RE: encryption question

From: Bryan E. Glancey <bryan.glancey(at)epstechnology.com>
Date: Thu Jan 23 2003 - 11:49:50 EST


There are several 'lightweight' answers to this question and one that solves your problem.

The real answer is a FIPS certified encryption product that encrypts the information on the hard disk and then keeps a 'key escrow' of the encryption key. Don't let anyone tell you the EFS is an answer for this. EFS is not meant to solve a problem like this - if ten people all reply to this message arguing I will demonstrate to you all the hacking of the recovery agent and you can all go home with your tails between your legs (I did the demonstration at Defcon a while ago).

Some good products that address the encryption with key recovery and are FIPS certified (so you can use them in the Army :) ) are:

	Pointsec		www.pointsec.com
	Winmagic		www.winmagic.com

With these tools you get very good security of 256-bit AES full disk encryption combined with a recovery key that you store on your secure server somewhere in case of emergency.

Bryan Glancey
bryan.glancey@epstechnology.com
Manager of Security Solutions
EPS Technology
999 Executive Parkway Drive
St. Louis, MO 63141 USA
http://www.epsione.com/
314-205-2300
314-205-2303 fax

-----Original Message-----

From: Ansel, Kenny L. (Sytex Contractor) [mailto:kenny.ansel.sytex@arrtc-exch.mccoy.army.mil]
Sent: Tuesday, January 21, 2003 8:14 AM
To: 'Darren Welch '; 'forensics@securityfocus.com '
Subject: RE: encryption question

 That doesn't sound like two factor authentication...anyway..

You should NEVER 'tamper' with the original image!! Always make an exact
copy (with whatever you use that does the image bit for bit). Then once you
get the image...'tamper with the image'....this way the original is always
'as is'. This is very important for many reasons....one important reason is
for the courts of law.


Secondly, as far as getting the key to decrypt...yea, most OSs require you
to be the admin. There are always ways to become the administrator if the
'real' admin is unavailable!!

Kenny Ansel

-----Original Message-----

From: Darren Welch
To: forensics@securityfocus.com
Sent: 1/16/03 3:27 PM
Subject: encryption question

As a CISSP I have a task to protect information by locking down the info on
the pc with encryption. Also as a forensic examiner I am tasked with making
forensic images and conducting examinations in support of corporate investigations, essentially getting into the information I am tasked with
protecting. There are many products that do hard disk encryption but I have
experienced major problems in making acquisitions without first decrypting
the drive thus tampering with evidence. As far as directory level encryption
the security requirement would be to use a hardware key to authenticate to
the encrypted directory (two factor authentication) but as an examiner, the
hardware key would need to contain administrator in addition to user accounts or policies which would enable me to conduct a sound
investigation.
Has anyone been in the same situation or know of any company that offers
this? Thanks




This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


Received on Thu Jan 23 18:10:05 2003
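
The working-copy practice Kenny Ansel describes in the thread above (never touch the original, examine a bit-for-bit copy), shown as an added example that is not part of the original messages. It assumes the evidence is reachable as an ordinary file; the function names, file names and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size; value chosen for the example

def sha256_file(path):
    """Hash a file in chunks, opening it read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, working_copy):
    """Copy source byte for byte; return the digest recorded for the source.
    The source is opened read-only and an existing copy is never overwritten."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(working_copy, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    digest = h.hexdigest()
    if sha256_file(working_copy) != digest:  # re-read the copy from disk
        raise IOError("working copy does not match source")
    return digest

def demo():
    """Acquire a constructed sample 'disk', alter the copy, re-check the original."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.img")
        copy = os.path.join(d, "working.img")
        with open(original, "wb") as f:  # constructed sample data
            f.write(b"\x00" * 4096 + b"constructed sample sector" + b"\xff" * 4096)
        recorded = acquire(original, copy)
        with open(copy, "r+b") as f:  # examination changes the copy only
            f.seek(10)
            f.write(b"examiner change")
        return {
            "original_intact": sha256_file(original) == recorded,
            "copy_differs": sha256_file(copy) != recorded,
        }

if __name__ == "__main__":
    print(demo())
```

The digest returned by `acquire` is the value to record at acquisition time; re-hashing the original later and getting the same value is what shows it is still 'as is'.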

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:42 EDT

