Does Full Disk Encryption Software Thwart Computer Forensics

First, what is Computer Forensics?   According to Wikipedia, , Computer forensics is, “a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.”   In short it is like data recovery, but with additional guidelines and practices designed to create a legal audit trail” that could be used in court if need be.

So can FDE interfere with computer forensics?  Absolutely, if the disk is fully encrypted with AES software and the media encryption key (MEK) is protected with a really hard to guess password or multifactor authentication, an examiner will have an insurmountable challenge to overcome.   However, an enterprise can maintain the ability to perform computer forensics AND protect the confidentiality of their mobile data with FDE if they have:

  1. Good Key Management, esp. of the MEK
  2. Forensics Software that can utilize the MEK outputted from the Key Management system

Key Management:

In the case of SecureDoc, the SES (SecureDoc Encryption Server) stores the MEK (itself encrypted) in the central data base in case of emergency.    Should the MEK be required by the forensic examiner, it can be retrieved by an authorized SES administrator in the form of an emergency disk and a password protected key file.  Note, I am not talking about the normal password recovery or challenge response recovery mechanism.  The computer which is being investigated may have had its Windows OS trashed and damage to the boot logon program, making it unbootable.   The only option may be to read and analyze the remaining data fragments on the drive directly, but those are encrypted.

Forensics Software:

This is where you need really good forensics software that can process the emergency disk, key file, and password supplied by the SES Administer to analyze an acquired encrypted image of the drive on the fly as if it had never been encrypted at all while maintaining  the forensic integrity of the resulting “facts and opinions about the information”.   Fortunately Guidance Software,, which is recognized globally as the world leader in e-discovery and other digital investigations, has had this capability in its EnCase suite of digital forensics products for more than 5 years now. WinMagic and Guidance Software continue to work together.  In November 2013 Guidance Software added SecureDoc support to the 64 bit version of EnCase with more enhancements to come next year.

Previous Post
The Market Consolidation Continues
Next Post
Happy Holidays from WinMagic