
DiskCypher- The best encryption solution


Presentation Transcript


  1. DiskCypher - The best encryption solution. Presented by Uzi Kohavi, I.C.S. President

  2. The Need: • Protect crucial data and privacy by encrypting the data. • Encrypt the data at the time of data capture or Forensic Acquisition. • Encrypt the data at high speed. • Secure and standard encryption method. • Easy to use. • Easy to load, manage, handle and maintain keys. • Ways to retrieve data when a key is lost. • Ways to verify that the right key was used. • Reduce human errors. • Transparent to the OS when used on a PC. • Portable. • Low cost.

  3. The Objectives: • Hardware solution: Faster and more secure than a software solution. • SATA Interfaces: • On the device side - SATA drives are the most common in the market today. • On the host side - SATA is one of the fastest connections to the PC. • Wide Use: PC, data acquisition hardware tools (like the Solo-3 F). • Secure: Use a NIST-approved AES algorithm of 192 bits and higher.

  4. The Objectives: • Use an industry-standard Key Dongle. • Use a secure key management tool and method. • Support for lost key and disaster recovery.

  5. Solution: DiskCypher. DiskCypher is a fast and powerful hardware encryption solution. • With two SATA ports, it is plugged between a host (PC or Image MASSter Solo-3) and an “Evidence” hard drive. • It uses the NIST-approved AES 192-bit encryption algorithm in ECB mode. • It is a cost-effective solution to protect the data should it fall into the wrong hands! As with any acquisition, and in compliance with Good Forensics Practice, the Evidence Drives must be wiped/erased before use to ensure that no confusing data is left on the drive. When acquisition is done with the Solo-3, it is recommended to use the “Wipe Reminder” option from the Solo-3 menu!

  6. Solution: DiskCypher • It is easy to use: • No need for additional external power. • Small, transportable and compact. • No settings needed: when connected to a PC, it automatically encrypts all data that is sent by the OS or applications to the hard drive connected to the unit, and it decrypts all data that is read from the connected drive. • Completely transparent to the OS and other applications.

  7. Solution: DiskCypher • Minimal setup is required when DiskCypher is used with the ImageMASSter Solo-3. It is as easy as choosing between the Key Dongle or a “Key” from CF, and go. • High Speed - Encryption, hashing and data acquisition are all done at the same time (when used with the Solo-3 F). • Versatile solution - can be used in conjunction with a software solution. A drive can be encrypted with DiskCypher and decrypted with software only.

  8. Solution: DiskCypher • No need to change the way forensic users are used to capturing and analyzing drives. (Can capture DD, or 100% copy, and use EnCase, FTK or other analysis software.)

  9. Key Management • ICS introduces the Key Loader system: hardware and software tools that manage key codes and program them into the Key Dongle.

  10. Key Loader • The Key Loader is a hardware device that connects to a PC with a USB port and is controlled by ICS’s PC Key Loader Utility application. It has a special connector for a Key Dongle to be plugged into it. • The ICS application allows the user to generate, save, verify, duplicate and delete a final key code in a Key Dongle. In addition, it lets the user create, save and read a user key (which is not the final key) or user password, generate a final key from it and program it into the Key Dongle. Note: ICS recommends using this device with a secured PC.

  11. PC Utility Screenshots - Create new key:

  12. Upload a key

  13. Read a key

  14. Decrypt drive

  15. Corp Key, Upload

  16. Solo-3 Screenshots

  17. DiskCypher and Solo-3. Maximum flexibility and security is achieved when used with the Solo-3 unit. Two methods of key loading are available: • One is the typical Key Dongle. • The second is the SATA API method. The powerful API method supported by the Solo-3 unit adds flexibility, security, reliability and ease of use to the encryption system.

  18. Advantage of Use With Solo-3 • Prepare a User Key Code (UKEY) on a PC with ICS’s application and save it on a CF. A CF is supplied with the Solo-3 unit and must be plugged into the unit during encrypted operation. The Solo-3 uses this UKEY to generate the final key code to be sent to the DiskCypher. The final key is not stored anywhere and is used only at the time of encryption. • User Key (UKEY) codes can be generated on the Solo-3 as well. The user can type a password on the Solo-3 keyboard and/or save it to the CF or use it at the time of encryption. Warning: If the Key Dongle is not plugged in properly and the external key is selected, a red LED will blink and light up and the operation will abort.

  19. Advantage of Use With Solo-3 • Up to 2 DiskCyphers on both “Evidence” (target) ports, with one key, can be used. The Solo-3 automatically detects the target port/ports that a DiskCypher is plugged into. Here are some possible scenarios when used with two “Evidence” hard drives: 1. Two DiskCyphers with two external dongles - the user chooses the external key option, and the Solo-3 s/w will encrypt the 2 “Evidence” hard drives with different keys. 2. One DiskCypher is used. One “Evidence” hard drive is used with DiskCypher and the other “Evidence” drive is used without DiskCypher. The Solo-3 s/w will encrypt one hard drive and the second hard drive will not be encrypted. 3. Two DiskCyphers are used with the internal key option. The Solo-3 s/w will request only one user key and use it for both target drives.

  20. Advantage of Use With Solo-3 4. Two DiskCyphers are used, one with an external dongle and the other one without. The Solo-3 will abort.

  21. Advantage of Use With Solo-3 • Key verify – When a Key Dongle is used, the Solo-3 s/w can verify, at the time of acquisition and encryption, that the Key Dongle is functional, is plugged in properly and is the correct one (out of the many in the pocket) - the one that the user intended to use. This important feature safeguards against user or system error that can result in major data loss. This verify option forces the user either to enter a password from the Solo-3 touch screen or to retrieve a user key from a CF. The Solo-3 unit then verifies that the password or the user key and the dongle match.

  22. Solo-3 Key Verify Option procedure. The procedure is: Copy one sector from the “Suspect”/master drive and write it to the “Evidence”/target drive (encrypting it with the Key Dongle). Read back and decrypt the same sector from the “Evidence”/target drive with the key that is generated from the password or from the CF and passed to the drive through the SATA command, and compare it to the original sector. If they compare OK, proceed to copy; otherwise the Solo-3 s/w will abort the operation and alert the user of a mismatch between the keys.

  23. Solo-3 Automatic hardware check. The Solo-3 software will perform an automatic process on each “Evidence” port that a DiskCypher is attached to. The procedure includes copying one sector from the “Suspect” drive to the “Evidence” drive(s), reading back the same sector and comparing the two. This is done with the selected key, either a Key Dongle or a CF key. This automatic check verifies the entire hardware and all connections. It does not verify which key is being used.

  24. Solo-3 Verify Key Utility with a drive that was encrypted before!

  25. Verify Key on Solo-3 without the DiskCypher: • This operation, upon prompting for a key, will verify that a drive connected to the “Suspect”/master port on the Solo-3 has been encrypted with that key. • Note: The drive needs to have a valid Master Boot Record (MBR) in order to be verified. The Solo-3 s/w will ask the user to enter a key from CF or a password; it will produce the final encryption key; it will read the MBR from that drive and decrypt that sector using decryption software. Then it will check for a valid MBR signature.

  26. Verify Key Dongle on Solo-3 with the use of a DiskCypher • It verifies that a drive is encrypted with a Key Dongle. The drive needs to be connected to a DiskCypher with a Key Dongle and connected to the “Suspect” port position of the Solo-3. • The Solo-3 software will read the MBR from the connected hard drive. The DiskCypher will decrypt the MBR using the Key Dongle and will check the validity of the MBR by reading the sector signature.
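
The MBR-signature key check from slides 25 and 26, as an added example (not ICS code). A hashlib-based Feistel network stands in for AES-192 so the block runs without a crypto library; `derive_key`, its salt, the password and the sample sector are assumptions made for the illustration. It also measures how many wrong keys pass a two-byte signature check (about one in 65,536 is expected) and adds a stricter partition-table check.

```python
import hashlib, struct

BLOCK = 16  # block size in bytes, same as AES

def derive_key(password: str) -> bytes:
    # Assumption: the slides do not say how the final key is derived; PBKDF2 is used here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000, dklen=24)

def _f(key: bytes, i: int, half: int) -> int:
    digest = hashlib.sha256(key + bytes([i]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def encrypt_block(key: bytes, blk: bytes) -> bytes:  # Feistel stand-in for AES-192, not real AES
    l, r = int.from_bytes(blk[:8], "big"), int.from_bytes(blk[8:], "big")
    for i in range(4):
        l, r = r, l ^ _f(key, i, r)
    return l.to_bytes(8, "big") + r.to_bytes(8, "big")

def decrypt_block(key: bytes, blk: bytes) -> bytes:
    l, r = int.from_bytes(blk[:8], "big"), int.from_bytes(blk[8:], "big")
    for i in reversed(range(4)):
        l, r = r ^ _f(key, i, l), l
    return l.to_bytes(8, "big") + r.to_bytes(8, "big")

def ecb(fn, key: bytes, data: bytes) -> bytes:
    return b"".join(fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def sample_mbr() -> bytes:
    # Constructed sector: empty boot code, one active partition entry, 0x55AA signature.
    entry = bytes([0x80, 0, 1, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def verify_key(enc: bytes, key: bytes, strict: bool = False) -> bool:
    # ECB blocks are independent, so only the blocks holding the checked bytes are decrypted.
    if decrypt_block(key, enc[496:512])[14:] != b"\x55\xaa":  # the check the slide describes
        return False
    if not strict:
        return True
    # Added stricter check: each partition status byte must be 0x00 or 0x80.
    table = ecb(decrypt_block, key, enc[432:496])
    return all(table[14 + 16 * i] in (0x00, 0x80) for i in range(4))

def false_accepts(enc: bytes, n: int, strict: bool = False) -> int:  # wrong keys 0..n-1 that verify
    return sum(verify_key(enc, k.to_bytes(24, "big"), strict) for k in range(n))

if __name__ == "__main__":
    enc = ecb(encrypt_block, derive_key("case-1234"), sample_mbr())
    print("correct key verifies:", verify_key(enc, derive_key("case-1234"), strict=True))
    print("wrong keys passing signature-only check:", false_accepts(enc, 200_000), "of 200000")
```

A signature-only pass is therefore weak evidence that the key is right; checking more known structure in the decrypted sector lowers the false-accept rate.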

  27. Warning! NOTE: User must connect the Key Dongle to the DiskCypher before turning on the power to the drive. This is true for use with Solo-3 and PC as well.

  28. Disaster Recovery Solution. Unique to DiskCypher when used with the Solo-3. • Corporate Key – a paid option, with an activation key, that is used at the time of encryption. A Corporate Key is another user key that is supplied and maintained by corporate principals. It is used to encrypt the Final Key and save it on the hard drive. In the case that a Key is lost or misplaced, the user can retrieve the Final Key and use it to decrypt the rest of the data. It can be retrieved in two ways: • Connect the encrypted SATA hard drive (with a lost Key) to the Solo-3 unit in the Master position and the Solo-3 software will do the rest. • Connect the drive to a PC and use the ICS Encryption Utility to recover the key. The same process is used with ICS’s optional default key (Key supplied by ICS).

  29. A typical scenario • On site – The forensic investigator acquires and encrypts a suspect drive with the Solo-3 and DiskCypher unit. He uses a CF or a Key Dongle. (There is no need for a notebook for the encryption step.) ICS recommends the use of ICS’s Encryption Field Kit. • Ship the encrypted drive to a lab. • Ship the Key Dongle, or use email or telephone to transfer the password or User Key to the lab. • In the Lab - (ICS recommends using the ICS Encryption Lab Kit)

  30. A typical scenario – cont. • In the Lab - If the Key Dongle was shipped and if a DiskCypher is available, connect the units to the lab computer and either decrypt the image while copying it or use the analysis software to search the evidence drive. • If the dongle was not shipped and a DiskCypher unit and Key Loader are available, use them with the ICS Encryption Utility to generate the Final Key and program it into the dongle. In this case the key has to be either shipped in a CF or the password or User Key has to be communicated to the Lab by phone or email. • If a DiskCypher unit or Key Loader is not available, use the ICS decryption software (part of the ICS Encryption Utility) to decrypt the drive. In this case use a secure PC, since the key is transferred via s/w and a sniffer program can detect that key. ICS recommends the use of ICS’s Encryption Lab Kit, which contains all the necessary hardware and software for any situation.

  31. Competition. Open-Source Disk Encryption Software - TrueCrypt: • TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). • On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. • No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. • The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, metadata). • Less secure. • Benefit: Cost - Free. Ease of use - moderate to difficult. Downside: Must be used with a computer - less portable. Speed - dependent on the CPU and algorithm; the average is 39 MB/sec.

  32. Competition cont. • Commercial Disk Encryption Software • PGP Whole Disk Encryption • Drive Tray based Encryption Solutions • Addonics’ Diamond Cipher ExDrive: Key management is very expensive and does not support disaster recovery or verify keys!

  33. Competition cont. • Benefit of using Drive Enclosure: • Speed - “on the fly encryption” at SATA speed. • Platform independent. • Ease of use. • Downside of using Drive Enclosure: • Must be used with a computer - less portable. • Slow to install - remove drives from enclosure. • If the key is lost or stolen there is no back door for the cipher encrypted hard drive. • Key Management - not possible without expensive hardware option ($2000). • No s/w features such as verify keys.

  34. Parts/Kits • DiskCypher (F.GR-9099-000A - $399) is supplied with: • SATA data and power cable to use with the Solo-3. • CF (loaded with ICS Encryption Utility). • Kits are supplied with: • Field Kit (F.GR-9102-000A - $999) • 2 DiskCypher units • 2 Key Dongles • Hard Case • Lab Kit (F.GR-9103-000A - $999) • DiskCypher • Key Loader • 2 Key Dongles • USB to SATA bridge • Power Supply to power External Drive/Bridge • Hard Case

  35. Kit pictures: Field Kit, Lab Kit

  36. Optional hardware • USB to SATA Bridge with Power Supply (CSAR-0222-000A - $60). • Key Dongle (F.GR-9100-000A - $25). • Key Loader (F.GR-9101-000A - $395). • PCI E-SATA controller card (CSAR-0223-000A - $80). • PCI SATA controller card (CSAR-0224-000A - $80).

  37. The end! • Thank you for being very patient
