Difference between pages "Full Disk Encryption" and "Cell Phone Forensics"

From Forensics Wiki
Full Disk Encryption

'''Full Disk Encryption''' or '''Whole Disk Encryption''' is a phrase that was coined by [[Seagate]] to describe their encrypting [[hard drive]]. Under such a system, the entire contents of a hard drive are encrypted. This is different from [[Full Volume Encryption]], where only certain partitions are encrypted.

Some examples of full disk encryption:

== Hardware Solutions ==

=== Embedded into internal HDD ===

; Hitachi ''Bulk Data Encryption'' ("BDE")
: http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf

; Seagate ''Full Disk Encryption'' ("FDE")
: http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf

; Toshiba ''Self-Encrypting Drives'' ("SED")
: http://sdd.toshiba.com/main.aspx?Path=TrendsTechnology/Self-EncryptingDrives

=== Supplemental Hardware / External Chassis ===

; Addonics product lines
: http://www.addonics.com/products/cipher/CPD256U.asp

; Apricorn product lines
: http://www.apricorn.com/products.php?cat_id=72

; Eracom Technology DiskProtect
: http://www.eracom-tech.com/drive_encryption.0.html

; iStorage DiskCrypt Mobile
: http://www.istorage-uk.com/diskcryptmobile.php

; Network Appliance (Decru)
: http://www.netapp.com/ftp/decru-fileshredding.pdf
: http://www.netapp.com/us/products/storage-security-systems/
: http://www.forensicswiki.org/images/6/6f/Securing_Storage_White_Paper.pdf (Decru white paper)

== Software Solutions ==

; beCrypt
: http://www.becrypt.com/our_products/disk_protect.php

; [[BitArmor]] [[DataControl]]
: FDE tool that protects fixed and removable media.

; [[BitLocker]]
: Part of Windows Vista that uses [[AES]] 128 or 256 bit encryption.

; [[CGD]]
: Cryptographic Device Driver. Provides transparent full disk encryption for [[NetBSD]].
: Supports various [[ciphers]]: [[AES]] (128 bit blocksize; accepts 128, 192 or 256 bit keys), [[Blowfish]] (64 bit blocksize; accepts 128 bit keys) and [[3DES]] (64 bit blocksize; accepts 192 bit keys, of which only 168 bits are actually used for encryption).
: http://www.netbsd.org/docs/guide/en/chap-cgd.html

; [[Checkpoint Full Disk Encryption]]
: http://www.checkpoint.com/products/datasecurity/pc/

; [[dm-crypt]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the Linux 2.6 device mapper. Supports various [[ciphers]] and [[LUKS]] (Linux Unified Key Setup).
: http://www.saout.de/misc/dm-crypt/

; [[FreeOTFE]]
: Transparent on-the-fly encryption for [[Windows|MS Windows]] and [[Microsoft Windows Mobile|Windows Mobile]] PDAs. Also supports mounting [[Linux]] [[dm-crypt]] and [[LUKS]] volumes.
: http://www.FreeOTFE.org/

; [[GBDE]]
: [[GEOM]] Based Disk Encryption. Provides transparent full disk and swap encryption for [[FreeBSD]]. Supported [[ciphers]]: [[AES]] (128 bit).
: Supports hidden volumes and Pre-Boot Authentication.
: Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.
: http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html
: http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf

; [[GELI]]
: Cryptographic [[GEOM]] class. Provides transparent full disk encryption for [[FreeBSD]]. Supports various [[ciphers]]: [[AES]], [[Blowfish]] and [[3DES]].
: Supports hidden volumes and Pre-Boot Authentication.
: http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8

; Jetico BestCrypt
: http://www.jetico.com/

; [[loop-AES]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the loopback device and [[AES]].
: http://sourceforge.net/projects/loop-aes/

; [[PGPDisk]]
: Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot Authentication for [[Windows]]. Also supports [[MacOS]] X 10.4 (non-boot disks only).
: Can use OpenPGP RFC 2440 keys and X.509 keys for authentication.
: Supports USB tokens for authentication.
: Supported [[ciphers]]: [[AES]] (256 bit keys).
: http://www.pgp.com/products/wholediskencryption/

; [[SafeGuard Easy]]
: Certified according to [[Common Criteria]] EAL3 and FIPS 140-2.
: Encryption algorithms supported: [[AES]] (128 and 256 bit) and [[IDEA]] (128 bit).
: Provides complete [[hard drive]] encryption including the boot disk.
: http://www.utimaco.us/products

; [[SECUDE]]
: [[SECUDE]] provides a software and hardware solution for full disk encryption.
: http://www.secude.com

; Securstar DriveCrypt
: http://www.securstar.com/products_drivecryptpp.php

; [[TrueCrypt]]
: Transparent full disk encryption for [[Linux]] and [[Windows]]. Supports [[AES]] (256 bit), [[Serpent]] and [[Twofish]].
: Supports hidden volumes within TrueCrypt volumes (plausible deniability).
: http://www.truecrypt.org/

; [[DiskCryptor]]
: Free solution provided under the GNU General Public License.
: http://diskcryptor.net/index.php/DiskCryptor_en

; [[vnconfig]]
: The -K option of [[OpenBSD]] vnconfig(8) associates an encryption key with the svnd device. Supports saltfiles. Supported [[ciphers]]: [[Blowfish]].
: http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8

[[Category:Encryption]]
[[Category:Anti-Forensics]]
[[Category:Disk encryption]]

Cell Phone Forensics

== Guidelines ==

# If on, switch it off. If off, leave off.
#* Note: only under exceptional circumstances should the handset be left switched on, and in any case every precaution to prevent the handset connecting with the Communication Service Provider should be taken. Consider use of one of the many [[wireless preservation]] or [[RF isolation]] techniques. Note that the slightest signal leakage will allow an overwriting text message through even if a phone call can't get through.
#* Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off. You may wish to avoid having this part of the program run.
#* Note that removing the battery or powering off a mobile phone may introduce a handset unlock code upon powering the device on.
# Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time. When it dies, much of the data on the device may go too!
# Plug the phone in, preferably in the evidence room, as soon as possible.
# Retain [[search warrant]] (if necessary - [[LE]]).
# Return device to forensic lab if able.
# Use [[forensically sound]] tools for processing. However, also remember that ACPO Principle 2 says: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

== Notes ==

Expand on what to collect:

* [[ESN]],
* [[IMEI]],
* [[Carrier]],
* Manufacturer,
* Model Number,
* Color, and
* Other information related to the [[Cell Phone]] and [[SIM Card]]...

Process:

# Photograph the [[Cell Phone]] screen during power up.
# Research the [[Cell Phone]] for technical specifications.
# Research the [[Cell Phone]] for forensic information.
# Based on the phone type ([[GSM]], [[CDMA]], [[iDEN]], or [[Pay As You Go]]), determine the acquisition tools.

GSM:

# Phone and SIM Card
# SIM Card

CDMA:

# Phone

iDEN:

# Three major tools exist for iDEN Phones:
#* iDEN Companion Pro
#* iDEN Media Downloader
#* iDEN Phonebook Manager

Pay As You Go:

# Phone

== External Links ==

Articles and Reference Materials

*[http://www.e-evidence.info/cellarticles.html E-Evidence.Info Articles, Papers, Presentations, etc.]
*[http://esm.cis.unisa.edu.au/new_esml/resources/publications/forensic%20analysis%20of%20mobile%20phones.pdf Forensic Analysis of Mobile Phones]
*[http://www.ijde.org/docs/03_spring_art1.pdf Forensics and the GSM Mobile Telephone System]
*[http://www.cl.cam.ac.uk/~fms27/persec-2006/goodies/2006-Naccache-forensic.pdf Law Enforcement, Forensics and Mobile Communications]
*[http://www.forensics.nl/mobile-pda-forensics Mobile Phone Forensics & PDA Forensics Links]
*[http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm Netherlands Forensic Institute: Mobile Phone Forensics Examination - Basic Workflow and Preservation]
*[http://csrc.nist.gov/mobilesecurity/publications.html#MF U.S. National Institute of Standards and Technology Documents]

Conferences

*[http://www.MobileForensicsWorld.com/ Mobile Forensics World]

Investigative Support

*[http://www.search.org/files/pdf/CellphoneInvestToolkit-0806.pdf Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications]
*[http://www.e-evidence.info/cellular.html E-Evidence.Info Mobile Forensic Tools]
*[http://www.forensicfocus.com ForensicFocus.com (Practitioners Forum)]
*[http://www.hex-dump.com Hex-Dump.com (Advanced Forum for Hex Dump and Memory Analysis)]
*[http://www.Mobile-Examiner.com Mobile-Examiner.com (Forum for Practitioners)]
*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
*[http://www.mfi-training.com Mobile Forensics Training Forum (Mobile Device Investigative Support and Training)]
*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
*[http://www.Phone-Forensics.com Phone-Forensics.com (Advanced Forum for Practitioners)]
*[http://trewmte.blogspot.com TREW Mobile Telephone Evidence (Mobile Telephone Evidence Practitioner Site)]

Phone Research

*[http://www.GSMArena.com GSMArena.com (Technical information regarding GSM Cell Phones)]
*[http://www.MobileForensicsCentral.com MobileForensicsCentral.com (Information regarding Cell Phone Forensic Applications)]
*[http://www.PhoneScoop.com PhoneScoop.com (Technical information regarding all Cell Phones)]
*[http://www.ssddforensics.com/ Small Scale Digital Device Forensics Information]

Training

*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
*[http://www.MobileForensicsWorld.com/Training.aspx Mobile Forensics World Training]
*[http://www.mobileforensicstraining.com Mobile Forensics Training (Mobile Forensics Inc. Training Class site)]
*[http://www.paraben-training.com/training.html Paraben-Forensics.com (Paraben's Handheld Forensic Training Classes)]
*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
*[http://www.msab.com/training/schedule Micro Systemation Training (Mobile Forensics Training)]

Latest revision as of 08:27, 11 May 2011