Any decision you make when securing digital evidence on scene can make or break your department's ability to recover evidence and build a case. The following are practices employed by experts such as Elijaht digital forensics investigators for securing a computer, particularly one that is powered ON and probably encrypted.
- Dealing with power, accessibility and encryption
The conventional way to secure the evidence is to unplug the device from the power source, which avoids any unanticipated changes to data that could take place during a normal shutdown. The rise of data encryption, however, forces a small change to that protocol. If the system is ON and accessible, a few cursory checks for encryption need to be performed before you do anything else. If the hard drive is encrypted, the data on it is inaccessible to a forensic examiner without the proper password. So, if the system is ON, accessible and encrypted, you have a chance to capture data from the drive that would be lost if you simply unplugged the device. If you find the device encrypted, consult a professional forensic examiner who can conduct a field analysis of it.
- Finding out if the data is encrypted
Detecting full disk encryption on a system that is ON is fairly easy. Start by determining the OS and version, as certain versions support full-disk or full-volume encryption schemes such as Windows BitLocker. This feature is found on most modern versions of Windows and may be enabled by default on certain clean installs of Windows 8.1 Pro and higher. To check for Windows BitLocker, view the list of the computer's hard drives: go to Start > Computer or open File Explorer, then check the list of storage media connected to the computer. A BitLocker-protected drive shows a closed padlock on its icon.
Pay close attention to the volume names. Volume names like CRYPT, VAULT or LOCKED are a clue that volume-level encryption exists. If BitLocker is ruled out, look for other encryption tools:
- Check the Desktop and closely inspect all desktop icons. Look for programs named VeraCrypt, PGP, BestCrypt, TrueCrypt or FreeOTFE.
- Inspect the System Tray for icons related to FreeOTFE.
- Inspect the program list for apps capable of providing encryption. Go to Start > Programs, or to the Program Files folder in File Explorer. Look for names like VeraCrypt, PGP, Jetico, BestCrypt, Protector, Kremlin, Shredder, and anything that says Encrypt or Crypt. These programs signify an encrypted drive or volume.
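The checks above collected into one read-only triage script, as an added example that is not part of the original article. It assumes PowerShell 5 or later in an administrative prompt, that the BitLocker module is present (manage-bde is the fallback), and that E:\triage is the examiner's own removable drive, so the record is never written to the evidence disk; the keyword list is an assumption built from the names the article mentions.

```powershell
# Added example, not from the original article. Every call below only reads
# system state; the record is written to the examiner's own media.
$OutDir   = 'E:\triage'   # assumption: examiner's removable drive, not the evidence disk
$Keywords = 'VeraCrypt','TrueCrypt','PGP','BestCrypt','Jetico','FreeOTFE',
            'Protector','Kremlin','Shredder','Encrypt','Crypt'   # from the article's list
$Pattern  = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Report   = [System.Collections.Generic.List[string]]::new()

# 1. BitLocker status: cmdlet first, manage-bde as fallback where the module is absent.
try {
    Get-BitLockerVolume -ErrorAction Stop | ForEach-Object {
        $Report.Add("BitLocker $($_.MountPoint): $($_.VolumeStatus), protection $($_.ProtectionStatus)")
    }
} catch {
    $Report.Add('BitLocker cmdlet unavailable; manage-bde output follows')
    $Report.Add((& manage-bde.exe -status 2>&1 | Out-String))
}

# 2. Volume labels such as CRYPT, VAULT or LOCKED hint at volume-level encryption.
Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.VolumeName -match 'CRYPT|VAULT|LOCKED' } |
    ForEach-Object { $Report.Add("Suspicious volume label $($_.DeviceID) '$($_.VolumeName)'") }

# 3. Installed programs (64-bit and 32-bit uninstall hives) whose names match the list.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    ForEach-Object { $Report.Add("Installed program: $($_.DisplayName)") }

# 4. Desktop shortcuts and running processes (a mounted container keeps its tool running).
$Desktops = "$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop"
Get-ChildItem $Desktops -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $Pattern } |
    ForEach-Object { $Report.Add("Desktop shortcut: $($_.Name)") }
Get-Process | Where-Object { $_.ProcessName -match $Pattern } |
    ForEach-Object { $Report.Add("Running process: $($_.ProcessName) (PID $($_.Id))") }

# 5. Timestamped record of what was observed, kept on the examiner's media.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Report | Tee-Object -FilePath (Join-Path $OutDir "encryption-triage-$Stamp.txt")
```

Any hit in sections 1 to 4 means the device should be treated as encrypted and handed to an examiner for field analysis before power is removed.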