Thursday, 19 March 2009

Creating Encrypted Forensic Images

Recently we have been asked by some of our clients to encrypt the forensic images we collect before leaving their site. Below are two possible solutions.

Hardware Capture Method

Using a Solo or Talon, create a standard dd image of the suspect hard drive.
As the drive is being imaged, use a forensic laptop to create a TrueCrypt volume on a new NTFS-formatted hard drive. Make sure that the TrueCrypt volume is larger than the disk being imaged.

When the Solo or Talon has finished imaging, robocopy the dd image to the mounted TrueCrypt volume.

Verify that the image can be opened without any errors.
Securely erase the images from the non-encrypted drives using your local standard method.

Software Capture Method

Create a TrueCrypt encrypted hard drive formatted as NTFS.
This can be done in advance, as it will take some time to format and encrypt a 500GB hard drive.

Using FTK, EnCase, DD, etc.

Mount the TrueCrypt encrypted drive.
Connect the suspect drive to a write blocker.
Create an image of the drive as normal to the mounted TrueCrypt drive.
When complete, robocopy the image to another TrueCrypt encrypted "backup" hard drive.
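
Both methods above end the same way: an image lands on a mounted encrypted volume, gets copied to a second encrypted drive, and is then verified. The script below is an added example (not from the original post, and not a Logicube or TrueCrypt tool) that shows the part the copy step does not give you on its own, namely a hash taken at acquisition and re-checked after every copy. It assumes GNU coreutils (dd, sha256sum, cp); the "suspect drive" is a constructed 1 MiB random file, and the two temporary directories stand in for the mounted TrueCrypt volume and the TrueCrypt backup drive.

```shell
#!/bin/sh
# Added example: acquire with dd into the encrypted volume, hash the image,
# copy it to the backup volume, and verify both copies against the acquisition
# hash. All paths and the sample disk are constructed for this demo.
set -eu

# image_and_hash SRC DEST_IMG -> prints the sha256 of the image written to DEST_IMG.
# conv=noerror,sync keeps reading past bad sectors and pads them with zeros, the
# usual dd choice for a forensic image; the hash is taken from the resulting file
# so every later copy can be compared against it.
image_and_hash() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=64k conv=noerror,sync 2>/dev/null
    sha256sum "$dest" | cut -d' ' -f1
}

# verify_image IMG EXPECTED_HASH -> re-reads the image end to end and returns
# non-zero unless it still hashes to EXPECTED_HASH. This is the scripted form of
# "verify that the image can be opened without any errors".
verify_image() {
    img=$1; expected=$2
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# copy_verified SRC_IMG DEST_DIR EXPECTED_HASH -> copies the image (the stand-in
# for the robocopy step) and then verifies the copy, not just the source.
copy_verified() {
    img=$1; dest_dir=$2; expected=$3
    cp "$img" "$dest_dir/"
    verify_image "$dest_dir/$(basename "$img")" "$expected"
}

# Demo with constructed data: a 1 MiB random file plays the suspect drive,
# $tc_vol the mounted TrueCrypt volume and $tc_backup the backup volume.
work=$(mktemp -d)
suspect="$work/suspect.disk"
tc_vol="$work/truecrypt_volume"
tc_backup="$work/truecrypt_backup"
mkdir -p "$tc_vol" "$tc_backup"
dd if=/dev/urandom of="$suspect" bs=64k count=16 2>/dev/null

# Acquisition hash; compare it to a hash of the source as a read-back check.
acq_hash=$(image_and_hash "$suspect" "$tc_vol/suspect.dd")
src_hash=$(sha256sum "$suspect" | cut -d' ' -f1)
[ "$acq_hash" = "$src_hash" ]

# Copy to the backup volume and verify the copy against the acquisition hash.
copy_verified "$tc_vol/suspect.dd" "$tc_backup" "$acq_hash"
echo "acquisition hash $acq_hash verified on primary and backup volumes"
```

On Windows the copy would be robocopy and the hash would come from FTK Imager or the Talon's own report, but the check is the same: compare the hash of each encrypted copy to the one recorded at acquisition before the unencrypted working copy is erased. The demo leaves its temporary directory in place; the secure-erase step is deliberately left to your site's standard method, since overwriting a file is not reliable on every filesystem or on flash media.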

I'd be interested to know how others are dealing with these requests. Has anyone used Seagate's Momentus 5400 FDE.2 drive to accomplish this before?