Full Disk Encryption on Digital Forensics

17_Priyanka Hadpad
Feb 08, 2023

Abstract— The incorporation of strong encryption into operating systems poses difficulties for forensic examiners and can prevent the recovery of any digital evidence from a computer. Because strong encryption cannot be bypassed without a key or passcode, forensic examiners may be unable to access data once a computer has been shut down and must decide whether to conduct a live forensic acquisition. Furthermore, as encryption becomes more tightly integrated into operating systems, virtualization may in some cases be the most effective way to perform a forensic examination of a system with full disk encryption (FDE). This paper presents the evolution of FDE and its impact on digital forensics. By showing how FDE has been handled in previous investigations, it provides forensic examiners with practical techniques for recovering otherwise inaccessible evidence. It then gives guidance on gathering items at the crime scene that may help decrypt encrypted data, and on performing on-scene forensic acquisitions of live computer systems. These measures increase the likelihood of obtaining unencrypted digital evidence or of capturing an encryption key or passphrase.

Index Terms— Full Disk Encryption, BitLocker, Live Forensic Acquisition, Digital Forensics.

I. INTRODUCTION

Data is encrypted and decrypted with either symmetric or asymmetric encryption. Symmetric encryption uses the same key to encrypt and decrypt data, while asymmetric encryption uses distinct keys for the two operations.

Disk encryption uses symmetric encryption: a single key encrypts and decrypts all of the data, which is why this method is the common choice. In full-disk encryption, every file saved by the operating system is encrypted with that key. Because someone who merely has physical possession of the computer or laptop cannot read the data on the drive, an enterprise need not worry about data breaches caused by lost or stolen equipment.

Two types of encryption are available for protecting stored data. Full disk encryption (FDE), as the name says, protects the entire volume and encrypts every file present on the system. File-level encryption (FLE) operates at the file system level and encrypts the data of individual files and directories. Use cases for FDE include a stolen mobile device or laptop, devices sent for repair, resold devices that were not properly wiped, a virtual device in a multi-tenant environment, and mobile device storage. In all of these scenarios, confidential data can leave the owner's control.

Microsoft's full disk encryption tool, BitLocker, is included in many Windows editions and can encrypt the complete operating system drive as well as additional drives attached to a Windows PC.

II. FULL-DISK ENCRYPTION

All files stored on the drive (or drives), including the operating system and file system, are encrypted by full-disk encryption (FDE), also called "whole disk" encryption. Typically this is carried out sector by sector: a filter driver loaded into memory at startup encrypts every file written to the disk and decrypts every file read from it. Because this happens automatically, neither the user nor the program creating the files is aware of it. All of the data on the drive (or drives) is encrypted, not only the card data, and that includes temporary files and swap space. If FDE is implemented across all in-scope systems, the card data is assuredly encrypted.

Encryption and decryption are transparent. When information needs to be accessed it can be saved off the system, at which point it is automatically decrypted. If a processing application is installed on the system, it can likewise use the encrypted data without difficulty. All end-user data is encrypted, which eliminates the need to decide what to encrypt and what not to. Because every byte on the disk is encrypted, a thief cannot access it even by booting the encrypted system from a different boot medium. Card information is thus secure even when the system is off [1].

File-level encryption is the more effective solution on large-volume storage systems, whereas FDE is better suited to protecting data on workstations and mobile devices. This is illustrated by the well-reported incidents in which database managers or analysts put thousands of clients at risk because a laptop was stolen after it had been used to download large amounts of sensitive data from a storage system.

Full disk encryption encrypts the entire disk, so the data cannot be recovered without the key. Part of the software is a filter I/O driver that encrypts and decrypts all data to and from the boot drive in real time. When the machine is powered on, a username and password are required to decrypt the system files needed even to begin booting the actual operating system. "Files are decrypted on the fly when requested by the system. The process is completely transparent to the user" [2].
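The sector-by-sector, transparent behaviour described in this section can be modelled in a few dozen lines. The following is an added example written for this page, not code from the paper or from any FDE product: a toy "filter driver" that keeps a raw storage buffer (what a write-blocked image of the platter would contain), encrypts each sector independently under one volume key, and mixes the sector number into the encryption so that identical data in two sectors does not produce identical ciphertext. The keystream is derived with HMAC-SHA256 as a stand-in for the tweakable block cipher (XTS-AES) real products use; the volume key, the sector layout and the "cardholder" record are all constructed for the demonstration.

```python
import hashlib
import hmac

SECTOR_SIZE = 512   # the unit an FDE filter driver encrypts and decrypts
PRF_BLOCK = 32      # bytes per HMAC-SHA256 output


def sector_keystream(volume_key: bytes, sector_no: int) -> bytes:
    """Keystream for one sector. The sector number acts as the 'tweak', so the
    same plaintext lands as different ciphertext in different sectors.
    (HMAC-SHA256 in counter mode is a stand-in for XTS-AES; unlike XTS it is a
    stream construction, so rewriting a sector with new data under the same key
    would leak the XOR of old and new contents. Real products avoid that.)"""
    parts = []
    for slice_no in range(SECTOR_SIZE // PRF_BLOCK):
        msg = sector_no.to_bytes(8, "little") + slice_no.to_bytes(4, "little")
        parts.append(hmac.new(volume_key, msg, hashlib.sha256).digest())
    return b"".join(parts)


class EncryptedDisk:
    """Toy FDE layer: 'storage' is the raw platter an examiner would image."""

    def __init__(self, volume_key: bytes, sector_count: int):
        self.volume_key = volume_key
        self.storage = bytearray(sector_count * SECTOR_SIZE)

    def write(self, sector_no: int, data: bytes) -> None:
        """Transparent write: the caller hands over plaintext, ciphertext is stored."""
        if len(data) > SECTOR_SIZE:
            raise ValueError("data exceeds one sector")
        plain = data.ljust(SECTOR_SIZE, b"\x00")   # driver pads to the sector boundary
        ks = sector_keystream(self.volume_key, sector_no)
        start = sector_no * SECTOR_SIZE
        self.storage[start:start + SECTOR_SIZE] = bytes(p ^ k for p, k in zip(plain, ks))

    def read(self, sector_no: int, key=None) -> bytes:
        """Transparent read; with the wrong key an examiner only gets noise."""
        ks = sector_keystream(self.volume_key if key is None else key, sector_no)
        return bytes(c ^ k for c, k in zip(self.raw_sector(sector_no), ks))

    def raw_sector(self, sector_no: int) -> bytes:
        """What a write-blocked image of the platter holds for this sector."""
        start = sector_no * SECTOR_SIZE
        return bytes(self.storage[start:start + SECTOR_SIZE])


def demo() -> dict:
    """Constructed scenario: one record written to two sectors and to the swap area."""
    key = hashlib.sha256(b"constructed volume key - not a real secret").digest()
    disk = EncryptedDisk(key, sector_count=16)
    record = b"cardholder 4111-1111-1111-1111 (constructed sample)"
    disk.write(3, record)
    disk.write(4, record)                   # the same file stored twice
    disk.write(15, b"swap: " + record)      # swap/temp space is encrypted too
    wrong_key = hashlib.sha256(b"wrong guess").digest()
    return {
        "transparent_read": disk.read(3).rstrip(b"\x00") == record,
        "plaintext_on_platter": record in disk.raw_sector(3),
        "same_data_same_ciphertext": disk.raw_sector(3) == disk.raw_sector(4),
        "wrong_key_recovers": disk.read(3, wrong_key).rstrip(b"\x00") == record,
        "swap_plaintext_visible": b"swap: cardholder" in disk.raw_sector(15),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The four False results are the forensic point of the section: an image of the platter (`raw_sector`) never contains the record, the swap area is no exception, and a guessed key yields noise rather than an error, so there is nothing to "partially" recover without the real key.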

III. ENCRYPTION OF DATA ON HARD DISKS

BitLocker Drive Encryption, usually just called BitLocker, is a security and encryption feature of Microsoft Windows that ships with some editions of the more recent Windows versions. With BitLocker, users can encrypt all of the data on the drive Windows is installed on, preventing theft or unwanted access.

BitLocker uses a specialized chip called a Trusted Platform Module (TPM). The TPM stores Rivest-Shamir-Adleman (RSA) keys specific to the host system for hardware authentication. The TPM is installed by the original computer manufacturer and works with BitLocker to protect user data. In addition to the TPM, BitLocker can lock the startup process until the user enters a PIN or inserts a removable device, such as a flash drive, that holds a startup key. BitLocker also creates a recovery key for the user's hard drive in case the user forgets or loses their password [6].

Windows users can use BitLocker and Mac users can use Apple's FileVault to encrypt the data stored on the system. Both tools are built in and present by default, and both offer the end user a way to recover a lost password. With BitLocker, recovery information can be stored in Active Directory; FileVault backs up the encryption key to Apple's iCloud. A local copy of the recovery key can also be created if neither of those methods is available.

A number of third-party FDE solutions have also made full disk encryption available on Windows platforms, including SafeBoot.com, Pointsec.com, Utimaco.com, PGP.com and TrueCrypt.org; version 9.6 of the PGP client also supports Mac OS. Some of these third-party solutions intercept operating system access to the hard drive, unlock the decryption key with pre-boot authentication, and encrypt and decrypt data at the sector level. Because FDE blocks access to the operating system itself, this prevents unauthorized access to data even by those with direct physical access to the hard drive. While still offering the same level of sector protection, some FDE systems can also be integrated with Windows authentication to provide seamless single sign-on.

Hardware-based disk encryption products such as FlagStone (www.flagstonerange.com) and DiskCrypt (www.enovatech.net) provide full disk encryption using specialized controller cards and pre-boot authentication, and hard drive manufacturers such as Seagate and Hitachi are developing drives with integrated encryption. Full disk encryption has a significant impact on digital forensics: it may make it harder to recover intelligible data that would help an investigation, or to make a forensically sound duplicate of a hard drive [4].

IV. FORENSIC ACQUISITION OF FULLY ENCRYPTED DISKS

Forensic professionals continue to struggle with full-disk encryption. Evidence on encrypted disk volumes may be inaccessible unless the volumes are first decrypted. The standard procedure had always been to unplug the system, remove the disks, image them through a write blocker, and then analyze the image files. When a hard drive is completely encrypted, digital forensic investigators have difficulty locating the stored data and their investigative options are limited.

Forensic imaging is one of the most important procedures in a digital forensic investigation. It consists of making an archive or backup copy of the complete hard disk: a single file containing all the data required to start the operating system. For the imaged disk to function, however, it must be used on a hard drive. A disk image file cannot by itself serve as a hard drive; it has to be opened and loaded onto a drive with an imaging program. Several disk images can be stored on one hard drive, and flash drives with enough storage space can also be used to store disk images [5].

FTK Imager, an open-source program from AccessData, is used to duplicate the original evidence accurately without changing it. Since the image of the original evidence does not change, data can be copied quickly, saved and subjected to further analysis. FTK Imager also provides an integrated integrity-checking feature that produces a hash report, which helps compare the hash of the original evidence with the hash of the image made from it [3].

Non-volatile data on a computer using FDE can be preserved by live acquisition with a portable imaging tool such as AccessData's FTK Imager, as shown in Fig. 5. Fig. 2 shows an encrypted BitLocker volume mounted as drive letter "F:", and Fig. 5 shows a forensic duplicate of this decrypted volume being acquired with FTK Imager Lite [4].
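The hash report mentioned above is the core of a forensically sound acquisition: the tool hashes the bytes as they are read from the source (the acquisition hash), writes the raw image, and then hashes the finished image file (the verification hash); the two must match, and the pair is what lets anyone later prove the image is unchanged. The following is an added example written for this page, not FTK Imager's own code: it performs that sequence on a constructed evidence file standing in for a block device, pads a short final read to a whole sector the way `dd conv=sync` does, and then shows that a single modified byte in the image makes re-verification fail. The file names, the buffer size and the sample data are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512
CHUNK_SECTORS = 2048          # 1 MiB per read, a typical acquisition buffer


def stream_hashes(path: str) -> dict:
    """Hash a file (source device or image) in chunks; returns hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        while True:
            chunk = f.read(SECTOR_SIZE * CHUNK_SECTORS)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquire_raw_image(source: str, image: str) -> dict:
    """Copy `source` to `image` while hashing the bytes as they are read (the
    acquisition hash), then re-hash the finished image (the verification hash).
    A short final read is zero-padded to a full sector, as dd conv=sync does."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    sectors = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(SECTOR_SIZE * CHUNK_SECTORS)
            if not chunk:
                break
            if len(chunk) % SECTOR_SIZE:
                whole = -(-len(chunk) // SECTOR_SIZE) * SECTOR_SIZE   # ceil to sectors
                chunk = chunk.ljust(whole, b"\x00")
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
            sectors += len(chunk) // SECTOR_SIZE
    acquisition = {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}
    verification = stream_hashes(image)
    return {
        "sectors": sectors,
        "image_bytes": sectors * SECTOR_SIZE,
        "acquisition": acquisition,
        "verification": verification,
        "verified": acquisition == verification,
    }


def verify_image(image: str, expected: dict) -> bool:
    """Later re-verification of an image against the recorded hashes."""
    return stream_hashes(image) == expected


# Constructed stand-in for the contents of a suspect drive (2800 bytes = 5.47 sectors,
# so the padding branch above is exercised).
SAMPLE_DATA = b"CONSTRUCTED EVIDENCE SECTOR\n" * 100


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_drive.bin")
        image = os.path.join(tmp, "suspect_drive.dd")
        with open(source, "wb") as f:
            f.write(SAMPLE_DATA)
        report = acquire_raw_image(source, image)
        # Simulate a later modification of the image: one byte changed.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        report["tamper_detected"] = not verify_image(image, report["acquisition"])
        return report


if __name__ == "__main__":
    r = run_demo()
    print("sectors:", r["sectors"], "verified:", r["verified"],
          "tamper detected:", r["tamper_detected"])
    print("md5:", r["acquisition"]["md5"])
```

Two digests are kept because that is what most imaging tools record; MD5 alone is no longer a good integrity anchor, and the SHA-1 (or, better, SHA-256) value is what should go into the chain-of-custody notes.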

It is possible to decrypt a BitLocker-protected disk by connecting the drive read-only to a forensic examination system running Windows Vista and supplying the recovery password to BitLocker. Although the data is still encrypted at the physical level, a forensic acquisition tool can then be used to acquire the logical volume in unencrypted form (see Figure 5) [3].
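Recovery passwords found on scene are often handwritten or printed, and a single misread digit wastes an unlock attempt on the examination system. The 48-digit BitLocker recovery password has a documented structure that lets an examiner check a transcription before using it: eight groups of six digits, where each group is a 16-bit value multiplied by 11, so every group must be divisible by 11 and its quotient must not exceed 65535. The following is an added example written for this page, not Microsoft's or any forensic suite's code; the sample password is constructed from arbitrary 16-bit values and unlocks nothing. It validates only the structure, not whether the password belongs to a given volume.

```python
import re

GROUPS = 8
DIGITS_PER_GROUP = 6
MAX_GROUP_VALUE = 0xFFFF * 11       # 720885: each group is a 16-bit value times 11


def _digits_only(text: str) -> str:
    """Strip the hyphens or spaces a printed or handwritten key usually carries."""
    return re.sub(r"[\s-]", "", text)


def check_recovery_password(text: str) -> list:
    """Return a list of problems with a candidate recovery password transcription;
    an empty list means the string has the documented structure."""
    digits = _digits_only(text)
    if not re.fullmatch(r"[0-9]+", digits):
        return ["contains characters other than digits, spaces and hyphens"]
    expected = GROUPS * DIGITS_PER_GROUP
    if len(digits) != expected:
        return [f"expected {expected} digits, found {len(digits)}"]
    problems = []
    for i in range(GROUPS):
        group = digits[i * DIGITS_PER_GROUP:(i + 1) * DIGITS_PER_GROUP]
        value = int(group)
        if value % 11:
            problems.append(f"group {i + 1} ({group}): not divisible by 11 (misread digit?)")
        elif value > MAX_GROUP_VALUE:
            problems.append(f"group {i + 1} ({group}): exceeds the 16-bit range")
    return problems


def recovery_password_values(text: str) -> list:
    """The eight 16-bit values encoded by a structurally valid recovery password."""
    problems = check_recovery_password(text)
    if problems:
        raise ValueError("; ".join(problems))
    digits = _digits_only(text)
    return [int(digits[i * DIGITS_PER_GROUP:(i + 1) * DIGITS_PER_GROUP]) // 11
            for i in range(GROUPS)]


# Constructed sample: 16-bit values 1234, 0, 65535, 31337, 4096, 55555, 1, 60000 each * 11.
SAMPLE_PASSWORD = "013574-000000-720885-344707-045056-611105-000011-660000"

if __name__ == "__main__":
    print("sample:", check_recovery_password(SAMPLE_PASSWORD) or "structure OK")
    print("values:", recovery_password_values(SAMPLE_PASSWORD))
    # A transcription with one wrong digit in the first group.
    print("typo:", check_recovery_password(SAMPLE_PASSWORD.replace("013574", "013575")))
```

Because the divisibility rule catches any single-digit error within a group, it is worth running over every candidate string before it is typed into the examination system.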

If forensic investigators can gain access before the computer is turned off, creating a forensic copy of the live system is an alternative way to obtain data from an encrypted drive. A live forensic duplicate can be acquired remotely with programs such as EnCase Enterprise and ProDiscover IR, or from the console with programs such as X-Ways Capture and FTK Imager Lite running from external media, as shown in Figure 4.

X-Ways Capture includes a check for popular encryption systems and can produce a forensic duplicate of the decrypted drive. It can be launched from the command line of a live Windows or Linux machine.

V. CONSIDERATIONS WHEN CHOOSING A FORENSIC DECRYPTION TOOL

I. GPU Acceleration

This means using the computer's graphics processing unit (GPU) to speed up demanding computations, which significantly reduces the time required to carry out forensic decryption on large volumes of data [7].

II. FDE Decryption

Full Disk Encryption (FDE) is a security technique in which all data on a hard drive is encrypted by default at the disk level, without users having to carry out any encryption themselves. Because many organizations use FDE, it is crucial to pick a program that can decrypt fully encrypted hard drives [7].

III. Supported File Types

Word documents, PDF files, archive files and other file types can all be encrypted, and many forensic decryption solutions only support specific file types. When choosing a forensic decryption program, make sure it supports the kinds of files you need to decrypt [7].

IV. Detection of Encrypted Files

When performing forensic decryption on a large system it can be challenging to locate all the encrypted files that might hold the needed information. Choosing forensic decryption software that can identify and list every encrypted file on a system therefore saves a great deal of time [7].
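Tools detect encrypted volumes and containers in two ways, and both the "check for popular encryption systems" in X-Ways Capture (Section IV) and the detection feature described here rest on them: known signatures for products that leave one (a BitLocker volume carries the OEM ID "-FVE-FS-" at offset 3 of its boot sector, a LUKS volume starts with the magic bytes "LUKS\xba\xbe"), and byte entropy for signatureless containers such as TrueCrypt/VeraCrypt volumes, whose header is itself encrypted. The following is an added example written for this page, not the code of any product named above; it scans a directory of constructed sample files and classifies each one. A plain NTFS signature is included so the scan can also say "not encrypted". The entropy threshold is an assumption; compressed archives, images and already-encrypted documents also score near 8 bits per byte, so high-entropy hits are candidates for review, not proof.

```python
import math
import os
import tempfile

# (label, offset, magic bytes) for containers that carry a plaintext signature.
SIGNATURES = [
    ("bitlocker", 3, b"-FVE-FS-"),     # OEM ID in the BitLocker volume boot sector
    ("luks", 0, b"LUKS\xba\xbe"),      # LUKS header magic
    ("ntfs", 3, b"NTFS    "),          # plain NTFS, i.e. not encrypted at the volume level
]
HEAD_BYTES = 64 * 1024        # how much of each file is examined
MIN_JUDGE_BYTES = 512         # entropy of anything smaller is not meaningful
ENTROPY_THRESHOLD = 7.9       # bits/byte; random-looking data is ~7.99, English text ~4-5 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_header(head: bytes) -> str:
    """Signature match first; otherwise fall back to an entropy judgement."""
    for label, offset, magic in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    if len(head) < MIN_JUDGE_BYTES:
        return "too-small"
    return "high-entropy" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "low-entropy"


def scan_directory(root: str) -> dict:
    """Map each file (relative path) under `root` to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(HEAD_BYTES)
            results[os.path.relpath(path, root)] = classify_header(head)
    return results


def build_sample_dir(root: str) -> None:
    """Constructed samples: three volume headers, a text file and a signatureless container."""
    samples = {
        "bitlocker_volume.img": b"\xeb\x58\x90" + b"-FVE-FS-" + b"\x00" * 501,
        "luks_volume.img": b"LUKS\xba\xbe" + b"\x00" * 506,
        "ntfs_volume.img": b"\xeb\x52\x90" + b"NTFS    " + b"\x00" * 501,
        "notes.txt": b"meeting notes: remember the recovery key is in the safe\n" * 40,
        "container.hc": os.urandom(HEAD_BYTES),   # stands in for a TrueCrypt/VeraCrypt-style volume
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:13s} {name}")
```

In practice the signature list is what distinguishes a tool that "identifies encrypted files" from one that merely flags everything compressed; the entropy pass is the safety net for containers designed to look like random data.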

V. Un-traceability

The ideal forensic decryption tool should not leave any traces after decryption: the targeted files should remain unchanged, and no footprints of the decryption exercise should be left behind. Investigations often benefit from being untraceable, since visible activity can raise suspicion and prompt countermeasures. Untraceable forensic decryption is therefore ideal [7].

VI. INVESTIGATIONS

Case Example: The UK prison system

In 2008, a consulting firm lost a lucrative contract with the UK prison system when an employee lost a USB drive containing the personal information and release dates of more than 80,000 inmates. The case shows that physical security is just as important a part of data loss prevention as technical controls. The stick was lost when an employee went on vacation and left it in her unlocked desk drawer in an unsecured area of the company's building; when she returned from her trip it was gone and no one had any idea what had happened to it.

As a result of the lost data, the consulting firm lost a big client and a lot of revenue, not to mention the damage to its reputation.

 

Case Example: In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million "active users." Security blogger Brian Krebs then reported that a file posted just days earlier "appears to include more than 150 million username and hashed password pairs taken from Adobe." Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.

 

Case Example: In November 2007, the government in the United Kingdom reported that two disks containing personal information on 25 million citizens had been lost. Healthcare and financial organizations, government entities, and higher education institutions have all experienced loss or theft of hard drives containing personally identifiable information (PII). In May 2007, the Transportation Security Administration (TSA) lost a hard drive containing approximately 100,000 employee bank account details, and in October 2007 two laptops containing names and social security numbers of almost 4,000 employees were stolen from the TSA [4].

VII. CONCLUSION

Full disk encryption is becoming more common, with far-reaching implications for digital forensics. Digital investigators must confront FDE at the crime scene, and prosecutors must prepare search warrants with FDE in mind.

Despite the growing prevalence of FDE, forensic examiners are not without hope. Because the comprehensive protection provided by FDE can result in total data loss if something goes wrong, most FDE systems include an optional disaster recovery mechanism that forensic examiners may be able to use to recover data. Furthermore, FDE makes passwords more important to users, because losing the password that unlocks an FDE-protected system prevents them from using their computer at all. Password accessibility and convenience therefore gain importance, which gives forensic examiners another possible approach to unlocking FDE: individuals may keep the critical password with other important documents or save disaster recovery keys on removable media, so notes, thumb drives, hardware tokens and other removable devices found on scene deserve attention as possible key material. In corporate environments, forensic examiners may be able to obtain decryption keys from system administrators and information security personnel to unlock a fully encrypted disk. Finally, research into new techniques and technology for breaking or bypassing full disk encryption is required. Without such measures, FDE will bring digital investigations to a halt.

References

[1] https://www.sciencedirect.com/topics/computer-science/disk-encryption
[2] https://arstechnica.com/gadgets/2008/05/check-point-offers-first-full-disk-encryption-for-mac/
[3] file:///D:/Priyanka%20Hadpad/Desktop/The_impact_of_full_disk_encryption_on_di.pdf
[4] https://serval.unil.ch/resource/serval:BIB_52974E4C51C4.P001/REF
[5] https://www.hackingarticles.in/comprehensive-guide-on-ftk-imager/
[6] https://www.techtarget.com/searchenterprisedesktop/definition/BitLocker
[7] https://geekflare.com/forensic-decryption-tools/
