pgp encase forensic

Hi, I just wonder if PGP is really as secure as it claims to be. When I read the product information for EnCase ( it says that "EnCase can analyze and acquire mounted encrypted volumes, such as PGP and DriveCrypt...."

According to this document:

It claims that it supports EnCase for forensics: "Support for Guidance® Software EnCase".

I wonder what that really means. As I have read, PGP has such strong encryption that it's not possible to decrypt a WDE disk in a reasonable time. The same goes for virtual encrypted disks. So how is that possible?

Well, a few things ... this is from Wikipedia on the state of PGP security as of Nov 2009:

"A more recent incident in December 2006 (see United States v. Boucher) involving US customs agents and a seized laptop PC which allegedly contained child pornography indicates that US Government agencies find it "nearly impossible" to access PGP-encrypted files. Additionally, a judge ruling on the same case in November 2007 has stated that forcing the suspect to reveal his PGP passphrase would violate his Fifth Amendment rights i.e. a suspect's constitutional right not to incriminate himself.[6][7] The Fifth Amendment issue has been opened again as the case was appealed and the federal judge again ordered the defendant to provide the key.[8]

Evidence suggests that as of 2007, British police investigators are unable to break PGP,[9] so instead have resorted to using RIPA legislation to demand the passwords/keys. In November 2009 a British citizen was convicted under RIPA legislation and jailed for 9 months for refusing to provide Police investigators with encryption keys to PGP-encrypted files."

Now, as for cracking any PGP encryption, one can always use social engineering attacks, as well as compromise a PC that has the disk mounted and/or intercept passwords as they are typed. But for all practical purposes, unless the disk drive was the property of some terrorist organization, I don't think it will be worth the time for any government agency, let alone an individual or business, to try to crack it. Just use a really obscure key that is more secure than qwerty, 123456, or the word password itself :)
>mounted encrypted volumes

The key word is 'mounted'. When it is mounted, the volume is available to the user, even though the data itself is still encrypted.

In forensics, it is important to copy the data bit-for-bit, then make it read-only. This maintains evidence handling rules, where the analysis may not alter the subject of the analysis.

So, a bitstream copy is write-blocked, backed up, then mounted for analysis. If the encryption is unlocked with the corresponding keys, then the contents of the encrypted volume can be analyzed...probably copied out to unencrypted storage for further analysis.
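The acquisition step described in the answer above, as an added example rather than code from the original thread or from EnCase/PGP: a bit-for-bit copy that is hashed as it is read, re-hashed after it is written, then made read-only, plus a later re-verification that catches any change to the image. A real acquisition reads a block device behind a hardware write blocker; here the "disk" is a constructed file so the script runs anywhere, and the file names and the `run_demo` helper are assumptions of this example.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not EnCase's or PGP's code). `source` stands in for the
# evidence device; `image` is the bitstream copy that analysis will work on.

CHUNK = 1024 * 1024


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Copy `source` to `image` byte for byte and return the acquisition record
    (size plus source and image hashes) that goes into the chain-of-custody notes."""
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)          # hash of exactly what was read from the source
            dst.write(chunk)
            size += len(chunk)
    source_hash = h.hexdigest()
    image_hash = sha256_of(image)    # independent re-read of what was written
    # Software "write block" on the image: owner/group/other read-only (0444).
    os.chmod(image, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return {
        "bytes": size,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def verify(image: str, record: dict) -> bool:
    """Re-hash the image and compare with the recorded acquisition hash.
    Any later change to the image, even one byte, makes this return False."""
    return sha256_of(image) == record["image_sha256"]


def run_demo() -> dict:
    """Acquire a constructed 1 MiB 'disk', verify it, tamper with it, verify again."""
    workdir = tempfile.mkdtemp(prefix="acq_demo_")
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    data = bytes(range(256)) * 4096          # constructed sample content
    with open(source, "wb") as f:
        f.write(data)
    record = acquire(source, image)
    results = {
        "record": record,
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "mode": stat.S_IMODE(os.stat(image).st_mode),
        "verified_before_tamper": verify(image, record),
    }
    os.chmod(image, 0o600)                   # someone lifts the write block ...
    with open(image, "ab") as f:
        f.write(b"tamper")                   # ... and appends six bytes
    results["verified_after_tamper"] = verify(image, record)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash taken during the read and the hash taken from the finished image should match; recording both, and re-running `verify` before every analysis session, is what lets you show that the thing you analyzed is the thing you acquired.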
xcomiii (Author) Commented:
Ah, that makes sense.
However, I just don't seem to understand the whole picture.

On this link: , EnCase advertises itself as being able to decrypt WDE disks, and maybe it can, but I have in my memory that the key used for WDE is 2048-bit; wouldn't that take centuries to decrypt?

btan (Exec Consultant) Commented:
Agree with aleghart. If keys are loaded upon user login, user files protected by the various security software will be transparently decrypted on the fly for user convenience. Hence any imaging tool can just grab the artifacts as needed, meaning live forensics.

Also, with reference to the link:

It mentioned that if it is not autologin, EnCase can search for the password (that will release the encryption keys, typically symmetric ones); they will commonly be cached in known forensic repositories in the OS. Similarly it may apply to other security software, especially if they support a "wallet" (of passwords) that is supposed (or configured) to cache locally on the host. The same applies to user certificate based authentication (for cached certs in the local cert store).

But I believe if 2-factor authentication is used, it would not be straightforward for EnCase; it would need the user's smartcard etc. But as mentioned, if it is "transparent mode", live forensics would be easier.

They did mention brute force cracking using a dictionary attack, and for the asymmetric type it is not realistic and they are not targeting that aspect (no need to either). But if a weak crypto algorithm (DES) or short keys (56 bits) are used in symmetric encryption, it is already known that it can be cracked easily using rainbow tables and/or a CUDA hardware cracking system.
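Both aleghart's "mounted" point and btan's point that the password releases symmetric keys come down to the same key hierarchy, shown here as an added toy model (not PGP's or EnCase's code): the data is encrypted under a random 256-bit data-encryption key (DEK), the DEK is stored wrapped under a key derived from the passphrase, and "mounted" simply means the unwrapped DEK is sitting in memory. While that is the case every sector reads back as plaintext, which is what a live image captures; once the volume is locked only ciphertext is reachable, and the cost of a wrong passphrase guess is set by the KDF, not by the 2048-bit figure from the question. The sector cipher and wrap construction (a SHA-256 keystream plus an HMAC tag), the passphrases and the `run_demo` helper are assumptions of this example, not a real cipher.

```python
import hashlib
import hmac
import secrets

# Added example (not PGP's or EnCase's code): toy key hierarchy of a
# passphrase-protected volume. Illustration only, not a real cipher.


class VolumeLocked(Exception):
    """Raised when plaintext is requested while the DEK is not in memory."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode, bound to the sector number."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + sector.to_bytes(8, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class EncryptedVolume:
    # The slow KDF is what makes each passphrase guess expensive; the size of
    # the DEK (or of any asymmetric key wrapping it) does not enter here.
    KDF_ITERATIONS = 100_000

    def __init__(self, passphrase: str, sectors: list):
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)                       # random 256-bit DEK
        wrap_key, mac_key = self._derive(passphrase, self.salt)
        self.wrapped_dek = _xor(dek, wrap_key)              # DEK at rest, under the KEK
        self.wrap_tag = hmac.new(mac_key, self.wrapped_dek, hashlib.sha256).digest()
        self.ciphertext = [_xor(s, _keystream(dek, i, len(s)))
                           for i, s in enumerate(sectors)]
        self._dek = None                                    # starts locked

    @classmethod
    def _derive(cls, passphrase: str, salt: bytes):
        km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                 cls.KDF_ITERATIONS, dklen=64)
        return km[:32], km[32:]                             # wrap key, MAC key

    def unlock(self, passphrase: str) -> bool:
        """Derive the KEK, check the tag, and unwrap the DEK into memory."""
        wrap_key, mac_key = self._derive(passphrase, self.salt)
        tag = hmac.new(mac_key, self.wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.wrap_tag):
            return False                                    # wrong passphrase: DEK stays wrapped
        self._dek = _xor(self.wrapped_dek, wrap_key)
        return True

    def lock(self) -> None:
        self._dek = None                                    # drop the key from memory

    @property
    def mounted(self) -> bool:
        return self._dek is not None

    def read_sector(self, i: int) -> bytes:
        """Plaintext view, available only while mounted."""
        if self._dek is None:
            raise VolumeLocked("volume is locked; only ciphertext is reachable")
        ct = self.ciphertext[i]
        return _xor(ct, _keystream(self._dek, i, len(ct)))


def live_acquire(volume: EncryptedVolume) -> list:
    """What an imaging tool gets from a *mounted* volume: every sector in plaintext."""
    return [volume.read_sector(i) for i in range(len(volume.ciphertext))]


def run_demo() -> dict:
    sectors = [b"constructed sector 0: case notes".ljust(512, b"\0"),
               b"constructed sector 1: ledger".ljust(512, b"\0")]
    vol = EncryptedVolume("correct horse battery staple", sectors)
    out = {"locked_reads_plaintext": vol.ciphertext[0] == sectors[0],
           "wrong_passphrase_unlocks": vol.unlock("password")}
    try:
        vol.read_sector(0)
        out["locked_read_raised"] = False
    except VolumeLocked:
        out["locked_read_raised"] = True
    out["right_passphrase_unlocks"] = vol.unlock("correct horse battery staple")
    out["live_image_matches"] = live_acquire(vol) == sectors
    vol.lock()
    out["mounted_after_lock"] = vol.mounted
    return out
```

Run `run_demo()` to see the sequence: a locked volume yields ciphertext and refuses plaintext reads, a wrong passphrase fails the tag check and leaves the DEK wrapped, the right one unwraps it and a live image then matches the original sectors, and locking discards the key again. The defensive lesson is the one btan draws: with the passphrase (or a cached copy of it) the symmetric key follows immediately, so the passphrase, its caching and the KDF cost are where the real protection lives.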
Well, in a few years, when quantum computing technology matures, they could easily crack 2048-bit encryption using Shor's algorithm in no time at all.
Our kids, no doubt, will have an Intel-based (more likely IBM- or HP-based) quantum computer when they grow up, which could crack the 2048 bits in minutes, so don't count on this "centuries to decrypt" idea.

Good point dlethe. The practical aspect of keeping secrets is not "forever". It's to delay access to critical information until it is tactically irrelevant. It would be foolish to think that _any_ encryption method that is generated by a machine cannot be hacked. If there is enough need and enough resources, it will be done eventually.

When a data source is known to be compromised, and possibly going to be cracked, it's important to know what is stored therein. Make it irrelevant before the "bad guys" can crack it and make use of it.

That's where the old-fashioned idea of rotating or constantly changing passwords comes from. In the real world, with general users, this is impractical. But it is more easily accomplished with two-factor authentication techniques that utilize a rotation of one-time passwords. I have one on my keychain as a matter of fact. $20 insurance.
btan (Exec Consultant) Commented:
Agree with both. Crypto is just mathematical equations with big numbers; that makes the effort to derive the outcome undesirable, but of course not by determined means, and recent research has spawned hopes of shortening the process to solve those math equations.

Even the perceived most secure quantum crypto implementation "may" be broken. See link

Having said that, digital forensics is about finding as much supporting evidence as possible to justify claims and hints in investigation processes. Cracking is just an option, but not necessary if there are other means to get what is needed, e.g. on the legal side, users may be requested (or demanded) to "open" up their "safe". Of course, if we do not know the "user" (or it is non-existent, which is at times most of the case in cyber incidents), all means may need to be tried out.

Just some thoughts