SANS Digital Forensics and Incident Response Blog: Tag - Chain of Custody

PointSec Decryption - A Case for Decryption of the Original

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption, which involved the use of VMware and a virtual image of the encrypted drive.

Keeping Evidence Safe for Litigation

You have an incident. You have collected hard drives, USB drives, thumb drives, and PDAs. You made bit-for-bit images of all of them. Now, what do you do with the originals to ensure chain of custody?

First, make sure they are all stored inside static-free bags, such as those in which hard drives are packaged when new. It is possible to obtain static-free evidence bags, but the easiest thing to do is to use a plain static-free bag to wrap the device, then store the device, bag and all, inside an ordinary plastic evidence bag. Such bags are available from companies that sell them to law enforcement. Just Google "Evidence Bags" for lots of choices. Here are the bags we use in my organization: