3 Replies Latest reply on Jun 27, 2016 2:26 PM by Peter M

    MRP - McAfee Removable Media Protection 4.3.1.138 - Decrypting and Imaging

    leo99

      I need to forensically image a thumb drive that was encrypted with MRP 4.3.1.138.

       

      If the password is not known, how can I decrypt the drive?  Is there a master password?  Is the user's password stored by the EPO console?

       

      If I know the pw, I can decrypt the drive using the McAfee utility that gets stored on the thumb drive.  However doing a logical image after decryption using a tool like ftk imager does not  work.  It does not see the decrypted files.  Is there an alternative way that will  work?  I also tried taking a physical image with Forensic Falcon, but FTK 6.0.3 does not recognize files as encrypted and does not ask for an authentication  password.

       

      Thanks.