Digital Forensics Report: Encryption Challenges and Solutions
Added on 2022/08/08
Report
AI Summary
This report delves into the complexities of digital forensics, particularly concerning the impact of full volume encryption on investigative processes. It highlights the challenges faced by forensic examiners, such as the inability to easily create copies of hard drives or recover intelligible information. The report discusses the integration of strong encryption into operating systems and the necessity of live acquisition in certain scenarios. It differentiates between physical and logical disk imaging, and explores methods to bypass encryption, including password cracking tools like ophcrack and the use of FTK Imager for evidence assessment. The report also covers encryption methods like BitLocker, Encrypt it, and TrueEncrypt, emphasizing the difficulties they pose to forensic investigations. The report concludes by emphasizing the importance of understanding these challenges and employing appropriate techniques to successfully extract and analyze digital evidence.

Running head: DIGITAL FORENSICS
DIGITAL FORENSICS
Name of the Student
Name of the University
Author Note

PART 1
Full volume encryption, or full disk encryption, is a very strong form of encryption, and
it is used in digital forensics. The influence of full volume encryption on digital forensics
is important (Vincze, 2016). This encryption can adversely affect the ability to create a
copy of the hard drive or to recover information that is intelligible to a forensic
investigation.
The integration of this strong encryption into operating systems is creating challenges
for forensic examiners, preventing them from recovering any digital evidence from a system.
Because strong encryption cannot be circumvented without the key, forensic examiners may not
be able to view the data when the system is shut down, and they must decide whether to
perform a live forensic acquisition (Mehta & Rathod, 2018). Examiners must therefore take
precautions when handling such strong encryption: they require the credentials in order to
access the data, and if these are not available, the examiner needs to obtain a forensic
image of the live system while its contents are in an unencrypted state.
The difference between imaging a physical disk and imaging a volume is that a physical
image is a bit-for-bit copy of the whole hard disk or partition, whereas a volume image is a
copy of the files that are referenced in the file system (Stich et al., 2016). These are just
the files that are on the hard drive. If the physical image is obtained, the examiners have
everything. If the physical image is run through forensic processing software, it will find
deleted files and much more.
When imaging a live disk, there are differences between imaging a physical disk and
imaging a logical volume (Ham & James, 2020). If the examiners obtain the physical image,
they can access both the logical data and the deleted files. Imaging the logical
volume means imaging only the files that are present on the hard drive of the
system.
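To support the decision about live acquisition discussed above, the following added example (not part of the original report) triages a physical image by walking its MBR partition table and checking each volume boot sector for the BitLocker OEM ID `-FVE-FS-`. It assumes an MBR-partitioned disk with 512-byte sectors and an image small enough to hold in memory; GPT disks and BitLocker To Go volumes are out of scope, and all function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID at offset 3 of a BitLocker volume boot sector
NTFS_OEM = b"NTFS    "        # OEM ID of an unencrypted NTFS volume

def mbr_partitions(image: bytes):
    """Yield (index, type_byte, start_lba, sector_count) for used MBR entries."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; not a physical disk image?")
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count > 0:
            yield i, ptype, start, count

def classify_volume(boot_sector: bytes) -> str:
    """Classify a volume by the 8-byte OEM ID in its boot sector."""
    oem = boot_sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"

def triage(image: bytes):
    """Return [(partition_index, start_lba, classification), ...]."""
    results = []
    for i, _ptype, start, _count in mbr_partitions(image):
        off = start * SECTOR
        results.append((i, start, classify_volume(image[off:off + SECTOR])))
    return results

def build_sample_image() -> bytes:
    """Constructed test disk: partition 0 is plain NTFS, partition 1 is BitLocker."""
    img = bytearray(SECTOR * 64)
    for i, start in enumerate((8, 32)):
        # status, CHS start (skipped), type 0x07, CHS end (skipped), LBA, length
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, 0x07, start, 16)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3: 8 * SECTOR + 11] = NTFS_OEM
    img[32 * SECTOR + 3: 32 * SECTOR + 11] = BITLOCKER_OEM
    return bytes(img)

if __name__ == "__main__":
    for idx, lba, kind in triage(build_sample_image()):
        print(f"partition {idx} @ LBA {lba}: {kind}")
```

A logical (file-level) copy carries neither the partition table nor the boot sectors, so this check only works on a physical image or the raw device.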
PART 2
The task stated above is to access a Windows Surface device that is running Windows 8.
The user account is locked, the desktop cannot be seen, and an app called mSecure is running
on the system. The computer system and the mobile devices need to be searched, and the
contents of the systems are protected with BitLocker.
The first step is to open the user's account and then view the desktop to see whether
any files are present on the system. The contents are encrypted by BitLocker. Therefore,
the task is to unlock BitLocker and access the files. Unlocking BitLocker requires the
password, but it is held by the user, so the password is to be cracked using a password
cracking tool such as ophcrack (Harbawi & Varol, 2017). Then the files can be easily
accessed. The files are to be searched for clues in order to proceed with the
investigation. To obtain the evidence, software known as FTK Imager is used to assess the
electronic evidence present in the electronic files. FTK Imager is an imaging and data
preview tool for evaluating electronic evidence. After the evidence has been collected from
the files, an image of the physical disk needs to be taken in case some clues are present in
files that have been deleted by the criminal (Du, Le-Khac & Scanlon, 2017). A logical image
also needs to be taken in order to evaluate the files on the hard drive.
Full volume encryption is used to lock the machine and the hard drive so that the
forensic officer cannot enter the machine and evaluate the files and the evidence present
in electronic form (Hasan, Awais & Shah, 2018). The criminal may have used software such as
Encrypt it or TrueEncrypt to encrypt the hard drive. The criminal can also use full volume
or full disk encryption, and it becomes very difficult for the
investigating or forensic officers to crack this encryption, as this encryption is very
strong.
References
Du, X., Le-Khac, N. A., & Scanlon, M. (2017). Evaluation of digital forensic process models
with respect to digital forensics as a service. arXiv preprint arXiv:1708.01730.
Ham, J., & James, J. I. (2020). A Feature Comparison of Modern Digital Forensic Imaging
Software. arXiv preprint arXiv:2001.00301.
Harbawi, M., & Varol, A. (2017, April). An improved digital evidence acquisition model for
the Internet of Things forensic I: A theoretical framework. In 2017 5th International
Symposium on Digital Forensic and Security (ISDFS) (pp. 1-6). IEEE.
Hasan, S., Awais, M., & Shah, M. A. (2018, April). Full Disk Encryption: A Comparison on
Data Management Attributes. In Proceedings of the 2nd International Conference on
Information System and Data Mining (pp. 39-43).
Mehta, J. P., & Rathod, D. (2018). Towards Enablement Of Efficient Forensics Of Encrypted
Storage Devices Such As HDDs and SSDs.
Stich, D. G., DeVore, M. S., Cleyrat, C., Phipps, M. L., Wilson, B. S., Goodwin, P. M., &
Werner, J. H. (2016). Advancing 3D Single Molecule Tracking by Time-Gating and
Fast Simultaneous Spinning Disk Imaging for Contextual Information. Biophysical
Journal, 110(3), 632a-633a.
Vincze, E. A. (2016). Challenges in digital forensics. Police Practice and Research, 17(2),
183-194.