SANS Digital Forensics and Incident Response Blog: Tag - Virtual

23 Jan 2009

PointSec Decryption - A Case for Decryption of the Original

1 comments Posted by jmbutler1
Filed under Computer Forensics, Digital Forensic Law, Drive Encryption, Evidence Acquisition, Evidence Analysis

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption which involved the use of VMWare and a virtual image of the encrypted drive.


Tags: Chain of Custody, Decryption, EnCase, LiveView, metadata, PointSec, Raw Image, Virtual, VMDK, VMWare
Share

Categories
Recent Posts
Archives
Links
Latest Blog Posts

A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code
April 16, 2019 - 2:59 PM

A few Ghidra tips for IDA users, part 0 - automatic comments for API call p [...]
April 16, 2019 - 2:40 PM

SANS Threat Hunting and Incident Response Summit 2019 Call for Speakers – D [...]
April 08, 2019 - 7:31 PM

Latest Tweets @sansforensics

The Summit was awesome. It had tons of very relevant topics [...]
April 20, 2019 - 8:40 PM

Every analyst must have the core skills necessary to investi [...]
April 20, 2019 - 2:20 PM

Want to write better? Check out #SEC402 in NYC with @lennyze [...]
April 20, 2019 - 2:20 PM

Latest Papers

Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers
By Seth Enoka

Using Image Excerpts to Jumpstart Windows Forensic Analysis
By John Brown

Windows 10 as a Forensic Platform
By Ferenc Kovacs

"The class provided in-depth, real world, hands-on information."
- Robert Dale Drollinger, General Dynamic

"Forensics is a lot more than just imaging a drive."
- Joseph Fresch, Guaranty Bank

"Rob Lee is a master of the subject matter. The material is presented in a way that is understandable. Rob is also charismatic enough to make the course enjoyable."
- Erik Ketlet, JP Morgan Chase