RE: encryption question

From: Bryan E. Glancey (bryan.glanceyat_private)
Date: Thu Jan 23 2003 - 08:49:50 PST


    There are several 'lightweight' answers to this question and one that
    solves your problem.
    
    	The real answer is a FIPS certified encryption product that
    encrypts the information on the hard disk and then keeps a 'key escrow'
    of the encryption key. Don't let anyone tell you that EFS is an answer
    for this. EFS is not meant to solve a problem like this - if ten people
    all reply to this message arguing, I will demonstrate to you all the
    hacking of the recovery agent and you can all go home with your tails
    between your legs (I did the demonstration at Defcon a while ago).
    
    	Some good products that address the encryption with key recovery
    and are FIPS certified (so you can use them in the Army :) ) are:
    
    	Pointsec		www.pointsec.com
    	Winmagic		www.winmagic.com
    
    With these tools you get very good security of 256-bit AES full disk
    encryption combined with a recovery key that you store on your secure
    server somewhere in case of emergency.
    
    Bryan Glancey
    bryan.glanceyat_private
    Manager of Security Solutions
    EPS Technology
    999 Executive Parkway Drive 
    St. Louis, MO 63141 USA
    http://www.epsione.com/
    314-205-2300
    314-205-2303 fax
    
    
    
    -----Original Message-----
    From: Ansel, Kenny L. (Sytex Contractor)
    [mailto:kenny.ansel.sytex@arrtc-exch.mccoy.army.mil] 
    Sent: Tuesday, January 21, 2003 8:14 AM
    To: 'Darren Welch '; 'forensicsat_private '
    Subject: RE: encryption question
    
    That doesn't sound like two factor authentication...anyway..
    
    You should NEVER 'tamper' with the original image!!  Always make an exact
    copy (with whatever you use that does the image bit for bit).  Then once you
    get the image...'tamper with the image'....this way the original is always
    'as is'.  This is very important for many reasons....one important reason is
    for the courts of law.
    
    Secondly, as far as getting the key to decrypt...yea, most OSs require you
    to be the admin.  There are always ways to become the administrator if the
    'real' admin is unavailable!!
    
    Kenny Ansel
    
    -----Original Message-----
    From: Darren Welch
    To: forensicsat_private
    Sent: 1/16/03 3:27 PM
    Subject: encryption question
    
    
    As a CISSP I have a task to protect information by locking down the info on
    the pc with encryption. Also as a forensic examiner I am tasked with making
    forensic images and conducting examinations in support of corporate
    investigations, essentially getting into the information I am tasked with
    protecting. There are many products that do hard disk encryption but I have
    experienced major problems in making acquisitions without first decrypting
    the drive thus tampering with evidence. As far as directory level encryption
    the security requirement would be to use a hardware key to authenticate to
    the encrypted directory (two factor authentication) but as an examiner, the
    hardware key would need to contain administrator in addition to user
    accounts or policies which would enable me to conduct a sound investigation.
    Has anyone been in the same situation or know of any company that offers
    this? Thanks
    
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 15:09:50 PST