With data breaches and data security pushed into the news on seemingly daily basis, we expect today’s digital investigators to be faced with encryption technology more frequently. For those with something to hide, the use of strong encryption has been widely promoted. For those with data they would like to protect, the use of strong encryption is becoming more commonplace by the day. Most enterprises know full disk and file-level encryption is a necessity if you have something worth protecting. Underlining the trend, Windows 8.1 has designs in place to enable BitLocker encryption by default when appropriate hardware is present. One of the strengths of EnCase over the years have been the ability to identify encryption and decrypt evidence in place, exposing data for investigation, without altering its contents.
If you’ve ever peered into the abyss of encrypted unallocated clusters, you’ll know that it is not always obvious what type of encryption you are dealing with. There are times when the data at rest is not able to be automatically decrypted by EnCase. To that end, the helpful Technical Services Engineers at Guidance Software have put together this helpful primer, to aid and help you identify a variety of different types of encryption in the wild. Take a look and let us know if you have questions or your own unhelpful encrypted clusters staring back at you.
Most full disk encryption products make amendments to either the Master Boot Record (MBR) or the Volume Boot Record (VBR) to point to and execute its code, in order to allow decryption of the data. Some products may replace these entirely. In each case, there is often an identifier added that relates to the encryption product used. Below are the identifiers used for the encryption products supported by EnCase. Those not supported may follow a similar pattern.
Check Point Full Disk Encryption
At sector offset 90 of the VBR, the product identifier "Protect" can be found. Hex value "50 72 6F 74 65 63 74"
For details on how to use EnCase to decrypt Check point Full Disk Encryption, please see https://support.guidancesoftware.com/node/3464 (registration required)
GuardianEdge Encryption Plus/Anywhere/Hard Disk Encryption and Symantec Endpoint Encryption
At sector offset 6 MBR, the product identifier "PCGM" can be found. Hex value "50 43 47 4D"
McAfee Safeboot/Endpoint Encryption
At sector offset 3 MBR, the product identifier "Safeboot" can be found. Hex value "53 61 66 65 42 6F 6F 74"
For details on how to use EnCase to decrypt McAfee Endpoint Encryption, please see https://support.guidancesoftware.com/node/3463
For details on how to use EnCase to decrypt McAfee Safeboot, please see https://support.guidancesoftware.com/node/1551
Microsoft Bitlocker/Bitlocker to Go
For Windows Vista, at sector offset 0 of the VBR for the Bitlocker partition, the product identifier "ëR|¬-FVE-¬FS-" can be found. Hex value "EB 52 90 2D 46 56 45 2D 46 53 2D"
For Windows 7/8, at sector offset 0 of the VBR for the Bitlocker partition, the product identifier "ëX¬|-FVE-FS-" can be found. Hex value "EB 58 90 2D 46 56 45 2D 46 53 2D"
For details on how to use EnCase to decrypt Microsoft Bitlocker/Bitlocker To Go, please see https://support.guidancesoftware.com/node/3737 (registration required)
Sophos Safeguard Enterprise and Safeguard Easy
For Safeguard Enterprise, at sector offset 119 of the MBR, the product identifier "SGM400" can be found. Hex value "53 47 4D 34 30 30 3A"
For Safeguard Easy, at sector offset 144 of the MBR, the product identifier "SGE400" can be found. Hex value "53 47 45 34 30 30 3A"
For details on how to use EnCase to decrypt Sophos Safeguard Easy/Enterprise, please see https://support.guidancesoftware.com/node/1558
Symantec PGP Whole disk Encryption
At sector offset 3 MBR, the product identifier "ëH|PGPGUARD" can be found. Hex value "EB 48 90 50 47 50 47 55 41 52 44"
For details on how to use EnCase to decrypt Symantec PGP, please see https://support.guidancesoftware.com/node/1863
WinMagic SecureDoc Full Disk Encryption
At sector offset 246 MBR, the product identifier "WMSD" can be found. Hex value "57 4D 53 44"
For details on how to use EnCase to decrypt WinMagic SecureDoc, please see https://support.guidancesoftware.com/node/1794
Apple FileVault
At sector offset 0 of the container, the product identifier "encrdsa" can be found. Hex value "65 6E 63 72 63 64 73 61"
For details on how to use EnCase with Apple FileVault 1, please see https://support.guidancesoftware.com/node/3739
Dell Data Protection (Credant Mobile Guardian)
As Credant Mobile Guardian encrypts the files and folders and doesn't encrypt the system files, the MBR and VBR do not appear to be modified. EnCase searches for the CredDB.CEF file to determine if any of the files are encrypted with Credant Mobile Guardian.
For details on how to use EnCase to decrypt Credant Mobile Guardian, please see https://support.guidancesoftware.com/node/1554
Microsoft Encrypting File System
As the Microsoft Encrypting File System (EFS) encypts files and folders and doesn't encrypt system files, the MBR and VBR do not appear to be modified. Files that have been encrypted with EFS will have a corresponding EFS stream which is visible in EnCase. This will be the name of the file with $EFS appended.
You may be able to run a search (GREP, for example) to search for the hex values above, or for the $EFS, to help determine which product has been used. It is not possible to determine from these the exact version.
We hope you find this reference list helpful and welcome your comments, questions or suggestions below.
Graham Jenkins is a Technical Services Engineer at Guidance Software. His industry experience includes five years as a Senior Technical Support Analyst at Sophos.
No comments :
Post a Comment