Showing results for 
Search instead for 
Did you mean: 
Level 7

Safeboot Forensics


I'm tasked with performing a forensics investigation of a safeboot protected computer. Since the forensics software I'm using (FTK) have support for safeboot, I figured I'd do it the right way instead of decrypting the whole drive. Unfortunately, the standard method (of using sbadmcl.exe with the getmachinekey option) returns a 128 byte key whereas FTK requires a 32 byte key to interact with the drive.

So the question is why do I get a 128 byte key instead of a 32 byte key from sbadmcl?


0 Kudos