Abstract
This research presents an overview of the typical disc and folder-level encryption that a digital forensic investigator may encounter when investigating a Linux operating system. Based on prior first-hand experience and significant follow-up testing and research, this work examines the operation of such encryption from the user's perspective, discusses how the encryption operates “under the hood”; and explores methods and techniques that can be used to access and retrieve data from such encrypted devices, both during at-scene/live forensic investigation and also post-scene. Worked examples are presented, to aid the reader's understanding. This research also presents considerations, approaches and steps that can be used by an investigator, in order to maximise the potential for data acquisition, and most crucially discusses lessons learnt to facilitate getting the best evidence in such cases. A breakdown of the binary structure of the key files associated with fscrypt is also presented, for reference. Current limitations and gaps in knowledge are also discussed.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: Forensic Science International: Digital Investigation
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
