0 Replies Latest reply on Mar 13, 2013 5:07 AM by naldor

    Safeboot Forensics

      Hi

      I'm tasked with performing a forensics investigation of a SafeBoot-protected computer. Since the forensics software I'm using (FTK) has support for SafeBoot, I figured I'd do it the right way instead of decrypting the whole drive. Unfortunately, the standard method (of using sbadmcl.exe with the getmachinekey option) returns a 128-byte key, whereas FTK requires a 32-byte key to interact with the drive.

      So the question is: why do I get a 128-byte key instead of a 32-byte key from sbadmcl?

      //Naldor