Thursday, July 16, 2009

Drive encryption

Target drive encryption is not a standard practice. The question is: should it be?

First, some assumptions.
  • The source drive is not encrypted.
Now let's evaluate some scenarios.

1) You're an intrusion examiner. You are investigating PII data theft, and the computer you happen to be imaging for the case contains 200,000 SSNs. You're imaging data handled by the custodian: the PII of 200,000 individuals nationwide. This now legally makes you the custodian of that data. Your image isn't encrypted; there's only one tool I know of that encrypts images. If the target drive gets stolen, say goodnight to your livelihood. Errors and Omissions insurance won't cover the cost of notification, credit monitoring and lawsuits.

Should you encrypt the drive?

2) You're a forensic examiner. You are investigating an IP theft case. You image a drive from a laptop. The data on the drive is considered to be worth millions to the company. You are now in possession of this very important data that belongs to someone else.

Should you encrypt the drive?

Asset theft is a pretty common occurrence, and thefts tend to be opportunistic. Backup tapes, hard drives, laptops, USB keys, BlackBerries... all have been stolen or lost.

As forensic examiners we are the custodians of a lot of other people's stuff. We compile images of a lot of private information and store them in an unencrypted format. The questions in my mind are: does chain of custody trump the need for full disk or image encryption? Should target drives/images be encrypted as an industry standard?

What do you think?
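As an added illustration (not part of the original post) of why image encryption need not conflict with chain of custody: the acquisition hashes are recorded against the plaintext image, the image is then sealed in an authenticated container, and after decryption the same hashes must verify before anyone works on it. The cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag, built from the Python standard library only so it runs anywhere; it stands in for the AES-based container a real tool (TrueCrypt, LUKS, an encrypting E01 writer) would provide, and the sample image, passphrase and iteration count are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a raw (dd-style) acquisition; not a real image.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample sector holding PII\n" + b"\xff" * 512


def acquisition_hashes(image: bytes) -> dict:
    """Hashes recorded on the chain-of-custody form at acquisition time."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    # Separate encryption and authentication keys from one passphrase (iteration count is illustrative).
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (demo substitute for AES).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_image(image: bytes, passphrase: str, salt: bytes = b"", nonce: bytes = b"") -> bytes:
    """Encrypt-then-MAC container: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(image, _keystream(enc_key, nonce, len(image))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt_image(blob: bytes, passphrase: str) -> bytes:
    """Return nothing unless the tag verifies: a silently altered image is worse than no image."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or tampered container")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def custody_intact(image: bytes, recorded: dict) -> bool:
    """Chain-of-custody check: the decrypted image must hash to the acquisition values."""
    return acquisition_hashes(image) == recorded
```

A tampered or mis-keyed container fails closed at the tag check, and an intact one hands back an image whose MD5/SHA-256 match the form filled out at acquisition, so encryption at rest and the custody record reinforce each other rather than conflict.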

2 comments:

Anonymous said...

Hi Hogfly,

What tool do you use to encrypt images? In terms of EnCase image files, what about password protecting the first E01 file? Wouldn't this provide a fair amount of protection?

du212 said...

I think it should. Especially as that target data is almost always in transit between a client site and lab site.

At the simplest level one could implement HDAT drive locking. This is not drive or data encryption.

The next step could be to preconfigure a hard drive with a TrueCrypt volume and write your acquisition data to that volume.

Finally one could use hardware technology such as ImageMasster Disk Cypher.