
ProDiscover VS Whole Disk Encryption

Last post 04-15-2008, 11:51 AM by tlang. 4 replies.
  • ProDiscover VS Whole Disk Encryption

     02-29-2008, 7:53 AM

    We deploy Whole Disk Encryption on all of our laptops, which is a great thing when it comes to protecting our data. But now I'm finding that disk encryption and creating an image don't go nicely.

    I need to examine a hard drive that is encrypted, and ProDiscover is having issues imaging the hard drive. I boot up off the PDServer Boot Disk and I do see the laptop via my ProDiscover console, but when I go to image the drive it says it's 0 bytes.

    What are some steps that I can take to get a forensic copy of this hard drive?

  • Re: ProDiscover VS Whole Disk Encryption

     02-29-2008, 9:27 AM

    Tlang,

    If you are booting the laptop to the PDServer Linux boot disk then you will not be able to image the drive unless you were in some way able to provide the pre-boot authentication to the notebook to decrypt the drive.

    If however the system is up and running past the pre-boot authentication then you can use the Windows PDServer pushed out, or run on the system from CD/Thumbdrive to connect and image the drive in an unencrypted state in most whole disk encryption schemes we have tested.

    I hope this is helpful. If not please provide more information on the whole disk encryption and the methodology you are using.


    Regards,
    Christopher L. T. Brown, CISSP
  • Re: ProDiscover VS Whole Disk Encryption

     04-14-2008, 12:38 PM

    Sorry for the long delay, and I want to thank you for your quick response. With the notion that the laptop is turned off at this point, we do not want to boot into Windows. So the Linux boot disk would be best. We are currently using PGP and wonder if there was a way we can modify the Linux boot disk to detect encryption and prompt for the user's passphrase.
  • Re: ProDiscover VS Whole Disk Encryption

     04-14-2008, 3:31 PM

    Tlang,

    I think that hacking up the Linux Remote Agent Boot Disk might take a bit longer than you think. While this is a novel idea, and worth investigating, it isn’t a trivial task. As you have stated, the Linux boot disk would essentially need to re-implement the PGP boot loader and provide a way to load the key manually.

    In our next dev cycle coming up we do have on the list to investigate providing a recovery key read capability for EFS and other forms of encryption. I’ll certainly add this conceptual approach to the list as it’s a good idea for exploration.

    One thing you may want to try is creating a ‘DD’ image and the VMDK support file to later boot that image in VMWare. Of course this is booting the system, but VMWare offers some good snapshot and protection capabilities.

    Other than this, for now, imaging the system live is the best approach.

    Regards,
    Christopher L. T. Brown, CISSP
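
The 'DD' image plus VMDK support file idea from the reply above, as an added example that is not part of the original posts and not ProDiscover's own tooling: a Python sketch that hashes a raw image and writes a flat-extent VMDK descriptor beside it. The function names, the geometry and adapter defaults, and the hardware version value are assumptions of this example.

```python
import hashlib
import os

SECTOR = 512  # bytes per sector assumed for the raw image

def sha256_file(path, chunk=1 << 20):
    """Hash the image in chunks so large acquisitions do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def vmdk_descriptor(image_path, heads=16, spt=63, adapter="ide"):
    """Return monolithicFlat descriptor text; geometry/adapter are assumed defaults."""
    size = os.path.getsize(image_path)
    if size == 0:  # the symptom from the first post: an image reported as 0 bytes
        raise ValueError("image is 0 bytes; acquisition failed")
    if size % SECTOR:
        raise ValueError("image size is not a whole number of sectors; truncated?")
    sectors = size // SECTOR
    cylinders = max(1, sectors // (heads * spt))
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        # RW extent: attach a working copy, never the evidence original.
        f'RW {sectors} FLAT "{os.path.basename(image_path)}" 0',
        "",
        "# The Disk Data Base",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        'ddb.virtualHWVersion = "4"',
        "",
    ])

def write_descriptor(working_copy):
    """Write <image>.vmdk beside a working copy; return (vmdk path, sha256)."""
    digest = sha256_file(working_copy)
    vmdk_path = working_copy + ".vmdk"
    with open(vmdk_path, "w", newline="\n") as f:
        f.write(vmdk_descriptor(working_copy))
    return vmdk_path, digest
```

Record the returned SHA-256 with the case notes before the virtual machine is powered on, so the working copy can be checked against the original acquisition afterwards.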
  • Re: ProDiscover VS Whole Disk Encryption

     04-15-2008, 11:51 AM

    Thanks for the reply, and it sounds like something I wouldn't mind messing with.
    But first I'll try the 'DD' image and import it into VMWare. Thanks for the idea. I'll reply and let you know my results.