A paper (paywalled) in the journal Digital Investigation finds that hard-drive full disk encryption works. Police and other investigators are increasingly unable to access the data on seized equipment due to the efficacy of diskwide scrambling. This is a good, research-backed contribution to the debate on whether encrypting your hard-drive is worth the trouble. If the police can't access data on accused criminals' computers, then it seems likely that criminals who steal your laptop (or snoops in totalitarian states who seize dissidents' computers) won't be able to either.
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to dealing with FDE are discussed.