Law-enforcement technologyOvercoming full disk encryption in digital investigations
The increasing use of full disk encryption (FDE) can significantly hamper forensic digital investigations, potentially preventing access to all digital evidence in a case
The increasing use of full disk encryption (FDE) can significantly hamper forensic digital investigations, potentially preventing access to all digital evidence in a case. Researchers say that the practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE, or even volume encryption, because it may render all data on the device inaccessible for forensic examination.
To address this challenge, there is a need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind.
A paper published in Digital Investigation describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. The paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. “These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase,” the authors say.
They also discuss some implications for drafting and executing search warrants to dealing with FDE.
— Read more in Eoghan Casey et al., “The growing impact of full disk encryption on digital forensics,” Digital Investigation (6 November 2011) (doi:10.1016/j.diin.2011.09.005)