Sunday, July 31, 2011

The Mighty Lion

Snow Leopard 10.6 wasn't much of a problem from the forensics perspective and left paw prints all over the snow. It did not enable TRIM by default, and FileVault was not particularly difficult to deal with. Advanced users could enable TRIM for their SSDs with TRIM Enabler 1.1, but this was not widespread. Then Apple released OS X Lion 10.7, and the game changed.

The new OS adds support for the ATA TRIM command, and it is turned ON by default for the SSDs Apple ships in its own machines (third-party drives still need a tool such as TRIM Enabler). TRIM lets the operating system tell the SSD which logical blocks no longer hold live data, so the drive's own garbage collection can erase those flash pages ahead of time instead of at the next write; that assists wear-levelling, reduces write amplification and keeps random write performance up. The forensic consequence: once the drive has processed a TRIM for a deleted file's blocks, delete really does mean delete. The blocks are no longer merely flagged as available in the file system; reading them commonly returns zeros (or, depending on the firmware, the old data only until garbage collection gets round to them), so carving deleted files out of unallocated space can no longer be relied upon.

OS X Lion also introduces "FileVault 2", which, instead of merely encrypting user home folders, now offers "Full Disk Encryption": the whole startup volume is encrypted, implemented as an encrypted Core Storage logical volume. On upgrade, existing FileVault users are offered a migration to "FileVault 2". The old home-folder FileVault, let's call it "FileVault 1", is still supported, but only for users who already had "FileVault 1" enabled. The new encryption method is XTS-AES with 128-bit keys. When "FileVault 2" is enabled, setup generates a recovery key, shows it to the user once and warns:

WARNING: You will need your login password or a recovery key to access your data. A recovery key is automatically generated as part of this setup. If you forget both your password and recovery key, the data will be lost.


Recovery key: CCQP-DDA3-XDSF-5656-UHGX-MTN8


Additionally, Apple now offers an option to store the recovery key with Apple (guarded by the answers to three security questions chosen at setup), which I am sure will be useful for both forgetful users and law enforcement.
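What an examiner wants before pulling the plug on a Lion box is a quick answer to the two questions above: is TRIM active on the SSD, and is the startup volume a FileVault 2 (encrypted Core Storage) volume that will need the password or recovery key, or a live acquisition while it is unlocked. The script below is an added example, not Apple's code and not part of the original post. It parses the text printed by system_profiler SPSerialATADataType and diskutil cs list; the sample outputs embedded in it are constructed and abbreviated, and the exact field names it keys on (TRIM Support, Encryption Type, and so on) are assumptions to confirm against a live 10.7 machine.

```python
"""Pre-imaging triage for an OS X Lion box: which SSDs have TRIM on, and
which Core Storage volumes are FileVault 2 encrypted.
Added example, not Apple's or the original post's code. Parses the text of
`system_profiler SPSerialATADataType` and `diskutil cs list`; the samples
below are CONSTRUCTED and abbreviated, and the field names are assumptions."""
import re
import subprocess

# Constructed: an Apple SSD (TRIM on by default) and a third-party SSD.
SAMPLE_SATA = """\
SATA/SATA Express:
    Intel 6 Series Chipset:
        APPLE SSD SM256C:
          Model: APPLE SSD SM256C
          BSD Name: disk0
          Medium Type: Solid State
          TRIM Support: Yes
        OCZ-VERTEX3:
          Model: OCZ-VERTEX3
          BSD Name: disk1
          Medium Type: Solid State
          TRIM Support: No
"""

# Constructed: one encrypted Core Storage logical volume (FileVault 2).
SAMPLE_CS = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 6D0A2C8B-0000-4000-8000-000000000001
    =========================================================
    Name:         Macintosh HD
    |
    +-> Logical Volume 6D0A2C8B-0000-4000-8000-000000000002
        ---------------------------------------------------
        Disk:               disk2
        Status:             Online
        LV Name:            Macintosh HD
        Content Hint:       Apple_HFS
        Encryption Status:  Unlocked
        Encryption Type:    AES-XTS
        Conversion Status:  Complete
"""

CS_FIELDS = {"Disk": "disk", "LV Name": "name",
             "Encryption Status": "encryption_status",
             "Encryption Type": "encryption_type",
             "Conversion Status": "conversion_status"}


def parse_trim_support(text):
    """Map BSD name (disk0, ...) -> True/False from the 'TRIM Support' line.
    Assumes 'BSD Name:' precedes 'TRIM Support:' within a drive's block;
    drives without a TRIM line (spinning disks) are left out."""
    result, bsd = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*BSD Name:\s*(\S+)", line)
        if m:
            bsd = m.group(1)
            continue
        m = re.match(r"\s*TRIM Support:\s*(Yes|No)", line)
        if m and bsd:
            result[bsd] = m.group(1) == "Yes"
            bsd = None
    return result


def parse_cs_volumes(text):
    """One dict per '+-> Logical Volume' block with the fields in CS_FIELDS
    (None when a field is absent)."""
    vols, cur = [], None
    for line in text.splitlines():
        if re.match(r"\s*\+->\s*Logical Volume\b", line):
            cur = dict.fromkeys(CS_FIELDS.values())
            vols.append(cur)
        elif cur is not None:
            m = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*?)\s*$", line)
            if m and m.group(1) in CS_FIELDS:
                cur[CS_FIELDS[m.group(1)]] = m.group(2)
    return vols


def triage(sata_text, cs_text):
    """What the examiner needs to know before pulling the plug or imaging."""
    trim = parse_trim_support(sata_text)
    # Unencrypted CS volumes are assumed to report 'Encryption Type: None'.
    encrypted = [v for v in parse_cs_volumes(cs_text)
                 if v["encryption_type"] not in (None, "None")]
    return {
        "trim_enabled_disks": sorted(d for d, on in trim.items() if on),
        "encrypted_volumes": [v["name"] for v in encrypted],
        # No password/recovery key means imaging live while it is unlocked.
        "needs_key_or_live_acquisition": bool(encrypted),
        # Trimmed blocks will not come back from unallocated space.
        "deleted_data_likely_trimmed": any(trim.values()),
    }


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    try:  # on a Mac read the live system; elsewhere fall back to the samples
        findings = triage(run(["system_profiler", "SPSerialATADataType"]),
                          run(["diskutil", "cs", "list"]))
    except FileNotFoundError:
        findings = triage(SAMPLE_SATA, SAMPLE_CS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run it on the live machine (the two tools are read-only) before deciding between a dead image and a live acquisition; if encrypted_volumes is non-empty and you have neither the login password nor the recovery key, a dead image of the physical disk will be ciphertext.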

Monday, July 18, 2011

Safeboot with EnCase or FTK

Both EnCase and FTK, in their current versions, work with SafeBoot Full Disk Encryption 4.x.
EnCase must be the 32-bit build (not 64-bit). According to Guidance Software support, SafeBoot 4.1 and later are not supported by EnCase. In reality, SafeBoot 4.1 decryption works just fine with EnCase 6.18 as long as one follows the detailed instructions.

FTK 3 officially supports SafeBoot 4.x and 5.x as well as McAfee Endpoint Encryption 6.x. There is no "32-bit only" limitation, because nothing extra (such as the SafeBoot tool) has to be installed.


Access to the SafeBoot server is required when working with both EnCase and FTK. There is no need to export or copy out any files for decrypting with FTK. For SafeBoot 4.x and 5.x the decryption key can be obtained by running the SbAdmCl.exe command-line tool on the SafeBoot server; its location varies from version to version.

SbAdmCl.exe -AdminUser:admin -AdminPwd:password -command:GetMachineKey -Machine:Machinename

To extract decryption keys for a whole group of computers, issue the same command with -Group:* in place of -Machine:Machinename.

The command returns the machine's encryption key(s), a 32-byte (256-bit) key for AES-encrypted machines, as a hex string; that hex string is what FTK asks for when the encrypted evidence files are added to the case.

In McAfee Endpoint Encryption 6.x the key is exported from the server using ePO (ePolicy Orchestrator); see the "Exporting the recovery information file from ePO" section of the McAfee EETech User Guide for details. Once the .xml file is exported, the base64 key located between <key> and </key> needs to be copied, base64-decoded and converted to hex; the result is the decryption key FTK asks for. An online "Base64 -> hexadecimal string decoder" will do that conversion, but pasting a live disk-encryption key into a third-party web page hands it to whoever runs that site, so decode it offline on the examiner's workstation instead.
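The offline decode, covering both key sources described above (the hex key printed by SbAdmCl.exe for SafeBoot 4.x/5.x, and the base64 key in the ePO recovery export for Endpoint Encryption 6.x), as an added example that is not McAfee's, AccessData's or the original post's code. The XML in it is constructed: only the <key> element holding base64 is taken from the post, the surrounding element names and the 32-byte key are made up, and whether SbAdmCl prints the key with any separators is an assumption.

```python
"""Decode the EEPC 6.x recovery key locally instead of via an online decoder.
Added example, not McAfee's, AccessData's or the original post's code.
SAMPLE_XML is CONSTRUCTED: only the <key> element holding base64 is taken
from the post; the other element names and the 32-byte key are made up."""
import base64
import binascii
import re

KEY_BYTES = bytes(range(32))  # constructed; never a real key

SAMPLE_XML = f"""<?xml version="1.0"?>
<RecoveryInfo>
  <machine>WS-0042</machine>
  <key>
    {base64.b64encode(KEY_BYTES).decode()}
  </key>
</RecoveryInfo>
"""

# Tolerates '< key >' spelled with spaces and any case, as in copied docs.
KEY_RE = re.compile(r"<\s*key\s*>(.*?)<\s*/\s*key\s*>", re.I | re.S)


def key_from_epo_xml(xml_text, expected_len=32):
    """Return the machine key as lowercase hex, the form FTK asks for.
    expected_len=32 assumes an AES-256 key; pass None to skip that check."""
    m = KEY_RE.search(xml_text)
    if not m:
        raise ValueError("no <key> element in the exported XML")
    b64 = re.sub(r"\s+", "", m.group(1))  # line breaks inside the value
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError(f"<key> is not valid base64: {e}") from None
    if expected_len is not None and len(raw) != expected_len:
        raise ValueError(f"key is {len(raw)} bytes, expected {expected_len}")
    return raw.hex()


def normalise_hex_key(text, expected_len=32):
    """Clean a hex key as printed by SbAdmCl.exe GetMachineKey or typed by
    hand: drop a 0x prefix, spaces, dashes and colons (whether SbAdmCl prints
    any separators is an assumption), check it is hex of the expected size."""
    cleaned = re.sub(r"[\s\-:]", "", text.strip())
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if not cleaned or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError("key is not hexadecimal")
    if expected_len is not None and len(cleaned) != 2 * expected_len:
        raise ValueError(f"key has {len(cleaned)} hex digits, "
                         f"expected {2 * expected_len}")
    return cleaned.lower()


if __name__ == "__main__":
    print("EEPC 6.x key from ePO export:", key_from_epo_xml(SAMPLE_XML))
    print("SafeBoot key, normalised:    ", normalise_hex_key("00-11-" * 16))
```

Feed the real exported .xml to key_from_epo_xml and paste its return value into FTK; the length check catches a half-copied key before you spend hours on a decrypt that will never verify.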

UPDATE: 16 August 2011
EnCase Version 6.19 has just been released. The new version adds support for McAfee Endpoint Encryption 6.0.