Saturday, August 24, 2013

[Forensics] Acquire a hard drive encrypted by McAfee SafeBoot version 6

Encrypted hard drives are a challenge for a forensicator performing an acquisition; it is a challenge I face every day. Some of my clients request the acquisition of encrypted hard drives at the very last minute, or without any technical information about the encryption. With a limited timeframe, nothing beats being well prepared in advance.

If a hard drive is simply taken out of the laptop or desktop case and connected to a forensic workstation via a write-blocker (or to a forensic device such as a Tableau duplicator) to create a forensic image, the data in that image is still in its encrypted state: when the image is mounted in forensic tools, you usually see an unknown file system or unallocated space with no actual data.

I had a chance to acquire a hard drive encrypted by McAfee SafeBoot version 6. EnCase version 7 includes the EnCase Decryption Suite (EDS), which can detect whether a mounted media or forensic image is encrypted. If EDS detects encryption by one of its supported encryption applications (such as McAfee SafeBoot), it prompts a window asking for credentials to unlock the decryption. Note: unlocked means that you can read the file structure in the Tree pane. When you right-click the physical hard drive icon and select Acquire to create another E01, the new E01 contains the data in decrypted state. I think this is the optimal method.

However, for various reasons you might not be able to obtain the encryption recovery key or credentials easily. Here is another method.

1. Ask the end-user to provide his Windows login credentials.
2. Log in to the Windows OS.
3. Ensure the account is in the local Administrators group.
4. Download FTK Imager (free edition) from http://www.accessdata.com/support/product-downloads to a USB drive.
5. Run FTK Imager from the USB drive and mount the hard drive as a physical drive.
6. View the file structure in the Tree pane; it is decrypted if you can read actual files (export a file to the USB drive and open it with its associated application, e.g. a .docx in Word).
7. Connect a new hard drive to store the acquired image files.
8. Export the drive image to E01 in FTK Imager and store it on the new hard drive.
9. Verify it and try to mount the E01 in other forensic tools.
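As an added example (not from the original post), here is a small Python check that supports step 9 and the earlier point that an encrypted volume shows up as an unknown file system: it parses the MBR of a raw (dd-style) image, looks for a filesystem signature in each partition's boot sector, and measures the entropy of the partition's first bytes. It assumes an MBR-partitioned disk and a raw image (an E01 would first need to be exported or mounted as raw); build_sample_image constructs a synthetic disk purely for demonstration.

```python
import math
import random
import struct
from collections import Counter

SECTOR = 512
FS_SIGNATURES = {b"NTFS    ": "NTFS", b"EXFAT   ": "exFAT",   # OEM IDs at VBR offset 3
                 b"MSDOS5.0": "FAT", b"MSWIN4.1": "FAT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means random-looking (ciphertext or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def mbr_partitions(img: bytes):
    """Return (start_sector, sector_count) for the used primary MBR entries."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0 and count:                  # entry[4] is the partition type
            parts.append((start, count))
    return parts

def classify_volumes(img: bytes, sample_bytes: int = 64 * 1024):
    """Per partition: VBR signature and entropy of the first bytes. No signature and
    entropy near 8.0 is what a forensic tool shows as unknown file system / unallocated."""
    results = []
    for start, count in mbr_partitions(img):
        off = start * SECTOR
        fs = FS_SIGNATURES.get(img[off + 3: off + 11])
        ent = shannon_entropy(img[off: off + min(sample_bytes, count * SECTOR)])
        verdict = "readable" if fs else ("likely encrypted" if ent > 7.5 else "unknown")
        results.append({"start": start, "fs": fs, "entropy": round(ent, 2), "verdict": verdict})
    return results

def build_sample_image() -> bytes:
    """Constructed test disk (not a real acquisition): an NTFS partition plus a
    partition of random bytes standing in for ciphertext."""
    mbr = bytearray(SECTOR)
    for i, (start, count) in enumerate([(1, 128), (129, 128)]):   # type 0x07 = NTFS/exFAT
        mbr[446 + 16 * i: 462 + 16 * i] = struct.pack("<B3sB3sII", 0, b"", 0x07, b"", start, count)
    mbr[510:512] = b"\x55\xaa"
    ntfs = bytearray(128 * SECTOR)
    ntfs[0:11] = b"\xeb\x52\x90NTFS    "                         # NTFS VBR jump + OEM ID
    scrambled = random.Random(7).randbytes(128 * SECTOR)
    return bytes(mbr) + bytes(ntfs) + scrambled
```

Run classify_volumes on a raw image taken from a locked-out drive and on the image exported after step 8 to see the difference: the first reports "likely encrypted" for the data partitions, the second reports the filesystem by name.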

Unfortunately, this FTK Imager method does not work for imaging a Microsoft BitLocker-enabled drive. I'll explain in another article.

Disclaimer: This article is for reference only. Please test it before applying it to an actual scenario; the author accepts no liability for any damage caused.

