SANS Digital Forensics and Incident Response Blog: Tag - Virtual

23 Jan 2009

PointSec Decryption - A Case for Decryption of the Original

1 comments Posted by jmbutler1
Filed under Computer Forensics, Digital Forensic Law, Drive Encryption, Evidence Acquisition, Evidence Analysis

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption which involved the use of VMWare and a virtual image of the encrypted drive.

Latest Blog Posts

Investigating WMI Attacks
February 09, 2019 - 4:53 AM

Investigate and fight cyberattacks with SIFT Workstation
January 11, 2019 - 8:49 PM

Gamble? Not with your future
January 11, 2019 - 6:32 PM

Latest Tweets @sansforensics

Join @chadtilbury to learn about Investigating WMI Attacks, [...]
February 16, 2019 - 7:15 PM

Blog by @EricRZimmerman: KAPE v0.8.1.0 released! #DFIR
February 16, 2019 - 7:05 PM

I have not encountered a Mac class this in-depth that covers [...]
February 16, 2019 - 4:01 PM

Latest Papers

Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers
By Seth Enoka

Using Image Excerpts to Jumpstart Windows Forensic Analysis
By John Brown

Windows 10 as a Forensic Platform
By Ferenc Kovacs

"The class provided in-depth, real world, hands-on information."
- Robert Dale Drollinger, General Dynamic

"This course ROCKS! You can not call yourself a Forensics expert without taking the course from Rob Lee!."
- Ernie Hernandez, Prosoft

"This course is valuable to Law Enforcement professionals that conduct computer crime investigations."
- Reggie Harris, Federal Agent - DPE, OIG