Decrypt a McAfee-encrypted evidence source with a machine key

If you don't know the password for a McAfee-encrypted evidence source, you can attempt to decrypt it using a machine key. Machine keys are Base64 strings that must be 44 characters long and are unique to each computer. If you provide a machine key in the correct format but the key is incorrect (for example, the key is not associated with the evidence you are trying to decrypt), AXIOM Process attempts to decrypt the evidence source but creates an image without any results.

You obtain a machine key from the McAfee administrator. You find the key at the bottom of the XML file, between the <MfeEpeExportMachineKey> tags.

In AXIOM Process, when you attempt to decrypt a drive, only the largest partition appears to be available, because McAfee encrypts entire drives rather than individual partitions.

  1. In the Decryption option drop-down list, click I have the machine key.
  2. In the Machine key field, paste the 44-character machine key from the XML file.
  3. To verify that the password is correct, click Check.
  4. To continue setting up your case, click Next.
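
Because a machine key in the correct format is accepted even when it is the wrong key, it helps to rule out copy-and-paste damage before step 2. The following is an added example, not part of the original article or of AXIOM Process: it pulls the value from between the <MfeEpeExportMachineKey> tags and checks that it is 44 characters of valid Base64. The <ExampleExport> root element, the sample key and the function names are assumptions made for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

KEY_TAG = "MfeEpeExportMachineKey"  # tag name given on this page
KEY_LEN = 44                        # length stated on this page

# Constructed sample: the key value and the <ExampleExport> root are made up.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode("ascii")
SAMPLE_EXPORT = f"""<ExampleExport>
  <Other>ignored</Other>
  <{KEY_TAG}>
    {SAMPLE_KEY}
  </{KEY_TAG}>
</ExampleExport>"""


def extract_machine_key(xml_text):
    """Return the key text from the export with all whitespace removed."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Ignore any XML namespace prefix on the tag.
        if elem.tag.rsplit("}", 1)[-1] == KEY_TAG:
            # Line breaks and indentation inside the tag are not part of the key.
            return "".join((elem.text or "").split())
    raise ValueError(f"no <{KEY_TAG}> element found")


def check_machine_key(key):
    """Return a list of format problems; an empty list means the format is fine."""
    problems = []
    if len(key) != KEY_LEN:
        problems.append(f"length is {len(key)}, expected {KEY_LEN}")
    try:
        base64.b64decode(key, validate=True)  # rejects non-Base64 characters
    except (binascii.Error, ValueError) as exc:
        problems.append(f"not valid Base64: {exc}")
    return problems


if __name__ == "__main__":
    key = extract_machine_key(SAMPLE_EXPORT)
    issues = check_machine_key(key)
    print(key if not issues else "; ".join(issues))
```

This checks the format only. A well-formed key that does not belong to the evidence source still produces an image without any results, as described above.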