from the Evidence tab, SecureDoc’s MBR Shadow volume is recognized by EnCase, and we are prompted to provide a SecureDoc Recovery Key and Password.
Once we enter the path to the recovery key and the password, the SED is unlocked by EnCase and the contents of the encrypted volume are presented to the investigator.
The volume’s file system is parsed just like any unencrypted volume and can be investigated just like any other drive. Decryption is taken care of transparently by the SED hardware. This unlocked state persists until the device is physically disconnected from the Examiner machine.
There is one more wrinkle to this technology: while the drive is unlocked in EnCase, the Windows OS still sees only the Shadow MBR!
Since the OS can’t see the contents of the unlocked volume, it can’t touch or tamper with the actual data of interest. While this is not explicitly enforced by a hardware bridge (e.g., a Tableau Forensic Bridge), the contents are effectively—and I will add, serendipitously—write-blocked.
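The two observations above (a locked SED shows the OS only a small “WINMAGIC” volume, and the OS keeps seeing only that volume even after EnCase has unlocked the drive) can be turned into a quick examiner-side check. The following PowerShell script is an added example, not code from the original post or from Guidance Software or WinMagic. It assumes only what the post states: the MBR Shadow is presented as a volume labeled “WINMAGIC” of about 128MB. The function name Find-SedShadowVolume, the 10% size tolerance and the parameter names are this example’s own choices.

```powershell
# Added example (not from the original post): list attached disks on which the
# OS sees an OPAL MBR Shadow volume. Assumptions taken from the post: the shadow
# is a volume labeled "WINMAGIC" of roughly 128MB. The size tolerance and the
# function/parameter names are hypothetical choices for this example.
function Find-SedShadowVolume {
    [CmdletBinding()]
    param(
        [string]$ShadowLabel     = 'WINMAGIC',
        [long]  $ShadowSizeBytes = 128MB,
        [double]$Tolerance       = 0.10
    )
    $low  = [long]($ShadowSizeBytes * (1 - $Tolerance))
    $high = [long]($ShadowSizeBytes * (1 + $Tolerance))

    foreach ($disk in Get-Disk) {
        # Volumes the OS can actually see on this disk.
        $volumes = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                   Get-Volume -ErrorAction SilentlyContinue

        $shadow = $volumes | Where-Object {
            $_.FileSystemLabel -eq $ShadowLabel -and
            $_.Size -ge $low -and $_.Size -le $high
        }
        if (-not $shadow) { continue }

        # Everything else the OS exposes on the same disk; on a SED that is
        # locked (or unlocked only for EnCase) this should be empty.
        $other = @($volumes | Where-Object { $_.ObjectId -ne $shadow.ObjectId })

        [PSCustomObject]@{
            DiskNumber        = $disk.Number
            FriendlyName      = $disk.FriendlyName
            ReportedDiskBytes = $disk.Size
            ShadowLabel       = $shadow.FileSystemLabel
            ShadowBytes       = $shadow.Size
            OtherOsVolumes    = $other.Count
            Assessment        = if ($other.Count -eq 0) {
                                    'Only the MBR Shadow is OS-visible; data range not exposed to Windows'
                                } else {
                                    'Data range is OS-visible; Windows can write to it'
                                }
        }
    }
}

# Usage: run once before and once after unlocking the drive in EnCase.
Find-SedShadowVolume | Format-Table -AutoSize
```

Run it before adding the device to the case and again after EnCase has unlocked it: if the post’s description holds, both runs report the same single “WINMAGIC” volume with OtherOsVolumes equal to 0, which is the condition under which the OS-level write-blocking described above applies. An assessment of “Data range is OS-visible” means Windows can reach the decrypted data, so a hardware write-blocker should be used as it would be for any unencrypted drive.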
While SEDs have been around for some time, they have only recently begun to attract more attention. It may be argued that the need for data privacy has never been greater, and the demand for SEDs across enterprises and individuals is strong. Guidance Software and WinMagic understand that a major part of data protection is not just preventing access, but also allowing authorized use. I’d love to hear your experiences working with SEDs, or your thoughts on where you see this technology headed for investigations. Please feel free to comment below, or reach me on Twitter @kenm_encase.