Sciweavers

EUROSEC
2008
ACM

A methodology for the repeatable forensic analysis of encrypted drives

14 years 2 months ago
A methodology for the repeatable forensic analysis of encrypted drives
In this paper we propose a sound methodology to perform the forensic analysis of hard disks protected with whole-disk encryption software, supposing to be in possession of the appropriate encryption keys. We demonstrate how to create a forensically sound clone-copy of the seized media, and how to access the information contained in the media in a repeatable way, minimizing the usage of unverified and proprietary software. We discuss the impact of such encryption solutions on the capability of forensic analysis software to reconstruct deleted files. We propose and perform scientific tests for validating each step of our proposed procedure. Categories and Subject Descriptors K.5.m [Legal Aspects of Computing]: Miscellaneous-computer forensics; K.6.5 [Management of Computing and Information Systems]: Security and Protection-Unauthorized access (e.g., hacking, phreaking); E.5 [Files]: [Organization/structure] General Terms Documentation, Experimentation, Legal Aspects Keywords Computer fo...
Cory Altheide, Claudio Merloni, Stefano Zanero
Added 19 Oct 2010
Updated 19 Oct 2010
Type Conference
Year 2008
Where EUROSEC
Authors Cory Altheide, Claudio Merloni, Stefano Zanero
Comments (0)