What type of acquisition is done if the computer has an encrypted drive and the password is available?

Latest posts:

Product Update

Passware announces full macOS Ventura support across its products. The 1Password decryption option is updated with support for the latest 1Password 8 on all platforms: Windows, Linux, and macOS. Passware Kit 2022 v4 also helps users gain access to sensitive data in QuickBooks databases by brute-forcing the original passwords for specific QuickBooks accounts.

Product Update

Passware Kit Mobile 2022 v4 arrives with GPU-accelerated passcode recovery for Samsung Exynos devices, including the Galaxy S7, S7 Edge, S8, S8 Plus, and Note 8. As of this release, the software supports 200+ mobile devices and is no longer in the “Beta” stage.

How-To

A password manager app, besides passwords, can contain additional data sources, emails, connections, online banking details, and even documents. This data is very appealing to computer forensics. Let’s take a closer look into the password managers, their versions, and how difficult it is to break into them.

Product Update

Passware adds a new option to its FileVault/APFS decryption feature: deleted data recovery. Also, Passware Kit 2022 v3 instantly decrypts QuickBooks for Mac 2022 databases, extracts passwords from the Dashlane password manager for Mac, expands the range of supported Acronis versions, speeds up bcrypt password recovery on GPU, and works with hybrid Rainbow Tables.

Product Update

Passware Kit Mobile 2022 v3 introduces support for MediaTek-based LG smartphones, including the K11+ and X Power 2. The type of passcode (PIN, password, or pattern) is detected automatically, and Passware Kit Mobile performs GPU-accelerated brute-force password recovery without the device having to be connected.

Product Update

Passware introduces a password recovery option for bcrypt hashes. The new version of the Passware Kit decrypts QuickBooks 2022 databases, bypasses Windows Hello protectors on Windows 11, and recovers passwords from Dashlane browser extension databases. On top of this, the Mac version supports GPU acceleration with OpenCL technology.

How-To

When it comes to the forensic investigation of Apple devices, a Keychain analysis is of particular importance. Not only does Keychain contain passwords from websites and applications, but it can also provide computer forensics with access to the same user’s other Apple devices.

Product Update

Passware Kit 2022 v1 fully supports the latest OS releases: Windows 11 and macOS Monterey. We are continually expanding the range of file types and applications that Passware Kit supports. The new version introduces GPU-accelerated password recovery for Acronis backups.

Product Update

Passware makes it easy to handle cases with multiple encrypted disks by introducing batch mode for FDE images. It allows users to configure password recovery settings for the encrypted images and processes them one by one without user interaction. AFF4 is also supported. Passware Kit will automatically send an email whenever a password is found or the recovery process gets finished.

News

Our team has worked hard to build the next generation of decryption solutions for mobile devices – Passware Kit Mobile. We put together a short 4-minute video to summarize the key features and licensing options of the product.

How-To

Did you know that we upload technical articles and useful tips to our Knowledge Base on a regular basis? For the last 12 months, we have added a dozen new articles to the database.

Product Update

We announced a Beta version of Passware Kit Forensic for Mac in 2020. Thanks to the feedback we received from our beta testers, we were able to resolve stability, performance, and compatibility issues. Now, we are proud to announce the release version of the Passware Kit Forensic for Mac!

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is available, meaning the computer is powered on and has been logged on to by the suspect. Static acquisitions are always the preferred way to collect digital evidence. However, they do have limitations in some situations, such as an encrypted drive that’s readable only when the computer is powered on or a computer that’s accessible only over a network. For both types of acquisitions, data can be collected with four methods:

Determining the Best Acquisition Method

Posted: September 18, 2013 in Uncategorized
Tags: acquisition method, CFI, contingency planning, data forensics, Forensics, image acquisition

In digital forensics, there are 2 types of acquisitions:

  1. Static acquisition: the preferred way to collect digital evidence when a computer is seized during a police raid.
  2. Live acquisition: the way to collect digital evidence when a computer is powered on and the suspect has logged on to it. This type is preferred when the hard disk is encrypted with a password.

For both types, there are 4 methods of collecting data:

  1. Creating a disk-to-image file: the most common method of collecting data. It allows the investigator to create one or many bit-for-bit replications of the original drive. With this method, any of the forensics tools such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART, and Sleuth Kit can be used to read the different types of disk-to-image files.
  2. Creating a disk-to-disk copy: used when disk-to-image acquisition runs into hardware or software errors due to incompatibilities. It copies the entire disk to a newer disk using forensics tools such as EnCase and SafeBack. These tools can adjust the target disk’s geometry to match the original drive.
  3. Creating a logical disk-to-disk or disk-to-data file: the preferred method for large data storage such as RAID servers. This method captures only specific files or file types of interest to the case. It is used when time is limited.
  4. Creating a sparse copy of a folder or file: this method is similar to creating a logical acquisition, but it also collects deleted (unallocated) data. It is also used when an investigator doesn’t need to examine the whole drive.
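
The disk-to-image method from the list above, as an added example that is not part of the original post or of GCFI: a raw `dd` copy whose SHA-256 digest is compared with the source to show the image is bit-for-bit identical, and re-checked later against the recorded value. The function names and the `.sha256` sidecar file are assumptions made for this sketch, and the "drive" is a constructed 1 MiB file.

```shell
#!/bin/sh
# Added example: disk-to-image acquisition with hash verification.
# Function names are hypothetical. In real use SRC is a write-blocked device.

hash_of() {    # print the SHA-256 digest of a file or block device
    sha256sum "$1" | awk '{print $1}'
}

# acquire_image SRC DST: copy SRC bit-for-bit into DST and verify the copy.
# Returns 0 only when the source and image digests match.
acquire_image() {
    src=$1; dst=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 3; fi
    src_hash=$(hash_of "$src")
    # No conv=noerror,sync here: a read error aborts the copy instead of
    # silently zero-padding the image.
    dd if="$src" of="$dst" bs=65536 2>/dev/null || return 4
    img_hash=$(hash_of "$dst")
    # Keep both digests beside the image for the case record.
    printf 'source=%s\nimage=%s\n' "$src_hash" "$img_hash" > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DST: re-hash an image later and compare with the recorded digest.
verify_image() {
    recorded=$(sed -n 's/^image=//p' "$1.sha256")
    [ -n "$recorded" ] && [ "$recorded" = "$(hash_of "$1")" ]
}

# Demo on a constructed 1 MiB file standing in for the source drive.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/source.dd" bs=1024 count=1024 2>/dev/null
acquire_image "$work/source.dd" "$work/evidence.dd" && echo "image verified"
verify_image "$work/evidence.dd" && echo "recorded digest still matches"
```
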

To determine the appropriate acquisition method, the investigator must consider the following:

  1. The size of the source disk.
  2. Whether you can retain the source disk as evidence or must return it to the owner.
  3. The time available to perform the acquisition.
  4. The location of the evidence.

Source: GCFI, 4th ed, Ch4