The impact of full disk encryption on digital forensics
暂无分享,去创建一个
The integration of strong encryption into operating systems is creating challenges for forensic examiners, potentially preventing us from recovering any digital evidence from a computer. Because strong encryption cannot be circumvented without a key or passphrase, forensic examiners may not be able to access data after a computer is shut down, and must decide whether to perform a live forensic acquisition. In addition, with encryption becoming integrated into the operating system, in some cases, virtualization is the most effective approach to performing a forensic examination of a system with FDE. This paper presents the evolution of full disk encryption (FDE) and its impact on digital forensics. Furthermore, by demonstrating how full disk encryption has been dealt with in past investigations, this paper provides forensics examiners with practical techniques for recovering evidence that would otherwise be inaccessible.
[1] Ewa Huebner,et al. Computer Forensic Analysis in a Virtual Environment , 2007, Int. J. Digit. EVid..
[2] Eoghan Casey,et al. What does "forensically sound" really mean? , 2007, Digit. Investig..
[3] Eoghan Casey. Practical Approaches to Recovering Encrypted Digital Evidence , 2002, Int. J. Digit. EVid..
[4] Eoghan Casey,et al. Tool review - remote forensic preservation and examination tools , 2004, Digit. Investig..