3 Replies Latest reply on Jun 27, 2016 2:26 PM by Peter M

    MRP - McAfee Removable Media Protection - Decrypting and Imaging


      I need to forensically image a thumb drive that was encrypted with MRP


      If the password is not known, how can I decrypt the drive?  Is there a master password?  Is the user's password stored by the EPO console?


      If I know the pw, I can decrypt the drive using the McAfee utility that gets stored on the thumb drive.  However doing a logical image after decryption using a tool like ftk imager does not  work.  It does not see the decrypted files.  Is there an alternative way that will  work?  I also tried taking a physical image with Forensic Falcon, but FTK 6.0.3 does not recognize files as encrypted and does not ask for an authentication  password.