Difference between pages "Spyware detection tools" and "Defeating Whole Disk Encryption"

From ForensicsWiki
Spyware detection tools

Spyware detection tools can find the presence of spyware (but not always). Some tools will only find spyware on the running system; others can find it on any disk.

It is useful to know if there is spyware on a system you are investigating, because the finding cuts both ways.

If you are trying to prove guilt of the system's primary user:

* You need to understand what the spyware on the system can do and what it can't do, so that activity attributed to the user cannot plausibly be attributed to the spyware instead.

If you are trying to prove innocence:

* The presence of spyware can mean that someone else was running the system.

One way to find spyware is to set up a virtual machine with a disk image of the captured system, install the spyware detector, and then

Tools recommended for finding spyware in a forensic context:

* Spyware Doctor (in Google Pack)

Defeating Whole Disk Encryption (revision as of 01:03, 15 October 2007)

PGP Whole Disk Encryption can generate a "temporary key." Normally, using the temporary key leaves a trace on the disk being cracked, but according to a recent CyberSpeak podcast the feature still works when the drive is attached through a write-blocker.

BitLocker: a BitLocker-protected data volume can be unlocked from the command line with the manage-bde.wsf script (run under cscript on Windows Vista), and auto-unlock can then be enabled so that the key needed to open the volume is stored on the system volume and the drive mounts without prompting. The unlock step needs the volume's 48-digit recovery password (or the recovery key file via -RecoveryKey); replace C: with the letter of the evidence volume as mounted on the examination machine, since auto-unlock applies to data volumes, not the volume Windows booted from. Both commands write to the volume's BitLocker metadata, so run them against a working copy of the image rather than the original disk. Use these commands:

 cscript manage-bde.wsf -unlock C: -RecoveryPassword <48-digit-recovery-password>
 cscript manage-bde.wsf -autounlock -enable C:
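As an added example (not from the ForensicsWiki page, and not Microsoft's documentation), the same two steps as a PowerShell script for Windows 7 or later, where manage-bde is a stand-alone executable rather than the Vista-era manage-bde.wsf script. The script name, the volume letter and the recovery password are assumptions; the script checks the recovery password format and each command's exit code, and finishes with -status so the examiner can confirm that the volume is unlocked and auto-unlock is enabled.

```powershell
# Unlock-EvidenceVolume.ps1 (added example, not the wiki page's own commands)
# Unlocks a BitLocker data volume from its 48-digit recovery password, enables
# auto-unlock, and prints the resulting status.
# Assumes: Windows 7 or later with manage-bde.exe on PATH, an elevated prompt,
# and a volume mounted from a *working copy* of the evidence image, because
# both -unlock and -autounlock write to the volume's BitLocker metadata.
param(
    [Parameter(Mandatory)] [string] $Volume,            # assumed, e.g. "E:"
    [Parameter(Mandatory)] [string] $RecoveryPassword   # assumed, 48 digits
)

# Normalise the recovery password: strip spaces and hyphens, require exactly
# 48 digits, then re-insert a hyphen after every 6 digits (the form that
# manage-bde prints and accepts).
$digits = $RecoveryPassword -replace '[\s-]', ''
if ($digits -notmatch '^\d{48}$') {
    throw "Recovery password must be 48 digits (got '$RecoveryPassword')"
}
$formatted = $digits -replace '(\d{6})(?=\d)', '$1-'

# Step 1: unlock the volume with the recovery password.
manage-bde -unlock $Volume -RecoveryPassword $formatted
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -unlock $Volume failed with exit code $LASTEXITCODE"
}

# Step 2: store the volume's external key on the OS volume so it opens
# without a prompt on later boots. Valid for data volumes only; the OS
# volume itself must already be BitLocker-protected for this to succeed.
manage-bde -autounlock -enable $Volume
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -autounlock -enable $Volume failed with exit code $LASTEXITCODE"
}

# Step 3: show the result; look for "Lock Status: Unlocked" and
# "Automatic Unlock: Enabled" in the output.
manage-bde -status $Volume
```

Invoke it as `.\Unlock-EvidenceVolume.ps1 -Volume E: -RecoveryPassword "111111-222222-..."` from an elevated PowerShell prompt. The exit-code checks matter in practice: manage-bde reports a wrong recovery password or a volume that is not BitLocker-protected through a non-zero exit code and otherwise continues, so without them the auto-unlock step would run against a volume that was never unlocked.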