Jad Saliba of Magnet Forensics encountered this dilemma and wrote a tool that takes the guesswork out of the decision to perform a live acquisition or shut the system down and pull the drive. His free tool, Encrypted Disk Detector (EDD) has been available for a couple of years, and has been a staple of our forensic acquisition curriculum in the SANS FOR408 Windows Forensics In-Depth course. It does an excellent job of recognizing disks and volumes encrypted by Symantec PGP, TrueCrypt, Microsoft Bitlocker, and most recently, McAfee SafeBoot.

6 months ago  /  0 notes  /  Source: forensicmethods.com