On 5/2/06, Ken S <[EMAIL PROTECTED]> wrote:
How will bitlocker (or other full drive encryption products) impact forensics investigations AND normal administrative functions for machines that are 1) powered down and for those that are 2) on-line?
2) When the machine is online, there will be no difference. BindView, pstools etc will work the same way.

1) When the machine is off-line, the drive will be in an encrypted state, and the decryption keys are with the TPM. So any access to the drive in this "off-line" mode will require obtaining the decryption keys from the TPM.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
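
For the powered-down case discussed above, an added example (not part of the original thread) of a first triage step on a raw volume image: it reads the OEM ID field of the boot sector and measures byte entropy of a data sample, which is how an examiner confirms the image is ciphertext before asking for keys. The `-FVE-FS-` OEM ID used by BitLocker volumes and the 7.9 bits/byte threshold are assumptions brought in here, and both sample images are constructed.

```python
import math
import os
from collections import Counter

SECTOR = 512
OEM_OFFSET, OEM_LEN = 3, 8          # OEM ID field of a volume boot sector
BITLOCKER_OEM = b"-FVE-FS-"         # assumption: not stated in the thread
NTFS_OEM = b"NTFS    "
HIGH_ENTROPY = 7.9                  # bits/byte; illustrative threshold


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(image: bytes, sample_len: int = 64 * 1024) -> dict:
    """Classify a raw volume image from its boot sector and a data sample."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    oem = image[OEM_OFFSET:OEM_OFFSET + OEM_LEN]
    # Sample the data that follows the boot sector, not the header itself.
    h = entropy(image[SECTOR:SECTOR + sample_len])
    if oem == BITLOCKER_OEM:
        verdict = "bitlocker"               # keys needed before analysis
    elif oem == NTFS_OEM and h < HIGH_ENTROPY:
        verdict = "ntfs-plaintext"          # readable with normal tooling
    elif h >= HIGH_ENTROPY:
        verdict = "unknown-high-entropy"    # likely some other encryption
    else:
        verdict = "unknown"
    return {"oem_id": oem, "entropy": round(h, 2), "verdict": verdict}


def make_image(jump: bytes, oem: bytes, body: bytes) -> bytes:
    """Build a constructed test image: one boot sector followed by body."""
    return (jump + oem).ljust(SECTOR, b"\x00") + body


# Constructed samples: random bytes stand in for encrypted sectors.
ENCRYPTED_IMG = make_image(b"\xeb\x58\x90", BITLOCKER_OEM, os.urandom(64 * 1024))
PLAIN_IMG = make_image(b"\xeb\x52\x90", NTFS_OEM, b"FILE0 record payload " * 3200)

if __name__ == "__main__":
    for name, img in (("encrypted", ENCRYPTED_IMG), ("plain", PLAIN_IMG)):
        print(name, triage(img))
```
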
