Difference between revisions of "Full Disk Encryption"

From ForensicsWiki
(Software Solutions)
(Full Disk Encryption Analysis Tools)
 
(10 intermediate revisions by 2 users not shown)
Line 56: Line 56:
 
: http://www.checkpoint.com/products/datasecurity/pc/
 
: http://www.checkpoint.com/products/datasecurity/pc/
  
; [[dm-crypt]]
+
; [[DiskCryptor]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the Linux 2.6 device mapper. Supports various [[ciphers]] and [[LUKS]] (Linux Unified Key Setup).
+
: Free solution provided under GNU General Public License.
: http://www.saout.de/misc/dm-crypt/
+
: http://diskcryptor.net/index.php/DiskCryptor_en
: http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf
+
  
 
; [[FreeOTFE]]
 
; [[FreeOTFE]]
: Transparent on the fly encryption for [[Windows|MS Windows]] and [[Microsoft Windows Mobile|Windows Mobile]] PDAs. Also supports mounting [[Linux]] [[dm-crypt]] and [[LUKS]] volumes
+
: Transparent on the fly encryption for [[Windows|MS Windows]] and [[Microsoft Windows Mobile|Windows Mobile]] PDAs. Also supports mounting [[Linux]] [[dm-crypt]] and [[Linux Unified Key Setup (LUKS)|LUKS]] volumes
 
: http://www.FreeOTFE.org/
 
: http://www.FreeOTFE.org/
  
Line 76: Line 75:
 
: Supports hidden volumes and Pre-Boot Authentification.
 
: Supports hidden volumes and Pre-Boot Authentification.
 
: http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8
 
: http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8
 +
 +
; [[FileVault Disk Encryption]]
  
 
; Jetico BestCrypt
 
; Jetico BestCrypt
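Review bot: The added `; [[FileVault Disk Encryption]]` entry has no `:` description or link line, unlike the GELI and loop-AES entries around it, and it is placed between GELI and Jetico BestCrypt rather than next to FreeOTFE with the other F entries. Suggest adding at least a one-line description and a reference link, and moving the entry so the list stays in alphabetical order.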
Line 83: Line 84:
 
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the loopback device and [[AES]].
 
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the loopback device and [[AES]].
 
: http://sourceforge.net/projects/loop-aes/
 
: http://sourceforge.net/projects/loop-aes/
 +
 +
; [[Linux Unified Key Setup (LUKS)]] or [[dm-crypt]]
 +
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the Linux 2.6 device mapper. Supports various [[ciphers]] and [[Linux Unified Key Setup (LUKS)]].
 +
: http://www.saout.de/misc/dm-crypt/
  
 
; [[PGPDisk]]
 
; [[PGPDisk]]
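Review bot: The re-added text under `; [[Linux Unified Key Setup (LUKS)]] or [[dm-crypt]]` carries only the saout.de link; the http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf reference that the old `; [[dm-crypt]]` entry at Line 56 listed is not carried over. Restore it here if the drop was unintended. The description line also says the entry supports "[[Linux Unified Key Setup (LUKS)]]" under a heading that already names LUKS, so consider rewording it so that LUKS is not listed as a feature of itself.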
Line 108: Line 113:
 
: Supports hidden volumes within TrueCrypt volumes (plausible deniability).
 
: Supports hidden volumes within TrueCrypt volumes (plausible deniability).
 
: http://www.truecrypt.org/
 
: http://www.truecrypt.org/
 
; [[DiskCryptor]]
 
: Free solution provided under GNU General Public License.
 
: http://diskcryptor.net/index.php/DiskCryptor_en
 
  
 
; [[vnconfig]]
 
; [[vnconfig]]
Line 117: Line 118:
 
: http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8
 
: http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8
  
==Exernal Links==
+
==Full Disk Encryption Analysis Tools==
[http://www.thinkwiki.org/wiki/Full_Disk_Encryption_(FDE) Wiki page for FDE on Thinkpads]
+
Due to continual updates and variances to full disk encryption software, there is varied coverage of each software by digital forensics tools. Additionally, each forensic tool may only support limited versions of the encryption software, as noted in the table below:
 +
 
 +
{| class="wikitable sortable" style="background:none; border:0;"
 +
|-
 +
! style="background:none; border:0;"|
 +
|-
 +
! Solution
 +
! Check Point (PointSec PC)
 +
! Credant Mobile Guardian
 +
! Dell Data Protection
 +
! GuardianEdge Encryption Plus/Anywhere
 +
! GuardianEdge Hard Disk Encryption
 +
! [[FileVault Disk Encryption]]
 +
! [[Linux Unified Key Setup (LUKS)]]
 +
! McAfee Endpoint (SafeBoot)
 +
! Microsoft BitLocker
 +
! Sophos SafeGuard Easy
 +
! Sophos SafeGuard Enterprise
 +
! Symantec/PGP Whole Disk
 +
! Symantec Endpoint
 +
! TrueCrypt
 +
! WinMagic SecureDoc
 +
|-
 +
! [[EnCase|EnCase Forensics v6]]
 +
| {{no}} || {{no}} || {{no}} || {{yes}} || {{yes}} || unknown || unknown || {{yes}} || {{yes}} || {{yes}} || {{yes}} || {{yes}} || {{no}} || {{no}} || {{yes}}
 +
|-
 +
! [[EnCase|EnCase Forensics v7]]
 +
| {{yes|}} 6.3.1 to 7.4, 8.0 || {{yes|}} 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 || {{yes|}} 8.3 || {{partial|}}7 and 8 (No 64-bit support) || {{yes|}}9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 || unknown || unknown || {{yes|}} 4.x, 5.x, 6.x, 7.x || {{yes|}} Windows Vista, 7, 8, Server 2008 || {{yes|}} 4.5, 5.5, 5.6, 6.0 || {{yes|}} 4.5, 5.5, 5.6, 6.0 || {{yes|}} 9.8, 9.9, 10.0, 10.1, 10.2 || {{yes|}} 7.0.2 through 7.0.8, 8.0, 8.2 || {{no}} || {{yes|}} 4.5, 4.6, 5.x, 6.x
 +
|-
 +
! [[AccessData FTK v3]]
 +
| unknown || unknown || unknown || unknown || unknown || unknown || unknown || {{yes|}}4.x, 5.x, 6.x [http://digfor.blogspot.com/2011/07/safeboot-with-encase-or-ftk_18.html] || unknown || unknown || unknown || unknown || unknown || unknown || unknown
 +
|-
 +
! [[X-Ways]]
 +
| unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown
 +
|-
 +
! Other Applications
 +
| unknown || unknown || unknown || unknown || unknown || {{yes|}} [[libfvde]] || {{yes|}} [[libluksde]] || unknown || {{yes|}} [http://www.hsc.fr/ressources/outils/dislocker/ dislocker], [[libbde]] || unknown || unknown || unknown || unknown || unknown || unknown
 +
|}
 +
 
 +
==External Links==
 +
* [http://www.thinkwiki.org/wiki/Full_Disk_Encryption_(FDE) Wiki page for FDE on Thinkpads]
  
 
[[Category:Encryption]]
 
[[Category:Encryption]]
 
[[Category:Anti-Forensics]]
 
[[Category:Anti-Forensics]]
 
[[Category:Disk encryption]]
 
[[Category:Disk encryption]]
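Review bot: In the new table, the McAfee Endpoint (SafeBoot) cell of the `[[AccessData FTK v3]]` row is the only cell that cites a source, and it does so with a bare, unlabelled external link; the version lists in the `[[EnCase|EnCase Forensics v7]]` row have no reference at all. Suggest giving the digfor.blogspot.com link a label and adding a reference for each version-specific claim, so readers can tell which tool release the listed versions were checked against.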

Latest revision as of 03:13, 30 October 2014

Full Disk Encryption or Whole Disk Encryption is a phrase that was coined by Seagate to describe their encrypting hard drive. Under such a system, the entire contents of a hard drive are encrypted. This is different from Full Volume Encryption where only certain partitions are encrypted.

Some examples of full disk encryption:

Hardware Solutions

Embedded into internal HDD

Hitachi Bulk Data Encryption ("BDE")
http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf
  • FIPS 197 (Federal Information Processing Standard 197 certification issued by NIST)
  • AES-128
Seagate Full Disk Encryption ("FDE")
http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
Seagate's encrypted drives are only available as OEM products. Seagate provides no software to utilize encrypted drive features (such as key management). There is a proprietary Windows-only API, but it is not available to the public.
  • FIPS 140-2 (Federal Information Processing Standard 140-2 certification issued by NIST)
Toshiba Self-Encrypting Drives ("SED")
  • AES-256 (certification issued by NIST)

Supplemental Hardware / External Chassis

Addonics product lines
http://www.addonics.com/products/cipher/CPD256U.asp
Apricorn product lines
http://www.apricorn.com/products.php?cat_id=72
DigiSafe
http://www.digisafe.com/products/products_DiskCryptMobile.htm
Eracom Technology DiskProtect
http://www.eracom-tech.com/drive_encryption.0.html
iStorage DiskCrypt Mobile
http://www.istorage-uk.com/diskcryptmobile.php
Network Appliance (Decru)
http://www.netapp.com/ftp/decru-fileshredding.pdf
http://www.netapp.com/us/products/storage-security-systems/
http://www.forensicswiki.org/images/6/6f/Securing_Storage_White_Paper.pdf (Decru white paper)

Software Solutions

beCrypt
http://www.becrypt.com/our_products/disk_protect.php
BitArmor DataControl
FDE tool that protects fixed and removable media.
BitLocker
Part of Windows Vista that uses AES 128 or 256 bit encryption
CGD
Cryptographic Device Driver. Provides transparent full disk encryption for NetBSD.
Supports various ciphers: AES (128 bit blocksize; accepts 128, 192 or 256 bit keys), Blowfish (64 bit blocksize; accepts 128 bit keys) and 3DES (64 bit blocksize; accepts 192 bit keys, of which only 168 bits are actually used for encryption).
http://www.netbsd.org/docs/guide/en/chap-cgd.html
Checkpoint Full Disk Encryption
http://www.checkpoint.com/products/datasecurity/pc/
DiskCryptor
Free solution provided under GNU General Public License.
http://diskcryptor.net/index.php/DiskCryptor_en
FreeOTFE
Transparent on-the-fly encryption for MS Windows and Windows Mobile PDAs. Also supports mounting Linux dm-crypt and LUKS volumes.
http://www.FreeOTFE.org/
GBDE
GEOM Based Disk Encryption. Provides transparent full disk and swap encryption for FreeBSD. Supported ciphers: AES (128 bit).
Supports hidden volumes and Pre-Boot Authentication.
Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.
http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html
http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf
GELI
Cryptographic GEOM class. Provides transparent full disk encryption for FreeBSD. Supports various ciphers: AES, Blowfish and 3DES.
Supports hidden volumes and Pre-Boot Authentication.
http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8
FileVault Disk Encryption
Jetico BestCrypt
http://www.jetico.com/
loop-AES
Transparent file system and swap encryption for Linux using the loopback device and AES.
http://sourceforge.net/projects/loop-aes/
Linux Unified Key Setup (LUKS) or dm-crypt
Transparent file system and swap encryption for Linux using the Linux 2.6 device mapper. Supports various ciphers and Linux Unified Key Setup (LUKS).
http://www.saout.de/misc/dm-crypt/
PGPDisk
Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot authentication for Windows. Also supports Mac OS X 10.4 (non-boot disks only).
Can use OpenPGP RFC 2440 keys and X.509 keys for authentication.
Supports USB Tokens for authentication.
Supported ciphers: AES (256 bit keys).
http://www.pgp.com/products/wholediskencryption/
SafeGuard Easy
Certified according to Common Criteria EAL3 and FIPS 140-2
Encryption algorithms supported: AES (128 and 256 bit) and IDEA (128 bit)
Provides complete hard drive encryption including the boot disk.
http://www.utimaco.us/products
SECUDE
SECUDE provides a software and hardware solution for full disk encryption.
http://www.secude.com
Securstar DriveCrypt
http://www.securstar.com/products_drivecryptpp.php
TrueCrypt
Transparent full disk encryption for Linux and Windows. Supports AES (256 bit), Serpent and Twofish.
Supports hidden volumes within TrueCrypt volumes (plausible deniability).
http://www.truecrypt.org/
vnconfig
The -K option of OpenBSD vnconfig(8) associates an encryption key with the svnd device. Supports saltfiles. Supported ciphers: Blowfish.
http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8

Full Disk Encryption Analysis Tools

Because full disk encryption software is updated continually and varies between products, digital forensics tools cover each product unevenly. Additionally, each forensic tool may support only limited versions of the encryption software, as noted in the table below:

{| class="wikitable sortable"
|-
! Solution
! Check Point (PointSec PC)
! Credant Mobile Guardian
! Dell Data Protection
! GuardianEdge Encryption Plus/Anywhere
! GuardianEdge Hard Disk Encryption
! FileVault Disk Encryption
! Linux Unified Key Setup (LUKS)
! McAfee Endpoint (SafeBoot)
! Microsoft BitLocker
! Sophos SafeGuard Easy
! Sophos SafeGuard Enterprise
! Symantec/PGP Whole Disk
! Symantec Endpoint
! TrueCrypt
! WinMagic SecureDoc
|-
! EnCase Forensics v6
| No || No || No || Yes || Yes || unknown || unknown || Yes || Yes || Yes || Yes || Yes || No || No || Yes
|-
! EnCase Forensics v7
| 6.3.1 to 7.4, 8.0 || 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 || 8.3 || 7 and 8 (No 64-bit support) || 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 || unknown || unknown || 4.x, 5.x, 6.x, 7.x || Windows Vista, 7, 8, Server 2008 || 4.5, 5.5, 5.6, 6.0 || 4.5, 5.5, 5.6, 6.0 || 9.8, 9.9, 10.0, 10.1, 10.2 || 7.0.2 through 7.0.8, 8.0, 8.2 || No || 4.5, 4.6, 5.x, 6.x
|-
! AccessData FTK v3
| unknown || unknown || unknown || unknown || unknown || unknown || unknown || 4.x, 5.x, 6.x [http://digfor.blogspot.com/2011/07/safeboot-with-encase-or-ftk_18.html] || unknown || unknown || unknown || unknown || unknown || unknown || unknown
|-
! X-Ways
| unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown || unknown
|-
! Other Applications
| unknown || unknown || unknown || unknown || unknown || libfvde || libluksde || unknown || dislocker, libbde || unknown || unknown || unknown || unknown || unknown || unknown
|}

External Links