Decrypting evidence
For many evidence sources, if you installed the Passware plugin, AXIOM Process detects whether an evidence source is encrypted and, where possible, the type of encryption method that was used. You can also attempt to decrypt software-encrypted evidence from an APFS-formatted macOS computer, without requiring the Passware plugin.
For supported encryption types, you can provide known decryption credentials, such as passwords and recovery keys, to decrypt the evidence source before AXIOM Process searches it. For some evidence sources, if you don't know the password, you can try cracking it; otherwise, AXIOM Process attempts a sector-level search of the drive.
For Windows 10 devices that have BitLocker Device Encryption turned on (including many Microsoft Surface Pro devices), AXIOM Process will automatically try to recover a clear key from the Master Boot Record (MBR). If AXIOM Process finds a clear key in the MBR, it will then try to decrypt the device using that key. If AXIOM Process is unable to automatically decrypt the device, you're prompted to provide known decryption credentials for the device.
In AXIOM Process, a locked icon appears beside both decrypted and encrypted partitions, as it's not guaranteed that AXIOM Process will successfully decrypt the drive.
During a search, AXIOM Process adds the decrypted evidence source and the password that successfully decrypted the evidence source to the case folder. For decrypted evidence from a macOS computer with the APFS file system, you'll find a decrypted image for each partition. Before you attempt to decrypt an evidence source, make sure you have enough space for the decrypted images.
Skip ahead to:
- Decrypt evidence with a known password or recovery key
- Decrypt a McAfee-encrypted evidence source with a machine key
- Decrypt a FileVault-encrypted evidence source with a password and a wipe key
- Decrypt a VeraCrypt-encrypted partition with a password and a PIM
- Decrypt an evidence source by cracking the password
- Supported encryption types
Decrypt evidence with a known password or recovery key
If you know the password or recovery key for an evidence source, you can attempt to decrypt it. For evidence from a macOS computer with the APFS file system, AXIOM Process supports user passwords or personal recovery keys, and, in some cases, might be able to display a password hint.
- In the Decryption option drop-down list, click I have the password/recovery key.
- In the Password/Recovery key field, provide a password or recovery key.
- To verify that the password is correct, click Check.
- To finish setting up your case, click Next.
Decrypt a McAfee-encrypted evidence source with a machine key
If you don't know the password for a McAfee-encrypted evidence source, you can attempt to decrypt it using a machine key. Machine keys are Base64 strings that must be 44 characters long and are unique to each computer. If you provide a machine key in the correct format but the key is incorrect (for example, the key is not associated with the evidence you are trying to decrypt), AXIOM Process attempts to decrypt the evidence source but creates an image without any results.
Obtain the machine key XML file from the McAfee administrator. The key is at the bottom of the file, between the <MfeEpeExportMachineKey> tags.
In AXIOM Process, when you attempt to decrypt a drive, only the largest partition appears to be available, as McAfee encrypts entire drives and not individual partitions.
- In the Decryption option drop-down list, click I have the machine key.
- In the Machine key field, paste the 44-character machine key from the XML file.
- To verify that the password is correct, click Check.
- To continue setting up your case, click Next.
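Because a well-formed but wrong machine key produces an image with no results, it is worth confirming that the value you are about to paste is really the 44-character Base64 key from the export file. The following Python is an added example, not part of AXIOM Process or McAfee's tooling: it pulls the text out of the <MfeEpeExportMachineKey> element and checks that it is exactly 44 characters of valid Base64 that decodes to 32 bytes. The surrounding XML structure and the key value are constructed for the example; only the element name comes from the documentation, and the 32-byte decoded length is an assumption based on 44 Base64 characters with one padding character.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample export. Only the <MfeEpeExportMachineKey> element name is
# taken from the documentation; the rest of the structure is assumed, and the
# key is simply the bytes 0x00..0x1f encoded as Base64.
SAMPLE_EXPORT_XML = """<?xml version="1.0" encoding="utf-8"?>
<MfeEpeExport>
  <MachineName>WORKSTATION-01</MachineName>
  <MfeEpeExportMachineKey>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</MfeEpeExportMachineKey>
</MfeEpeExport>
"""

MACHINE_KEY_LENGTH = 44          # documented length of the Base64 string
MACHINE_KEY_RAW_BYTES = 32       # assumption: 44 Base64 chars with one '=' pad


def extract_machine_key(xml_text: str) -> str:
    """Return the text of the last <MfeEpeExportMachineKey> element in the file."""
    root = ET.fromstring(xml_text)
    if root.tag == "MfeEpeExportMachineKey":
        elements = [root]
    else:
        elements = root.findall(".//MfeEpeExportMachineKey")
    if not elements:
        raise ValueError("no <MfeEpeExportMachineKey> element found")
    # The documentation says the key sits at the bottom of the file, so take
    # the last occurrence; surrounding whitespace is not part of the key.
    return (elements[-1].text or "").strip()


def validate_machine_key(key: str) -> bytes:
    """Check the documented format (44 Base64 chars) and return the raw key bytes."""
    if len(key) != MACHINE_KEY_LENGTH:
        raise ValueError(
            f"machine key must be {MACHINE_KEY_LENGTH} characters, got {len(key)}"
        )
    try:
        raw = base64.b64decode(key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"machine key is not valid Base64: {exc}") from exc
    if len(raw) != MACHINE_KEY_RAW_BYTES:
        raise ValueError(
            f"machine key decodes to {len(raw)} bytes, expected {MACHINE_KEY_RAW_BYTES}"
        )
    return raw


def machine_key_from_export(xml_text: str) -> str:
    """Extract and validate the key; returns the string to paste into AXIOM Process."""
    key = extract_machine_key(xml_text)
    validate_machine_key(key)
    return key


if __name__ == "__main__":
    print("machine key to paste:", machine_key_from_export(SAMPLE_EXPORT_XML))
```

The format check cannot tell you whether the key belongs to the evidence source you are decrypting; it only catches truncated, re-wrapped or mis-copied values before you spend processing time on them.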
Decrypt a FileVault-encrypted evidence source with a password and a wipe key
You need both a password and a wipe key to decrypt a macOS (HFS+ and HFSX) evidence source that is encrypted by FileVault. To recover the wipe key, search the recovery partition of the macOS computer.
- In AXIOM Process, click Evidence Sources > Computer > Mac > Files and folders.
- Select the check box beside the recovery partition.
- Finish setting up your case.
- Once processing is complete, extract the following file: EncryptedRoot.plist.wipekey. This file is usually stored at \Recovery HD\com.apple.boot.P\System\Library\Caches\com.apple.corestorage\EncryptedRoot.plist.wipekey.
To decrypt the evidence source:
- In AXIOM Process, click Evidence Sources > Computer > Mac > Images or Files and folders.
- Browse to or select the evidence source you want to decrypt, and then click Next.
- In the Key file field, provide the wipe key.
- In the Password field, provide the known password.
- To verify that the password is correct, click Check.
- For each item, select the type of search you want to complete.
- To continue setting up your case, click Next.
Decrypt a VeraCrypt-encrypted partition with a password and a PIM
You need both a password and a Personal Iterations Multiplier (PIM) to decrypt VeraCrypt-encrypted partitions. The PIM specifies the number of iterations used by the header key derivation function. The higher the PIM, the more secure the encryption is. For more information about the PIM, see the VeraCrypt PIM documentation.
Note: If you enter the wrong PIM, VeraCrypt won't be able to decrypt the partition.
- In the Decryption option drop-down list, select I have the password.
- In the Password field, provide the known password.
- In the Personal iterations multiplier field, provide the PIM.
- To verify that the PIM and password are correct, click Check.
- To continue setting up your case, click Next.
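To see why the note above holds, it helps to follow the PIM into the key derivation. The following Python is an added example and not VeraCrypt's or AXIOM Process's code: it applies the iteration rule from the VeraCrypt PIM documentation (PIM x 2048 for system encryption that does not use SHA-512 or Whirlpool, otherwise 15000 + PIM x 1000) and then runs PBKDF2-HMAC over a constructed 64-byte salt, the way a VeraCrypt header key is derived. The real header layout, cipher cascades and key sizes are not reproduced; the salt, password and PIM values are constructed for the demonstration. The point it shows is that the PIM is an input to the key derivation, so a wrong PIM yields a different key and the header cannot be decrypted even when the password is right.

```python
import hashlib

# Constructed 64-byte salt standing in for the salt stored in a volume header.
SAMPLE_SALT = bytes(range(64))
SAMPLE_PASSWORD = b"correct horse battery staple"   # constructed
SAMPLE_PIM = 12                                     # constructed, kept small for speed


def veracrypt_iterations(pim: int, system_encryption: bool, hash_name: str) -> int:
    """Iteration count for a given PIM, per the VeraCrypt PIM documentation.

    System encryption with a hash other than SHA-512 or Whirlpool: PIM * 2048.
    Non-system volumes, or system encryption with SHA-512/Whirlpool: 15000 + PIM * 1000.
    A PIM of 0 (VeraCrypt's 'use the default') is deliberately not handled here.
    """
    if pim < 1:
        raise ValueError("PIM must be a positive integer for this calculation")
    strong_hash = hash_name.lower() in ("sha512", "whirlpool")
    if system_encryption and not strong_hash:
        return pim * 2048
    return 15000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim: int, *,
                      system_encryption: bool = False,
                      hash_name: str = "sha512",
                      key_len: int = 64) -> bytes:
    """PBKDF2-HMAC header-key derivation with the PIM-controlled iteration count.

    key_len=64 matches a single-cipher XTS key (two 256-bit halves); cascades
    need longer keys, which this simplified example does not model.
    """
    if len(salt) != 64:
        raise ValueError("VeraCrypt header salt is 64 bytes")
    iterations = veracrypt_iterations(pim, system_encryption, hash_name)
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, key_len)


def credentials_match(password: bytes, pim: int, salt: bytes, expected_key: bytes) -> bool:
    """Return True only if both password and PIM reproduce the expected header key."""
    return derive_header_key(password, salt, pim) == expected_key


# The key the constructed "volume" was created with: right password, right PIM.
SAMPLE_HEADER_KEY = derive_header_key(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_PIM)


if __name__ == "__main__":
    for pim in (SAMPLE_PIM, SAMPLE_PIM + 1):
        ok = credentials_match(SAMPLE_PASSWORD, pim, SAMPLE_SALT, SAMPLE_HEADER_KEY)
        print(f"PIM {pim}: {veracrypt_iterations(pim, False, 'sha512')} iterations, "
              f"key matches: {ok}")
```

The two iteration formulas explain the numbers an examiner sees in practice: a non-system volume with PIM 485 runs 500,000 iterations, and system encryption with SHA-256 at PIM 98 runs 200,704. A higher PIM therefore costs more time per password attempt, which is what the documentation means by "more secure".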
Decrypt an evidence source by cracking the password
To crack the password of a drive, you must be using AXIOM Process with the Passware plugin. You must also have a password list file in .txt format.
With the dictionary attack capabilities of the Passware plugin, you can use custom password lists, in .txt format, to attempt to decrypt drives, mobile devices, and images. Passware reads each new line as a separate password. Additionally, Passware reads spaces at any point in the line as part of the password.
You can use the AXIOM Wordlist Generator to retrieve a list of keywords from the devices in your case. This tool writes keywords to a .txt file that you can use to decrypt drives, mobile devices, and images.
McAfee-, APFS-, FileVault-, and VeraCrypt-encrypted evidence sources can't be decrypted using password cracking.
Warning: Password cracking can take a significant amount of time and system resources, and isn't guaranteed to work. To save time, consider cracking encrypted sources separately from sources with known passwords.
- In the Decryption option drop-down list, select I want to crack the password.
- Click Browse and browse to the location of the .txt file.
- To continue setting up your case, click Next.
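Since each line of the .txt file is read as one password and any spaces on a line are part of that password, formatting problems in the list silently change what gets tried. The following Python is an added example, not part of AXIOM Process, Passware or the AXIOM Wordlist Generator: it reads a list using exactly the two rules the documentation states (newline separates entries, spaces are kept) and reports the things that commonly go wrong when a list is assembled by hand or on Windows: a UTF-8 byte order mark, CRLF line endings, empty lines and leading or trailing spaces. How Passware itself treats those cases is not stated on this page, so the linter only flags them; the normalise step removes the BOM, carriage returns and empty lines but deliberately keeps spaces. The sample list is constructed.

```python
# Constructed sample list, as it might look after editing in Windows Notepad:
# UTF-8 BOM, CRLF line endings, a trailing space, and a blank line.
SAMPLE_LIST = "\ufeffSummer2023\r\ncorrect horse \r\n\r\nletmein\n"


def lint_password_list(text: str) -> list[tuple[int, str]]:
    """Report formatting issues as (line_number, description) tuples.

    Lines are split on '\\n' only, mirroring the documented rule that each new
    line is a separate password; spaces are never stripped.
    """
    findings: list[tuple[int, str]] = []
    if text.startswith("\ufeff"):
        findings.append((1, "file starts with a UTF-8 byte order mark"))
        text = text[1:]
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a final newline terminates the last entry; it is not an empty entry
    for number, line in enumerate(lines, start=1):
        if line.endswith("\r"):
            findings.append((number, "Windows CRLF line ending"))
            line = line[:-1]
        if line == "":
            findings.append((number, "empty line"))
            continue
        if line != line.strip(" "):
            findings.append((number, "leading or trailing space is part of the password"))
    return findings


def normalize_password_list(text: str) -> str:
    """Rewrite the list with LF endings, no BOM and no empty lines; spaces are kept."""
    if text.startswith("\ufeff"):
        text = text[1:]
    entries = []
    for line in text.split("\n"):
        if line.endswith("\r"):
            line = line[:-1]
        if line == "":
            continue
        entries.append(line)
    return "\n".join(entries) + "\n"


def load_password_list(text: str) -> list[str]:
    """Return the entries exactly as the documented rules would read them."""
    entries = text.split("\n")
    if entries and entries[-1] == "":
        entries.pop()
    return entries


if __name__ == "__main__":
    for number, issue in lint_password_list(SAMPLE_LIST):
        print(f"line {number}: {issue}")
    cleaned = normalize_password_list(SAMPLE_LIST)
    print("entries after normalising:", load_password_list(cleaned))
```

Run the linter over a list before pointing AXIOM Process at it; a trailing space that survives is a legitimate entry only if you meant it to be, and the report tells you which lines to look at.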
The Analyze evidence screen displays the cracking progress and the number of passwords that have been attempted. If the drive is successfully decrypted, the blue locked icon changes to the blue unlocked icon and AXIOM Process begins searching the drive immediately.
If password cracking is successful, that source is skipped during processing. You can find the correct password, decryption duration, and more in the Passware XML report file. This file is located in your case folder and will have a similar name to the decrypted image.
Supported encryption types
Encryption type | What's supported
---|---
BitLocker | All versions up to and including Windows 10, including BitLocker To Go. Note: If the device was encrypted on a system with a TPM (Trusted Platform Module), the recovery key is required to decrypt the image; the password will not decrypt the image.
FileVault and FileVault 2 | All versions of macOS formatted with HFS+ (non-system partitions are not supported) or APFS
McAfee Drive Encryption | McAfee 7.x and later (non-system partitions are not supported)
PGP Whole Disk Encryption (PGP WDE) | PGP Desktop 9.x - 10.x (encrypted drives can't currently be decrypted using administrator credentials)
TrueCrypt | TrueCrypt 5.0 and later (hidden and system partitions are not supported)
VeraCrypt | All current versions are supported. Encryption ciphers supported: AES, Serpent, Twofish. Encryption ciphers not supported: Kuznyechik, Magma, Camellia. Hash functions supported: RIPEMD-160, SHA-256, SHA-512, Whirlpool. Hash functions not supported: Streebog.