
I work on criminal cases, so have a slightly different perspective to bradleyland.

> Did you ever come across any exotic filesystems that EnCase can't read, like XFS?

I've come across something "obscure" only once or twice (in several hundred cases). The bottom line is that most computer crime isn't conducted by technically adept people, but by normal people. i.e. Windows is by far the most common system, with Mac a distant (though growing) second :)

> Did this ever lock you out of any machines configured to use Whole Disk Encryption or out of encrypted, mounted volumes? You could have dumped the keys out of ram, etc.

There are all sorts of ways (as bradleyland explained) to get around this issue. The problem is that most material is seized by a normal police officer - so there is simply no way you can let them do a live acquisition :D (or indeed no way they would know they had to).

But there are all manner of ways to figure out, or sometimes crack, the encryption key and away you go :)

The times I've come across WDE I've managed to get round it fairly quickly, mostly due to "user error".



Thanks for the response!

> mostly due to "user error"

Can you elaborate on this? I'm aware of taking advantage of idiotic Firewire/USB drivers to inject code into a running system and the "evil maid" attack, but that's where my knowledge of WDE attacks stops.


Nothing fancy. Often we get a few computers in such cases, and they reuse passwords. Or write it down somewhere (that's a common one).

Or you can "guess" it from likely combinations (names, dates etc.)



