
The eMag Link Monthly Articles


July Edition


Whole Disk Encryption and Forensics
Project Management Bridges the Gap Between Legal Issues and Information Technology


Whole Disk Encryption and Forensics


With data theft on the rise, whole disk encryption is increasingly a requirement in corporate environments to protect valuable company assets. This presents a challenge for the forensic community, and sometimes a dead end for an investigation. Forensic tools are slowly gaining ground, but they get little help from the encryption manufacturers.

There are two types of whole disk encryption: hardware and software. Seagate has coined the term Full Disk Encryption for its hardware-based solution. Currently, Seagate offers the Momentus model drive, a 2.5-inch laptop hard drive in the 30Gb-160Gb capacity range aimed at corporate users. The Momentus drive supports and enhances the Trusted Platform Module (TPM) microchip. The drive also has its own wiping utility built in, so the laptop or drive can be reissued or sold without using a third party or a separate tool to destroy the data on the drive. The encrypted drive is accessed by simply entering a password. The drive encryption cannot be turned off, which ensures that the user does not make the laptop vulnerable by mistake. If the laptop is left on after authenticating, the drive can be accessed, which is a plus for forensics but can pose a security issue for the end user. There has been talk of Hitachi releasing an encrypted drive later this year to compete with the Seagate model.

BitLocker is a feature available only in the Enterprise and Ultimate versions of Microsoft's Vista. BitLocker encrypts the entire Windows volume on a laptop or desktop computer. If the computer has a Trusted Platform Module (TPM), BitLocker uses it to lock the encryption keys that protect the data on the volume. Microsoft has created BitLocker so that TPM is not a requirement for disk encryption. TPM is an embedded microchip, usually installed on the motherboard, that communicates with the rest of the system over a hardware bus. TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. For enhanced security, a USB device or floppy disk and a PIN can be used along with the TPM, adding another step to the decryption process. As of this writing, the major forensic tools do not have a way around BitLocker; however, there are manual steps that can be taken to get around the encryption.
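The key-release check described above, as an added example that is not from the original article or from Microsoft: a simplified Python model that folds boot measurements into a register and releases a key only when the result matches the stored snapshot. The class `ToyTPM`, the component names, the key, and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)); order-dependent, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold the ordered boot components into a single register value."""
    pcr = bytes(32)  # register starts at all zeros after reset
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Simplified model: keeps a key with the snapshot it was sealed to."""
    def __init__(self):
        self._sealed = None

    def seal(self, key: bytes, snapshot: bytes) -> None:
        self._sealed = (key, snapshot)

    def unseal(self, current_pcr: bytes):
        """Return the key only if the current measurement equals the snapshot."""
        if self._sealed is None:
            return None
        key, snapshot = self._sealed
        return key if hmac.compare_digest(current_pcr, snapshot) else None

# Constructed sample data, not real boot components or key material.
GOOD_BOOT = [b"boot manager 1.0", b"os loader 1.0", b"boot config: debug=off"]
ALTERED_BOOT = [b"boot manager 1.0", b"os loader 1.0", b"boot config: debug=on"]
OTHER_ENV = [b"forensic boot media", b"imaging tool"]
VOLUME_KEY = b"constructed-volume-key"

def run_scenarios() -> dict:
    tpm = ToyTPM()
    tpm.seal(VOLUME_KEY, measure_boot(GOOD_BOOT))  # the snapshot taken earlier
    return {
        "normal boot": tpm.unseal(measure_boot(GOOD_BOOT)),
        "altered config": tpm.unseal(measure_boot(ALTERED_BOOT)),
        "other boot environment": tpm.unseal(measure_boot(OTHER_ENV)),
        "reordered": tpm.unseal(measure_boot(GOOD_BOOT[::-1])),
    }

if __name__ == "__main__":
    for name, key in run_scenarios().items():
        print(f"{name:24} -> {'key released' if key else 'key withheld'}")
```

In this model, only the unchanged boot sequence reproduces the snapshot; any changed, missing, or reordered component yields a different register value and the key stays sealed.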

PGP offers several software encryption packages, including one for whole disk encryption. PGP’s whole disk encryption product locks down the entire contents of a laptop, desktop, external drive, or USB flash drive (including boot sectors, system, and swap files), making it a good choice for company-wide protection. PGP offers one-time passphrases, which allow access to the encrypted drive and are then reset after use. AccessData’s Password Recovery Toolkit is able to use brute force to retrieve a password from a PGP-encrypted drive. It is very time-consuming but can be done.

PC Guardian, now known as Guardian Edge, offers a whole disk encryption solution which requires a pre-boot password or smartcard to access the encrypted drive. The encryption allows for multiple use logons for one drive. All software deployments and updates are done through Group Policy Objects (GPO) in Active Directory.

Utimaco offers SafeGuard Easy, which is whole disk encryption software. SafeGuard Easy has a pre-boot authentication process that supports both passwords and eTokens, and it encrypts and decrypts data on the fly. Like most other products, it offers 128-bit and 256-bit Advanced Encryption Standard (AES) and 128-bit IDEA.

Guidance Software produces EnCase Forensic, Enterprise and FIM. At the beginning of the year, EnCase Version 6 was released to the public, as well as the EnCase® Decryption Suite. The Decryption Suite supports the decryption of PC Guardian® and Utimaco® disk-based encryption products. Unfortunately, the user name and password must be known in order to access the supported encryption types. According to Guidance technical support, they are planning support for Pointsec decryption in the very near future.

Conclusion

In conclusion, there are many types of whole disk encryption on the market available to both consumers and businesses. We are seeing more and more encrypted drives in the field, and this will only increase with time. As with all technology, advances are being made every day. While there are some techniques and tools available now for some encryption types, that number will increase over time. Computer forensics is an ever-evolving science, though still a relatively new field. Testing needs to be performed in the lab before being applied in the field, so that investigators know what they are facing before arriving at a client site.

Contact eMag today if you'd like to learn more.


Project Management Bridges the Gap Between Legal Issues and Information Technology


As technology has increasingly permeated the legal environment, the need to join information technology and legal issues has never been more critical. Increasingly, electronic discovery vendors have turned to project management as the bridge between these two worlds for electronic discovery.

Project management bridges the gap between legal issues and information technology to take processed/restored/culled data and provide meaning in the context of ongoing litigation matters. Instead of passing along 100 page spreadsheets with the results from keyword searches and custodian lists, project managers deliver reports that help inform the context and meaning of these mountains of information.

As technology has moved from boxes of paper documents filling the halls of law firms to terabytes of data representing email files, disaster recovery backups, and other forms of electronically stored information, the need has grown to give context and meaning to the ever-growing masses of information. Law firms and corporate legal departments, especially, have struggled to strike a balance in the interaction of IT professionals, paralegals, and attorneys in terms of who is handling the lion’s share of early discovery work. In many cases, paralegals and IT departments are handling most of the early stage discovery work, with attorneys becoming involved as a particular matter edges closer to the trial stage.

In order to juggle the intricate relationship between substantive law, discovery procedure, and information systems technology, E-Discovery companies have turned to project management as the bridge between these vastly different functional areas. An effective project manager serves as part E-Discovery consultant, sales engineer and analytical problem solver in this relatively new industry. Since requirements, and therefore expectations, of the end client are constantly changing, how a project manager consistently communicates status updates is a critical factor for success.

In addition to the day-to-day utility of project management assisting law firms, corporations, and government entities through the E-Discovery process, this critical function will increasingly serve as a differentiator in the larger Electronic Discovery marketplace. Organizations that are best able to bridge the gap between legal issues and information technology will ultimately become the standard against which others are judged.

Advances in technology and electronic discovery processing capabilities are increasingly commoditizing the legal services market, thus quality of service and ability to provide added value become a greater measure of the true value of litigation support and electronic discovery vendors. Ultimately, those organizations that are best able to create meaning out of massive amounts of data and drive the integration between procedure, technology, and substantive law will emerge at the top of the heap, and those who cannot will be left behind.

Project managers lead pre-job meetings that outline the expectations and deliverables to make sure that the client is on the same page with the production group and the sales team. From that point, the client receives regular updates on the status of the job, and any potential issues are raised with the client before they become critical stops. The project manager continually works with the client, production, and sales to solve any problems that arise, and adjusts expectations and deliverables where needed as those issues are resolved or worked around. Project managers work with the client to establish the best method for deliverables, whether hard drive, CD, electronic transmission, or another mutually established format.

A good project manager will understand what the client needs not just for a particular task/job, but the larger needs of the clients in the long term, to recognize additional issues, future needs, or gaps between what the client may ask for and what the client’s true needs may be. A project manager is the true tie-in between what the client asks for and what that client really needs.


This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:

Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com.
