Posted: Thu Jun 25, 2009 8:23 pm Post subject: Safeguard Easy - Removal of encryption
I want to image a hard disk that has Safeguard Easy.
I dont want to boot into the machine, but have the safeguard credentials.
I have a bootable cd from utimaco (safeguard provider).
I will do a /no reboot from the command line.
I want to then boot off my forensic cd and image the drive etc, or maybe do a dd etc.
Will the removal of the encryption affect mean it will no longer be admissable? or is it still OK etc.
Anyone else have experiences of Safeguard Easy and Forensics?
- Forensically wipe a hard drive that is the same size or greater than the evidence drive.
- Create a forensic clone from the evidence drive to the new drive (this will now give you forensic copy of the evidence drive).
- Decrypt the NEW drive using the credentials you have - i.e. remove the Safeguard encryption from it
- Image that decrypted NEW drive.
- DOCUMENT whatever you have done IN DETAIL
Save both drives as evidence. You have the original (encrypted) and the decrypted one in case someone wants to see it.
Just a thought - others in the forum may have other ideas for you to kick around.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum