During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?
Trap 1: Decrypt the drive using the recovery key and then create a forensic…
Decrypting first modifies the drive, potentially altering evidence.
Trap 2: Run a live analysis tool to extract encryption keys from memory.
This does not address the need for a forensic image and may alter memory.
Trap 3: Boot the suspect computer and copy files to an external drive.
Booting modifies the system and does not preserve the full drive image.
- A
Decrypt the drive using the recovery key and then create a forensic image.
Why wrong: Decrypting first modifies the drive, potentially altering evidence.
- B
Run a live analysis tool to extract encryption keys from memory.
Why wrong: This does not address the need for a forensic image and may alter memory.
- C
Create a forensic image of the encrypted drive, then decrypt the image.
Why correct: This preserves the original encrypted state and allows analysis of the decrypted image.
- D
Boot the suspect computer and copy files to an external drive.
Why wrong: Booting modifies the system and does not preserve the full drive image.