Computer Forensics and Self-Encrypting Drives

In my last blog on computer forensics I addressed the question: does software Full Disk Encryption (FDE) thwart computer forensics? To recap, a software-encrypted drive can prevent effective forensics. However, if you have enterprise key management and forensics software that can interface with it to obtain the media encryption key (MEK), then it doesn't have to be any more challenging than doing forensics on an unencrypted drive.

So what about forensics and self-encrypting drives (SEDs)? Is that a problem? Well, it can be. There is no TCG Opal command to extract the MEK from a SED, so it cannot be backed up. Unlike software FDE, if a crypto-erase is performed on a SED the MEK is regenerated and the data is gone forever. This is, of course, a problem for forensics, but it is exactly what most people want when they crypto-erase a drive. (I see this as an advantage of SEDs over software FDE.)

The more common use case is that the SED is seized from the user but the drive is locked. There is a 128 MB MBR shadow that is in plain text, but the rest of the drive looks like it has no data on it: all LBAs (Logical Block Addresses) above the 128 MB shadow appear to contain only 0s. In a standalone system, if the user doesn't give the forensic examiner his password, the examiner is out of luck; all they see is a blank drive. However, with enterprise 'key' management the SED authentication credentials are stored in a secure central database. With proper authorization the forensic examiner can retrieve the credentials and unlock the drive. The reason I refer to a 'key' management system taking care of the credentials is that the SED credentials can be 256-bit random numbers and have the same strength as a 256-bit AES key.
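As an added example (my own triage code, not part of the original post and not WinMagic's or Guidance's software), here is how an examiner can tell a locked SED image apart from a software-FDE image or a plaintext drive using exactly the signature described above: a readable shadow MBR followed by LBAs that read as all zeros. The 64 KB shadow size, the `classify_image` name and the sample images are constructed assumptions; on a real Opal drive the shadow region is the 128 MB the post mentions.

```python
import math
import random
from collections import Counter

CHUNK = 4096  # bytes examined at each sample point

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for all-zero data, close to 8.0 for ciphertext."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def region_stats(image: bytes, start: int, end: int, step: int = 32 * 1024):
    """Sample one CHUNK every `step` bytes within [start, end).
    Returns (fraction of sampled chunks that are all zero, mean entropy)."""
    zero, ents = 0, []
    for off in range(start, end - CHUNK + 1, step):
        chunk = image[off:off + CHUNK]
        zero += not any(chunk)
        ents.append(shannon_entropy(chunk))
    if not ents:
        return 1.0, 0.0
    return zero / len(ents), sum(ents) / len(ents)

def classify_image(image: bytes, shadow_bytes: int) -> str:
    """Triage verdict for a raw image; the first `shadow_bytes` is where an
    Opal SED exposes its plaintext shadow MBR (128 MB on a real drive)."""
    shadow_zero, _ = region_stats(image, 0, shadow_bytes)
    body_zero, body_ent = region_stats(image, shadow_bytes, len(image))
    if body_zero > 0.99 and shadow_zero > 0.99:
        return "blank"        # nothing anywhere, not even a shadow MBR
    if body_zero > 0.99:
        return "locked_sed"   # readable shadow MBR, all LBAs above it read as 0s
    if body_ent > 7.5:
        return "encrypted"    # ciphertext-like everywhere, e.g. software FDE
    return "plaintext"        # unencrypted, or a SED imaged after it was unlocked
# Constructed sample images (scaled down: 64 KB "shadow" + 256 KB of user LBAs).
SHADOW = 64 * 1024
_rng = random.Random(7)
_preboot = (b"PRE-BOOT AUTHENTICATION: enter credentials\r\n" * 2048)[:SHADOW]
_files = (b"Quarterly report draft, do not distribute. " * 8192)[:256 * 1024]
LOCKED_SED_IMAGE = _preboot + bytes(256 * 1024)
SOFTWARE_FDE_IMAGE = bytes(_rng.getrandbits(8) for _ in range(SHADOW + 256 * 1024))
PLAINTEXT_IMAGE = _preboot + _files
if __name__ == "__main__":
    for name, img in (("locked", LOCKED_SED_IMAGE), ("fde", SOFTWARE_FDE_IMAGE), ("plain", PLAINTEXT_IMAGE)):
        print(name, "->", classify_image(img, SHADOW))
```

Once the credentials have been retrieved from the key management system and the drive unlocked, re-imaging it yields the "plaintext" verdict, which is the transparency the post describes.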

All this is good in theory, but SEDs are relatively new compared to software FDE and forensics software has not had knowledge of SEDs built into it. In my last blog on forensics I noted that Guidance Software (the leader in forensics software) added SecureDoc support to the 64-bit version of EnCase, with more enhancements to come next year. Well, over the winter months, together we tackled the problem of enabling forensics on WinMagic-managed SEDs. The solution is somewhat similar to software FDE, with one significant exception: once EnCase unlocks the SED, the fact that the underlying SED is encrypted is completely transparent to everyone, even EnCase. (Transparency is another advantage of SEDs over software FDE.)

WinMagic and Guidance jointly demonstrated EnCase unlocking a WinMagic-managed SED at CEIC (the Computer and Enterprise Investigations Conference) last month in Las Vegas. It was well received, although SEDs are still new to some. I expect that the upcoming release of EnCase this summer will include the enhancement demonstrated at CEIC. From my perspective this is another step toward the ecosystem fully supporting SEDs and them eventually becoming ubiquitous.
