Full Disk Encryption

profile
Aditi Kute
Feb 11, 2024

Abstract:

As the reliance on digital storage and communication grows, the need for robust security measures becomes paramount. Full Disk Encryption (FDE) has emerged as a fundamental tool to protect sensitive information on storage devices. This research paper delves into the intersection of Full Disk Encryption and Digital Forensics, exploring the challenges, opportunities, and implications that FDE poses for digital forensic investigations. The paper discusses the impact of FDE on data acquisition, analysis, and interpretation, highlighting both the benefits and obstacles faced by digital forensic experts. Additionally, potential advancements and best practices in adapting forensic methodologies to handle FDE-protected systems are examined.

 

Introduction

Full Disk Encryption (FDE) is a security measure that encrypts the entire contents of a storage device, rendering it inaccessible without the correct decryption key. While FDE enhances data security, it presents unique challenges for digital forensic investigators aiming to retrieve and analyze information from encrypted devices.

Digital evidence plays a crucial role in modern investigations, offering insight into criminal activity and misconduct. The widespread adoption of FDE has complicated its collection: investigators rely on access to unencrypted data to recover files and reconstruct events, and a seized encrypted drive yields none of that without the key.

 

Full Disk Encryption

Full-disk encryption (FDE) protects data at rest by encrypting every sector of a disk or volume below the file system, either in software (a driver in the OS) or in the controller of a self-encrypting drive. Everything written to the drive, including the operating system itself, swap and hibernation files, is encrypted transparently, so nothing on the disk is readable without the key.

Disk-level encryption keeps data out of the wrong hands when a device leaves the organization's control, and it is a standard control for organizations that must satisfy data-protection regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR).

FDE is especially useful for desktops, laptops and mobile devices that can be physically lost or stolen: a thief who takes the device obtains only ciphertext. Because a single volume key protects the whole drive and that key is itself unlocked by the user's credential, administrators must enforce a strong password or passphrase policy (or bind the key to a TPM) and escrow a recovery key in case an employee forgets the password or leaves the company unexpectedly.

FDE works by automatically converting the data on a drive into a form that cannot be understood by anyone who does not hold the key to undo the conversion: readable plaintext becomes ciphertext, and ciphertext is turned back into plaintext only when the correct key is supplied. Without that key the data stays inaccessible even if the drive is removed and placed in another machine. The encryption is performed by software in the operating system or by hardware in the drive itself. Note that the boot code (the master boot record or EFI boot loader that starts the OS loading sequence) must stay in plaintext on most systems so that pre-boot authentication can run, so not every byte of such a drive is encrypted; that unencrypted boot code is the part that needs integrity protection, which is why FDE is usually paired with Secure Boot or TPM-measured boot.

FDE is usually built into the operating system rather than added afterwards. On Windows it is provided by BitLocker, which is included in the Pro, Enterprise and Education editions; on macOS it is provided by FileVault. Neither recovers a forgotten password. Instead, each generates a recovery key when encryption is turned on: BitLocker can escrow its recovery key to Active Directory (or Microsoft Entra ID, formerly Azure AD), and FileVault can optionally store its recovery key in iCloud or under an institutional recovery key. Windows also offers Device Encryption, a fixed BitLocker configuration that is enabled automatically on devices whose hardware meets its requirements, including a TPM.
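The key hierarchy described in the last three paragraphs (one volume key for the whole disk, unlocked through a password protector or a recovery key protector) can be modelled in a few dozen lines. The following is an added example written for this page, not code from BitLocker, FileVault or any other product: real FDE encrypts sectors with AES in XTS mode, whereas this model uses an HMAC-SHA256 counter-mode keystream so that it runs with the Python standard library alone. It shows why a password can be rotated without re-encrypting the disk, why the same plaintext encrypts differently in different sectors, and why losing both the password and the recovery key means the data is gone. The PBKDF2 iteration count and the recovery-key length are assumptions.

```python
"""Toy model of a full-disk-encryption key hierarchy (added example, stdlib only).

The structure mirrors BitLocker/FileVault/LUKS: a random volume key (DEK)
encrypts every sector, and the DEK itself is stored on disk only in wrapped
form, once per "key protector" (user password, recovery key, ...).
The sector cipher here is HMAC-SHA256 in counter mode, NOT AES-XTS as real
products use; do not use this to protect real data.
"""
import hashlib
import hmac
import os

SECTOR_SIZE = 512
KDF_ITERATIONS = 100_000  # assumption: PBKDF2 rounds for password-derived keys


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """PRF(key, sector_no || counter): the sector number plays the role of the
    XTS tweak, so identical plaintext in two sectors yields different ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _protector_key(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key (KEK) derived from a password or a recovery key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, dklen=32)


class EncryptedVolume:
    """The DEK is held in memory only while unlocked; on "disk" it exists solely
    wrapped under each protector, with an HMAC tag so a wrong secret is rejected
    rather than silently producing garbage."""

    def __init__(self, n_sectors: int):
        self._dek = os.urandom(32)
        self.sectors = [b"\x00" * SECTOR_SIZE for _ in range(n_sectors)]
        self.protectors = {}  # name -> (salt, wrapped_dek, tag)

    def add_protector(self, name: str, secret: bytes) -> None:
        salt = os.urandom(16)
        kek = _protector_key(secret, salt)
        wrapped = _xor(self._dek, _keystream(kek, 0, 32))
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        self.protectors[name] = (salt, wrapped, tag)

    def remove_protector(self, name: str) -> None:
        del self.protectors[name]

    def write_sector(self, sector_no: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR_SIZE
        self.sectors[sector_no] = _xor(plaintext, _keystream(self._dek, sector_no, SECTOR_SIZE))

    def unlock(self, name: str, secret: bytes) -> bytes:
        """Recover the DEK from one protector; raises PermissionError on a wrong secret."""
        salt, wrapped, tag = self.protectors[name]
        kek = _protector_key(secret, salt)
        expected = hmac.new(kek, wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError(f"protector {name!r}: wrong secret")
        return _xor(wrapped, _keystream(kek, 0, 32))

    def read_sector(self, sector_no: int, dek: bytes) -> bytes:
        return _xor(self.sectors[sector_no], _keystream(dek, sector_no, SECTOR_SIZE))


def demo() -> dict:
    vol = EncryptedVolume(n_sectors=4)
    vol.add_protector("password", b"correct horse battery staple")
    recovery_key = os.urandom(24)  # assumption: 24 random bytes, escrowed to AD/iCloud
    vol.add_protector("recovery", recovery_key)
    secret = b"PATIENT RECORD 0042".ljust(SECTOR_SIZE, b"\x00")  # constructed sample data
    vol.write_sector(1, secret)
    vol.write_sector(2, secret)  # same plaintext, different sector

    result = {}
    result["ciphertext_differs_per_sector"] = vol.sectors[1] != vol.sectors[2]
    result["plaintext_visible_on_disk"] = secret in vol.sectors
    try:
        vol.unlock("password", b"wrong")
        result["wrong_password_rejected"] = False
    except PermissionError:
        result["wrong_password_rejected"] = True
    # Password rotation only re-wraps the DEK; no sector is re-encrypted.
    before = list(vol.sectors)
    vol.remove_protector("password")
    vol.add_protector("password", b"new passphrase")
    result["sectors_untouched_after_rotation"] = vol.sectors == before
    dek = vol.unlock("recovery", recovery_key)
    result["recovery_key_reads_plaintext"] = vol.read_sector(1, dek) == secret
    # Lose the password and the recovery key: nothing left can yield the DEK.
    vol.remove_protector("password")
    vol.remove_protector("recovery")
    result["protectors_left"] = len(vol.protectors)
    return result
```

The point to take from the model is operational: escrowing the recovery protector is what makes "forgot the password" and "employee left" survivable, and the escrow store (Active Directory, iCloud, an MDM) becomes the place investigators and administrators both go for the key.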

 

FORENSIC ACQUISITION OF FULLY ENCRYPTED DISKS

Forensic professionals continue to struggle with full-disk encryption. Evidence on an encrypted volume cannot be examined without first decrypting it. The standard procedure had always been to power the system off, remove the disks, image them through a write blocker and then analyze the image files; applied to a fully encrypted drive, that procedure yields only ciphertext, the stored data cannot be located, and the investigative options shrink to obtaining the key.

Forensic imaging is one of the most important procedures in a digital forensic investigation. It produces a bit-for-bit copy of the complete drive, including unallocated space and slack, rather than a file-level backup. The image is a file (a raw "dd" image or a container format such as E01) holding everything on the drive, boot code included. Analysis is done on the image file itself, loaded into a forensic tool or mounted read-only; an image can also be restored onto a blank drive with an imaging program when a working clone is needed, but never written back onto the original. Several images can be kept on one large hard drive, and high-capacity flash drives can also hold them.

FTK Imager, a free (though not open-source) tool from AccessData, now Exterro, duplicates the original evidence without changing it. Because the original is never modified, the image can be copied and subjected to further analysis as often as needed. FTK Imager also includes an integrity check: it hashes the source as it is read and the finished image afterwards (MD5 and SHA-1 by default) and reports whether the two match, which is the proof that the image is faithful to the evidence.
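The imaging-with-verification loop described above is simple enough to show in full. The block below is an added example written for this page, not FTK Imager's code: it copies a source device chunk by chunk while hashing it, hashes the finished image, records both values in an acquisition log, and zero-fills and logs any range the source refuses to read (the usual imaging-tool behaviour on bad media) instead of aborting. It assumes the source is attached through a write blocker, so it only ever opens the source for reading; a temporary file stands in for the evidence drive, and the `read_fn` hook exists only so that an I/O error can be simulated.

```python
"""Forensic imaging with hash verification (added example, stdlib only).

Hash the source as it is read, write it to an image file, hash the image and
record both so the copy can be re-verified later. Unreadable ranges are
zero-filled and logged rather than aborting the acquisition.
Assumption: the source sits behind a write blocker; it is opened read-only.
"""
import hashlib
import os
import tempfile

SECTOR = 512
MARKER = b"SHADOW COPY 2024"  # constructed: a string planted in the sample evidence


def _hash_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def image_device(src, dst, chunk_sectors=64, read_fn=None):
    """Copy src to dst chunk by chunk and return an acquisition log.

    read_fn(fh, nbytes) is injectable so a test can simulate an I/O error;
    the default is plain fh.read(nbytes)."""
    read_fn = read_fn or (lambda fh, n: fh.read(n))
    chunk = chunk_sectors * SECTOR
    md5, sha = hashlib.md5(), hashlib.sha256()
    unreadable = []
    offset = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        total = os.fstat(fin.fileno()).st_size
        while offset < total:
            want = min(chunk, total - offset)
            try:
                buf = read_fn(fin, want)
            except OSError:
                # Bad sectors: log the offset, substitute zeros of the same size so
                # the image keeps the drive's geometry, and skip past the range.
                unreadable.append(offset)
                buf = b"\x00" * want
                fin.seek(offset + want)
            md5.update(buf)
            sha.update(buf)
            fout.write(buf)
            offset += len(buf)
    log = {"bytes": offset, "md5": md5.hexdigest(), "sha256": sha.hexdigest(),
           "unreadable_offsets": unreadable}
    # Verification pass: the image on disk must hash to what was acquired.
    log["verified"] = _hash_file(dst) == log["sha256"]
    return log


def verify_image(path, log):
    """Re-run later (before analysis, or in court) to prove the image is unchanged."""
    return _hash_file(path) == log["sha256"]


def demo():
    chunk = 64 * SECTOR
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence.bin")
        image = os.path.join(tmp, "evidence.dd")
        # Constructed evidence: three chunks of random data, marker in the second.
        with open(evidence, "wb") as fh:
            fh.write(os.urandom(chunk) + MARKER + os.urandom(chunk - len(MARKER)) + os.urandom(chunk))

        state = {"failed": False}

        def flaky_read(fh, n):
            # Simulate one unreadable chunk at the second chunk boundary.
            if fh.tell() == chunk and not state["failed"]:
                state["failed"] = True
                raise OSError("I/O error")
            return fh.read(n)

        log = image_device(evidence, image, read_fn=flaky_read)
        with open(image, "rb") as fh:
            image_bytes = fh.read()
        result = {
            "bytes_match": log["bytes"] == 3 * chunk,
            "verified": log["verified"],
            "unreadable_offsets": log["unreadable_offsets"],
            "marker_lost_to_bad_sector": MARKER not in image_bytes,
        }
        # Flip one byte of the image: the recorded hash no longer matches.
        with open(image, "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        result["tamper_detected"] = not verify_image(image, log)
        return result
```

Two details matter in practice: the acquisition hash covers the image as written (zero-filled gaps included), so the error log must travel with the hash, and the verification hash must be recomputed from the stored image rather than trusted from the log alone.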

A BitLocker-protected disk can be decrypted for acquisition by connecting it through a write blocker to a forensic workstation running an edition of Windows that includes BitLocker (Vista or later) and supplying the 48-digit recovery password. The data remains encrypted at the physical level, but a forensic acquisition tool can then acquire the logical volume in unencrypted form. The same recovery password also unlocks a raw image of the encrypted volume on Linux with open-source tools such as dislocker or libbde, so a Windows workstation is not strictly required.

Creating a forensic copy of a live system, if investigators can gain access before the computer is powered off, is the other main way to obtain data from an encrypted drive: while the system runs, the volume is unlocked and a logical acquisition through the OS yields plaintext. The volume key is also resident in RAM at that point, so a memory capture should be taken in the same session. A live forensic copy can be obtained remotely with programs such as EnCase Enterprise and ProDiscover IR, or from the console with programs such as X-Ways Capture and FTK Imager Lite run from external media.

X-Ways Capture checks the attached volumes for popular encryption systems and can produce a forensic copy of the decrypted drive. It is launched from the command line of a live Windows or Linux machine.
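What "checks for popular encryption systems" amounts to in practice is inspecting the first sector of each volume for the plaintext signatures some products leave behind, and measuring byte entropy when no signature is present. The block below is an added example written for this page, not X-Ways code. It recognises BitLocker by the `-FVE-FS-` OEM ID at offset 3 of the volume boot record and LUKS by the `LUKS\xba\xbe` magic at offset 0, treats `NTFS    ` at offset 3 as an ordinary plaintext volume, and falls back to Shannon entropy for containers such as VeraCrypt whose headers are themselves encrypted and carry no magic bytes. The sample volumes are constructed in memory; the 7.9 bits/byte threshold is an assumption.

```python
"""Recognising encrypted volumes in an image (added example, not X-Ways code).

Signature hits decide first; otherwise byte entropy over the first 64 KiB
separates random-looking (encrypted or wiped) data from structured plaintext.
"""
import math
import os
from collections import Counter

# (magic bytes, offset within the first sector, label)
SIGNATURES = [
    (b"-FVE-FS-", 3, "bitlocker"),        # BitLocker volume boot record OEM ID
    (b"LUKS\xba\xbe", 0, "luks"),         # LUKS1/LUKS2 header magic
    (b"NTFS    ", 3, "ntfs-plaintext"),   # ordinary NTFS volume
]
HIGH_ENTROPY = 7.9  # assumption: bits per byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty or all-zero data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption(volume: bytes, sample_bytes: int = 64 * 1024):
    """Return (label, entropy). A known signature wins; otherwise entropy decides."""
    ent = shannon_entropy(volume[:sample_bytes])
    for magic, off, label in SIGNATURES:
        if volume[off:off + len(magic)] == magic:
            return label, ent
    if ent >= HIGH_ENTROPY:
        # No recognisable header but the data looks random: VeraCrypt, a locked
        # self-encrypting drive, or a drive wiped with random data all look like this.
        return "likely-encrypted-no-signature", ent
    return "unknown", ent


def _volume(oem_id: bytes, body: bytes, header_magic: bytes = b"") -> bytes:
    """Constructed test volume: a 512-byte boot sector followed by body."""
    sector = bytearray(512)
    if header_magic:
        sector[:len(header_magic)] = header_magic
    if oem_id:
        sector[3:3 + len(oem_id)] = oem_id
    sector[510:512] = b"\x55\xaa"
    return bytes(sector) + body


def demo() -> dict:
    rnd = os.urandom(64 * 1024)
    samples = {
        "bitlocker": _volume(b"-FVE-FS-", rnd),
        "luks": _volume(b"", rnd, header_magic=b"LUKS\xba\xbe"),
        "veracrypt_like": rnd,                                # no magic anywhere
        "ntfs": _volume(b"NTFS    ", b"\x00" * 4096),         # near-empty plaintext
        "zero_wiped": b"\x00" * 4096,                         # no magic, no entropy
    }
    return {name: detect_encryption(blob)[0] for name, blob in samples.items()}
```

Absence of a signature proves nothing on its own; the entropy fallback is what stops a VeraCrypt container or a locked self-encrypting drive from being misfiled as an empty or corrupt disk.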

  • Benefits of full-disk encryption
    Full-disk encryption offers the following advantages:

  • It requires no special attention from end users after they unlock the device at boot. Data is encrypted as it is written and decrypted as it is read, transparently.
  • Data cannot be extracted from the drive without the credential (password, TPM or recovery key) that unlocks the volume key.
  • It protects data at rest against theft, loss and offline tampering.
  • Temporary files, swap and hibernation data are encrypted along with everything else.
  • Users are authenticated before the operating system boots.
  • It is simpler and more reliable than file-by-file encryption, which depends on users choosing what to encrypt.

 

  • Disadvantages of FDE:

  • Encryption and decryption add overhead to disk I/O, most noticeable under heavy swapping on systems without hardware AES acceleration.
  • If a user forgets the password and the recovery key is lost, the device is as inaccessible to them as it is to an intruder.
  • Only data at rest is protected. Once the system is unlocked, the running OS and any malware on it read plaintext, and data sent between devices or by email still needs its own encryption in transit.
  • Costs include the encryption hardware or software and the administrative effort of key escrow and recovery.

Conclusion:

While FDE presents challenges for digital forensics, its benefits in data protection and compliance cannot be ignored. By understanding the complexities involved and adopting best practices, law enforcement and forensic professionals can navigate this evolving landscape effectively, ensuring both data security and successful investigations. Continuous collaboration and innovation are crucial for ensuring that digital evidence remains accessible and valuable in the age of pervasive encryption.

 


 

