EnCase and encryption

pma111
1) A couple of questions: is there any master list of what full disk encryption products the latest version of EnCase Forensic "supports"?

2) What is the definition, in layman's management speak, of support? I.e., if our security team gets a PC in and finds the drive is encrypted, how does the EnCase support kick in? For example, if you just image that drive (never done this but seen one guy do it; it seems they attach it to a write blocker, file > add device > local device), pick the necessary drive, and then "acquire". But aren't you then just imaging a drive of encrypted, non-human-readable data? How does the EnCase support "decrypt" that drive so the image you acquire can be analyzed?

1) A detailed list of supported products for the EnCase Decryption Suite (EDS), an add-on module, is available in the compatibility matrix: https://support.guidancesoftware.com/node/2607
You will need to register for an account on the portal in order to view it.
It mentions support for the following disk encryption products:
BitLocker, GuardianEdge, SafeGuard, SafeBoot, SecureDoc and PGP

Updates since the matrix was created are summarized below based on information from the support portal and/or readme notes.

6.17 adds GuardianEdge Hard Disk and Symantec Endpoint Encryption Support for
GEHD 9.2.2 and SEE 7.0.2
GEHD 9.3.0 and SEE 7.0.3

6.18 adds support for
Windows 7 BitLocker and BitLocker to Go Support
PGP 10 Whole Disk Encryption (Windows, Mac OS 10.5 & 10.6)
GEHD 9.4.0 and SEE 7.0.4
GEHD 9.5.0 and SEE 7.0.5
GEHD 9.5.1 and SEE 7.0.6

6.19 adds support for McAfee Endpoint Encryption 6.0

6.19.4 adds support for Sophos SafeGuard Enterprise (Sophos SGN) and Easy Versions 5.50 and 5.60


2) Each type of decryption product interacts with EDS differently. For some products, you may need an executable or DLL file from the server associated with the encryption product. For other products, you just need to supply a name and key. After you meet the requirements, you will be able to browse and search through the data in EnCase as if it were not encrypted. The support portal and EnCase documentation for each version will provide the detailed requirements. A sample of what may be required can be found here:
http://digfor.blogspot.com/2011/07/safeboot-with-encase-or-ftk_18.html

Author commented:
Thanks. So if you buy EnCase Forensic off the shelf, does it come with the decryption modules, or is that an add-on you have to pay for on top of....
The latest version 7 comes with EDS and other modules included:
http://www.guidancesoftware.com/forensic.htm#tab=2
