The growing impact of full disk encryption on digital forensics

Eugen Leitl eugen at leitl.org
Mon Nov 21 01:28:44 PST 2011


http://www.sciencedirect.com/science/article/pii/S1742287611000727

The growing impact of full disk encryption on digital forensics

Eoghan Casey (a, corresponding author), Geoff Fellows (b), Matthew Geiger (c),
Gerasimos Stellatos (d)

a	cmdLabs, 1101 E. 33rd Street, Suite C301, Baltimore, MD 21218, United
States

b	LG Training Partnership, United Kingdom

c	CERT, United States

d	CACI International, United States

Received 16 March 2011; revised 17 September 2011; accepted 24 September
2011. Available online 6 November 2011.

Abstract

The increasing use of full disk encryption (FDE) can significantly hamper
digital investigations, potentially preventing access to all digital evidence
in a case. The practice of shutting down an evidential computer is not an
acceptable technique when dealing with FDE or even volume encryption because
it may result in all data on the device being rendered inaccessible for
forensic examination. To address this challenge, there is a pressing need for
more effective on-scene capabilities to detect and preserve encryption prior
to pulling the plug. In addition, to give digital investigators the best
chance of obtaining decrypted data in the field, prosecutors need to prepare
search warrants with FDE in mind. This paper describes how FDE has hampered
past investigations, and how circumventing FDE has benefited certain cases.
This paper goes on to provide guidance for gathering items at the crime scene
that may be useful for accessing encrypted data, and for performing on-scene
forensic acquisitions of live computer systems. These measures increase the
chances of acquiring digital evidence in an unencrypted state or capturing an
encryption key or passphrase. Some implications for drafting and executing
search warrants for dealing with FDE are discussed.

Keywords: Digital forensics; Full disk encryption; Hard drive encryption;
Volatile data; Memory forensics
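The abstract calls for on-scene capabilities to detect encryption before a
machine is powered off. As an added illustration (not code from the paper or
its authors), the Python below checks the first bytes of a volume for two
well-known container signatures (the LUKS magic at offset 0 and the BitLocker
"-FVE-FS-" OEM identifier at offset 3) and, when no signature matches, falls
back on a Shannon-entropy heuristic, since a volume with no recognisable
filesystem header and near-random content is consistent with header-less
encryption. The sample headers are constructed inline; the entropy threshold
and the 4096-byte sample size are assumptions chosen for this example.

```python
import hashlib
import math
import sys
from collections import Counter

# Known on-disk signatures of common encryption containers, as
# (offset within the volume header, magic bytes). Both values are
# documented formats; the dictionary is this example's own, not the paper's.
SIGNATURES = {
    "LUKS (Linux Unified Key Setup)": (0, b"LUKS\xba\xbe"),
    "BitLocker (Windows)": (3, b"-FVE-FS-"),
}

# Sample size and threshold are assumptions for this example. Entropy is
# capped at 8 bits/byte, and a random 4096-byte sample lands near 7.95, so
# 7.5 leaves headroom while rejecting boot sectors and text.
HEADER_SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_volume_header(header: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Return the matched container signature (if any) plus an entropy hint.

    A signature match is strong evidence; the entropy flag alone is only a
    hint, because header-less containers and wiped space both look random.
    """
    matched = None
    for name, (offset, magic) in SIGNATURES.items():
        if header[offset:offset + len(magic)] == magic:
            matched = name
            break
    ent = shannon_entropy(header)
    return {
        "signature": matched,
        "entropy": round(ent, 3),
        "likely_encrypted": matched is not None or ent >= threshold,
    }


def _pad(prefix: bytes, size: int = 512) -> bytes:
    """Pad a constructed header fragment with zeros to one sector."""
    return prefix + bytes(size - len(prefix))


# Constructed sample headers (not captured from real systems).
SAMPLE_LUKS = _pad(b"LUKS\xba\xbe" + b"\x00\x02")          # LUKS magic + version 2
SAMPLE_BITLOCKER = _pad(b"\xeb\x58\x90" + b"-FVE-FS-")      # x86 jump + BitLocker OEM ID
SAMPLE_NTFS = _pad(b"\xeb\x52\x90" + b"NTFS    ")           # plaintext NTFS boot sector
# Deterministic pseudo-random bytes standing in for a header-less container.
SAMPLE_RANDOM = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(HEADER_SAMPLE_BYTES // 32)
)


if __name__ == "__main__":
    # Usage: python fde_check.py /path/to/raw-image-or-block-device
    # Reads only the leading bytes; no write access to the evidence is needed.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            header = fh.read(HEADER_SAMPLE_BYTES)
        print(path, classify_volume_header(header))
    else:
        for label, sample in [("luks", SAMPLE_LUKS), ("bitlocker", SAMPLE_BITLOCKER),
                              ("ntfs", SAMPLE_NTFS), ("random", SAMPLE_RANDOM)]:
            print(label, classify_volume_header(sample))
```

On a live system this would be pointed at the raw device rather than an image,
and a positive result is the cue to prefer a live acquisition (memory and
mounted volumes) over pulling the plug. The entropy path is deliberately a
hint only: a signature identifies the container, entropy merely says the
bytes do not look like any plaintext filesystem.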
