Accessing a locked system is always a challenge. Full-disk encryption presents an immediate challenge to forensic experts. When acquiring computers with encrypted system volumes, the investigation cannot go forward without breaking the encryption first. By Oleg Afonin from ElcomSoft.
Traditionally, experts would remove the hard drive(s), make disk images and work from there. There is a faster and easier way to access the information required to break full-disk encryption: boot from a flash drive, extract the system’s hibernation keys and obtain the encryption metadata required to brute-force the original plain-text passwords to the encrypted volumes.
The article provides the following information for forensic experts:
- Dealing with full-disk encryption
- No encryption: do I still need a password?
- Why not reset the password?
- Launching the chain reaction
- Recovering the Windows logon password
Whether or not you are able to recover the password with a preliminary attack is a matter of luck, especially if there are multiple users or a domain controller in place. If you were unable to recover the particular user’s Windows logon password, as a last resort, you may reset the account password (or remove account lock if it was locked).