pclab
Forum Moderator
Posts: 1753
Joined: Tue Jan 13, 2015 4:55 pm

Spotting Full Disk Encryption

Mon Sep 26, 2016 9:29 am

With data breaches and data security pushed into the news on a seemingly daily basis, we expect today’s digital investigators to be faced with encryption technology more frequently. For those with something to hide, the use of strong encryption has been widely promoted. For those with data they would like to protect, the use of strong encryption is becoming more commonplace by the day. Most enterprises know full disk and file-level encryption is a necessity if you have something worth protecting. Underlining the trend, Windows 8.1 has designs in place to enable BitLocker encryption by default when appropriate hardware is present. One of the strengths of EnCase over the years has been the ability to identify encryption and decrypt evidence in place, exposing data for investigation, without altering its contents.

If you’ve ever peered into the abyss of encrypted unallocated clusters, you’ll know that it is not always obvious what type of encryption you are dealing with. There are times when the data at rest is not able to be automatically decrypted by EnCase. To that end, the helpful Technical Services Engineers at Guidance Software have put together this helpful primer, to aid and help you identify a variety of different types of encryption in the wild. Take a look and let us know if you have questions or your own unhelpful encrypted clusters staring back at you.

Most full disk encryption products make amendments to either the Master Boot Record (MBR) or the Volume Boot Record (VBR) to point to and execute its code, in order to allow decryption of the data. Some products may replace these entirely. In each case, there is often an identifier added that relates to the encryption product used. Below are the identifiers used for the encryption products supported by EnCase. Those not supported may follow a similar pattern.

Check Point Full Disk Encryption

At sector offset 90 of the VBR, the product identifier "Protect" can be found. Hex value "50 72 6F 74 65 63 74"



For details on how to use EnCase to decrypt Check Point Full Disk Encryption, please see https://support.guidancesoftware.com/node/3464 (registration required)

GuardianEdge Encryption Plus/Anywhere/Hard Disk Encryption and Symantec Endpoint Encryption

At sector offset 6 MBR, the product identifier "PCGM" can be found. Hex value "50 43 47 4D"



McAfee Safeboot/Endpoint Encryption

At sector offset 3 MBR, the product identifier "Safeboot" can be found. Hex value "53 61 66 65 42 6F 6F 74"



For details on how to use EnCase to decrypt McAfee Endpoint Encryption, please see https://support.guidancesoftware.com/node/3463

For details on how to use EnCase to decrypt McAfee Safeboot, please see https://support.guidancesoftware.com/node/1551

Microsoft Bitlocker/Bitlocker to Go

For Windows Vista, at sector offset 0 of the VBR for the Bitlocker partition, the product identifier "ëR|¬-FVE-¬FS-" can be found. Hex value "EB 52 90 2D 46 56 45 2D 46 53 2D"



For Windows 7/8, at sector offset 0 of the VBR for the Bitlocker partition, the product identifier "ëX¬|-FVE-FS-" can be found. Hex value "EB 58 90 2D 46 56 45 2D 46 53 2D"



For details on how to use EnCase to decrypt Microsoft Bitlocker/Bitlocker To Go, please see https://support.guidancesoftware.com/node/3737 (registration required)

Sophos Safeguard Enterprise and Safeguard Easy

For Safeguard Enterprise, at sector offset 119 of the MBR, the product identifier "SGM400" can be found. Hex value "53 47 4D 34 30 30 3A"



For Safeguard Easy, at sector offset 144 of the MBR, the product identifier "SGE400" can be found. Hex value "53 47 45 34 30 30 3A"



For details on how to use EnCase to decrypt Sophos Safeguard Easy/Enterprise, please see https://support.guidancesoftware.com/node/1558

Symantec PGP Whole disk Encryption

At sector offset 3 MBR, the product identifier "ëH|PGPGUARD" can be found. Hex value "EB 48 90 50 47 50 47 55 41 52 44"



For details on how to use EnCase to decrypt Symantec PGP, please see https://support.guidancesoftware.com/node/1863

WinMagic SecureDoc Full Disk Encryption

At sector offset 246 MBR, the product identifier "WMSD" can be found. Hex value "57 4D 53 44"



For details on how to use EnCase to decrypt WinMagic SecureDoc, please see https://support.guidancesoftware.com/node/1794

Apple FileVault

At sector offset 0 of the container, the product identifier "encrdsa" can be found. Hex value "65 6E 63 72 63 64 73 61"



For details on how to use EnCase with Apple FileVault 1, please see https://support.guidancesoftware.com/node/3739

Dell Data Protection (Credant Mobile Guardian)

As Credant Mobile Guardian encrypts the files and folders and doesn't encrypt the system files, the MBR and VBR do not appear to be modified. EnCase searches for the CredDB.CEF file to determine if any of the files are encrypted with Credant Mobile Guardian.

For details on how to use EnCase to decrypt Credant Mobile Guardian, please see https://support.guidancesoftware.com/node/1554

Microsoft Encrypting File System

As the Microsoft Encrypting File System (EFS) encrypts files and folders and doesn't encrypt system files, the MBR and VBR do not appear to be modified. Files that have been encrypted with EFS will have a corresponding EFS stream which is visible in EnCase. This will be the name of the file with $EFS appended.



You may be able to run a search (GREP, for example) to search for the hex values above, or for the $EFS, to help determine which product has been used. It is not possible to determine from these the exact version.

From:
Digital Forensics Today Blog
www.pclab.com.pt
facebook.com/PCLAB.Assistencia.Tecnica
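An added example, not code from the post or from Guidance Software, that applies the identifiers above to a raw 512-byte sector in Python. The byte sequences are the hex values quoted in the post (note the FileVault hex decodes to "encrcdsa" and the Sophos hex carries a trailing ':' byte 3A that the quoted string omits); the sample sectors are constructed here, and the product names are my own labels.

```python
# Added example (not from the post or Guidance Software): match an MBR/VBR
# sector against the product identifiers listed above. Byte values are the hex
# quoted in the post; sample sectors are constructed, not taken from evidence.
from __future__ import annotations
from dataclasses import dataclass

SECTOR_SIZE = 512

@dataclass(frozen=True)
class Signature:
    product: str
    region: str   # "MBR", "VBR" or "container": the sector that carries the identifier
    offset: int   # byte offset of the identifier within that sector
    magic: bytes

SIGNATURES = (
    Signature("Check Point Full Disk Encryption", "VBR", 90, bytes.fromhex("50726F74656374")),
    Signature("GuardianEdge / Symantec Endpoint Encryption", "MBR", 6, bytes.fromhex("5043474D")),
    Signature("McAfee Safeboot / Endpoint Encryption", "MBR", 3, bytes.fromhex("53616665426F6F74")),
    Signature("Microsoft BitLocker (Vista)", "VBR", 0, bytes.fromhex("EB52902D4656452D46532D")),
    Signature("Microsoft BitLocker (Windows 7/8)", "VBR", 0, bytes.fromhex("EB58902D4656452D46532D")),
    Signature("Sophos SafeGuard Enterprise", "MBR", 119, bytes.fromhex("53474D3430303A")),
    Signature("Sophos SafeGuard Easy", "MBR", 144, bytes.fromhex("5347453430303A")),
    Signature("Symantec PGP Whole Disk Encryption", "MBR", 3, bytes.fromhex("EB48905047504755415244")),
    Signature("WinMagic SecureDoc", "MBR", 246, bytes.fromhex("574D5344")),
    Signature("Apple FileVault (encrypted disk image)", "container", 0, bytes.fromhex("656E637263647361")),
)

def identify(sector: bytes, region: str) -> list[str]:
    """Products whose identifier sits at its documented offset in this sector.
    File-level products (EFS, Credant) leave the MBR/VBR untouched and never match here."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    return [s.product for s in SIGNATURES
            if s.region == region and sector[s.offset:s.offset + len(s.magic)] == s.magic]

def sweep(data: bytes) -> list[tuple[str, int]]:
    """GREP-style fallback as the post suggests: find any known identifier anywhere in
    data (e.g. unallocated clusters, where the offset is unknown). Returns (product, offset)."""
    hits = []
    for s in SIGNATURES:
        pos = data.find(s.magic)
        while pos != -1:
            hits.append((s.product, pos))
            pos = data.find(s.magic, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def constructed_sector(magic: bytes, offset: int) -> bytes:
    """Constructed sample: zero-filled sector with the magic planted and a 55 AA boot marker."""
    buf = bytearray(SECTOR_SIZE)
    buf[offset:offset + len(magic)] = magic
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)

if __name__ == "__main__":
    vbr = constructed_sector(bytes.fromhex("EB58902D4656452D46532D"), 0)
    print(identify(vbr, "VBR"))
    print(sweep(b"\x00" * 100 + b"SafeBoot" + b"\x00" * 20 + b"WMSD"))
```

As the post says, a match tells you the product family, not the exact version.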

osity
Data Recovery Noob
Posts: 3
Joined: Wed Dec 14, 2016 5:33 pm

Spotting Full Disk Encryption

Mon Oct 05, 2020 6:27 pm

Nice info, thanks for the post.

Jared
Forum Admin
Posts: 3827
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI

Spotting Full Disk Encryption

Mon Oct 12, 2020 3:36 pm

I've moved this topic to the "Data Recovery Tutorials" section. Nice resource! Thanks for sharing. :D

pclab
Forum Moderator
Posts: 1753
Joined: Tue Jan 13, 2015 4:55 pm

Spotting Full Disk Encryption

Tue Oct 13, 2020 3:36 am

It's been here since 2016 haahhaha
www.pclab.com.pt
facebook.com/PCLAB.Assistencia.Tecnica

Jared
Forum Admin
Posts: 3827
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI

Spotting Full Disk Encryption

Thu Oct 22, 2020 8:31 am

Yes, but since it was woken up by a comment I realized it should have been moved to an easier to find spot.

abedalkareem
Experienced DR Tech
Posts: 217
Joined: Mon Aug 31, 2015 12:57 pm
Location: Amman - Jordan

Spotting Full Disk Encryption

Sun Oct 25, 2020 6:04 am

many thanks for the valuable information Nuno
