Doing it the HARD way!
Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time consuming steps and not change the data relevant to an investigation.
Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before VMWare will recognize them.
Here is a new and "improved" method that will result in a COMPLETE decrypted image without changing the original. It is more painful because more steps are involved, but it works. (Today). That being said, I STILL want PointSec, now called "End Point Security," to work with Guidance to create a driver that could be used to directly access the disk image and decrypt it in EnCase. This can't be rocket science, right? Let me add an encrypted image to the case, key in a password, and access the data.
- Use Helix or your other favorite method to acquire a raw image of the drive to be decrypted. (There is an open source version of Helix you can download for free, or you can purchase Helix Pro in order to have support, if your prefer.) [Watch for my upcoming blog on using dcfldd to acquire a raw image.]
- Use Live View to convert the raw image to a VMDK file. (You will have to have the correct versions of VMWare to read the VMDK. Live View will inform you what version of VMWare you should be running.)
- Acquire the PointSec recovery file from the administrator. (This whole process assumes that you have the administrator ID and password for an administrative install of PointSec. If you don't have that, you are reduced to a manual brute force attack. Good luck!)
- Using the PointSec recovery file, create Recovery Media. (Believe it or not, you need a real floppy disk to do this. Can't just create a raw floppy image. Go figure.)
- Create a raw image of the floppy disk in a file on the Windows hard drive using the following command:
dcfldd if=\.\A: of=filename.img
(requires you have dcfldd installed — available from sourceforge.com
If you use linux, refer to the floppy drive device (if=/dev/fd0 or as appropriate for your system) as the input file instead of the above syntax.)
- Copy the resulting floppy image to your VMWare server where you intend to decrypt the image.
- Open VMWare
- Select the VM created by Live View, but do NOT start the machine. (Note that you will not have to create a new virtual machine. Live View handles all that. But also note that Live View creates a snapshot and other files as well, which cannot be read directly into EnCase Forensic. That is why we must do the final acquisition with Helix in this process.)
- Add a floppy drive to the VM configuration and select the image created above as the floppy virtual drive. Make sure it will "Connect on Power On" so that the machine will boot to the floppy
10. Edit the CD Rom settings and set it to use an ISO image. Point to a copy of the Helix ISO image. (This is for acquiring the decrypted drive later, but will not be used for the decryption step.)
11. Start the Virtual Machine — it will boot to the floppy image.
12. Enter the requested PointSec administrator credentials and start the decrypt process. The VMDK image will be decrypted.
13. Once you have entered the credentials, the program begins decrypting the hard drive image, posting a % complete message as it goes.
14. Once decrypted, reboot the VM
15. Hit escape ONE TIME during boot to get Boot Menu. (If you hit escape too many times, VMWare will blow by the boot menu, but not to worry, because we have left the floppy image set up as the boot drive. That way the decrypted image will not boot and will, therefore, remain unchanged for maintaining Chain of Custody.)
16. Select CD-Rom from the boot menu to boot to the Helix CD-Rom.
17. Run Helix from the CD.
18. Insert a USB drive with enough spare space to receive the image from the "target" machine. You will mount it later. Helix is able to mount NTFS in read/write mode, so your portable drive can be formatted using NTFS.
19. Once Helix has booted up, use the VMWare toolbar option: VM/Removable Devices/USB Devices to select the USB drive for writing the acquired decrypted image.
20. Open a Terminal Session by clicking on the terminal icon in the Helix tool bar.
21. Execute the following command in order to get root prompt: sudo su —
22. Execute the following command in order to determine drive designations: fdisk —l [note that is dash lower case L, not I or 1]
23. Once the USB drive has been added to the VM, if it is formatted using NTFS, use the following command to mount the drive:
mount —t ntfs-3g /dev/sdx1 /media/sdx1 —o force
(substitute correct letter for x based on the results of your fdisk —l listing)
24. Create a directory on the USB drive to receive the image.
25. Change to the directory you just created.
26. Execute the following command in order to record disk parameters for the case: fdisk —l > fdisk.txt
27. Use the following command to acquire the image:
dcfldd if=/dev/sdx of=filename.img conv=noerror,sync hash=md5 hashlog=filename.img.md5
28. Once completed, for the record, do the following command to save the history of commands into file:
history > history.txt, then save the mount config in case anyone asks about that with:
mount > mount.txt
29. Now you have a raw, decrypted image that can be read into EnCase and properly acquired for analysis. Using this method, the original disk is untouched, and the only change to the disk image is that it was decrypted. This preserves proper Chain of Custody and avoids contamination of the evidence.
Whew, that was way too painful. In my next blog, I will share a method of "slaving" the target drive so that it can be acquired directly into EnCase with the hard disk left in its original state. Still not as easy as it ought to be, but much easier than the VMWare method. The only caveat is that the "Slave" method will allow us to image the decrypted partition(s), but will not allow decryption of the entire hard drive. So at some point, it may be necessary to use the method in this post, not the "Slave" method.
J. Michael Butler, GCFA Gold #00056, is an Information Security Consultant employed by a fortune 500 application service provider who processes approximately half of the $5 trillion of residential mortgage debt in the US. He is a certified computer forensics specialist. In addition, he authored the enterprise wide security incident management plan and information security policies for his corporation. He can be reached at jmbutler_1 at hotmail dot com.