Computer Forensics and Self-Encrypting Drives

In my last blog on computer forensics I addressed the question: does software Full Disk Encryption (FDE) thwart computer forensics? To recap, a software-encrypted drive could prevent effective forensics. However, if you have enterprise key management and forensics software that can interface with it to get the media encryption key (MEK), then it doesn’t have to be any more challenging than doing forensics on an unencrypted drive.

So what about forensics and self-encrypting drives (SEDs)? Is that a problem? Well, it can be. There is no TCG Opal command to extract the MEK from a SED, so it cannot be backed up. Unlike software FDE, if a crypto-erase is performed on a SED the MEK is regenerated and the data is gone forever. This is, of course, a problem for forensics, but it is exactly what most people want when they crypto-erase a drive. (I see this as an advantage of SEDs over software FDE.)

The more common use case is that the SED is seized from the user but the drive is locked. There is a 128 MB shadow MBR that is in plain text, but the rest of the drive looks like it has no data on it: all LBAs (Logical Block Addresses) above 128 MB appear to contain only zeros. In a standalone system, if the user doesn’t give the forensic examiner his password, the examiner is out of luck; all they see is a blank drive. However, with enterprise ‘key’ management the SED authentication credentials are stored in a secure central database, and with proper authorization the forensic examiner can retrieve the credentials and unlock the drive. The reason I refer to a ‘key’ management system taking care of the credentials is that the SED credentials can be 256-bit random numbers and have the same strength as an AES 256-bit key.
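The locked-drive appearance described above (a readable shadow MBR region followed by nothing but zeros) is something an examiner can check for before spending time on an image. The triage script below is an added example, not code from WinMagic, Guidance Software or any SED vendor. It builds a constructed, scaled-down drive image (a 128 KiB region stands in for the real drive's 128 MB shadow MBR) and classifies it by looking at whether the region beyond the shadow MBR is all zeros, low-entropy plaintext, or high-entropy data. The thresholds and region size are assumptions chosen for the example; on a real image you would pass the actual shadow MBR size.

```python
import math
import os
from collections import Counter

# Constructed geometry: a real TCG Opal SED exposes a 128 MB shadow MBR, but this
# example scales the region down to 128 KiB so it runs quickly on an in-memory image.
SHADOW_MBR_BYTES = 128 * 1024
USER_REGION_BYTES = 256 * 1024
CHUNK = 4096
HIGH_ENTROPY_THRESHOLD = 7.5  # assumed cut-off, in bits per byte, for "looks like ciphertext"


def shannon_entropy(buf: bytes) -> float:
    """Return entropy of buf in bits per byte (0.0 for all-identical bytes, up to 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def region_stats(image: bytes, start: int, end: int):
    """Walk [start, end) in fixed chunks; count all-zero chunks and average entropy."""
    zero_chunks = 0
    entropies = []
    for off in range(start, end, CHUNK):
        blk = image[off:off + CHUNK]
        if blk.count(0) == len(blk):
            zero_chunks += 1
        entropies.append(shannon_entropy(blk))
    total = len(entropies)
    mean_entropy = sum(entropies) / total if total else 0.0
    return zero_chunks, total, mean_entropy


def classify_image(image: bytes, shadow_bytes: int = SHADOW_MBR_BYTES) -> str:
    """Heuristic triage of a raw image: locked SED, blank, plaintext, or high-entropy data."""
    shadow_zero, shadow_total, _ = region_stats(image, 0, min(shadow_bytes, len(image)))
    user_zero, user_total, user_entropy = region_stats(image, shadow_bytes, len(image))
    if user_total == 0:
        return "too-small"
    if user_zero == user_total:
        # Nothing but zeros beyond the shadow MBR: either a locked SED (shadow MBR
        # populated with a pre-boot environment) or a genuinely blank drive.
        return "blank" if shadow_zero == shadow_total else "locked-sed"
    if user_entropy >= HIGH_ENTROPY_THRESHOLD:
        # Data present but near-random: software FDE ciphertext or compressed media.
        return "high-entropy"
    return "plaintext"


def build_image(kind: str) -> bytes:
    """Construct a sample image of the requested kind: locked, blank, unlocked or fde."""
    shadow = bytearray(SHADOW_MBR_BYTES)
    if kind != "blank":
        # Fake boot sector plus a marker string, standing in for a pre-boot authentication
        # environment stored in the plaintext shadow MBR (constructed content).
        shadow[0:16] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 2
        shadow[510:512] = b"\x55\xaa"
        shadow[4096:4096 + 40] = b"PBA environment (constructed sample data)"
    if kind in ("locked", "blank"):
        user = bytes(USER_REGION_BYTES)  # locked SED returns zeros above the shadow MBR
    elif kind == "unlocked":
        pattern = b"NTFS user file content (constructed) "
        user = (pattern * (USER_REGION_BYTES // len(pattern) + 1))[:USER_REGION_BYTES]
    elif kind == "fde":
        user = os.urandom(USER_REGION_BYTES)  # stands in for software-FDE ciphertext
    else:
        raise ValueError(kind)
    return bytes(shadow) + user


if __name__ == "__main__":
    for kind in ("locked", "blank", "unlocked", "fde"):
        print(f"{kind:9s} -> {classify_image(build_image(kind))}")
```

A "locked-sed" verdict is the cue to go to the enterprise key management system for the drive's credentials rather than to carve the image; a "high-entropy" verdict points at software FDE, where the MEK itself has to be retrieved instead.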

All this is good in theory, but SEDs are relatively new compared to software FDE and forensics software has not had knowledge of SEDs built into it. In my last blog on forensics I noted that Guidance Software (the leader in forensics software) added SecureDoc support to the 64-bit version of EnCase, with more enhancements to come next year. Well, in the winter months, together we tackled the problem of enabling forensics on WinMagic-managed SEDs. The solution is somewhat similar to software FDE, with a significant exception: once EnCase unlocks the SED, the fact that the underlying SED is encrypted is completely transparent to everyone, even EnCase. (Transparency is another advantage of SEDs over software FDE.)

WinMagic and Guidance jointly demonstrated EnCase unlocking a WinMagic-managed SED at the CEIC (Computer and Enterprise Investigations Conference) last month in Las Vegas. It was well received, although SEDs are still new to some. I expect that the upcoming release of EnCase this summer will include the enhancement demonstrated at CEIC. From my perspective this is another step toward the ecosystem fully supporting SEDs and them eventually becoming ubiquitous.
