Question
How do I decrypt Credant data in FTK/AD Lab/AD Enterprise?
Supported Versions
Credant 5.4-7.7
Prerequisites
Enable the Forensic API on the Credant Server:
- Open the file, \Device Server\conf\context.properties
- Enable the forensic integration API by setting service.forensic.enable=true
- Stop and restart the Device Server from the Start Menu
Enable the Forensic Administrator Role on the Credant Server:
- Open the file, \Server Web Interface\conf\context.properties
- Enable the Forensic Administrator role by setting admin.type.forensic=true
- Stop and restart the Web Interface from the Start Menu
- Log in to the Credant Server and give your administrator the Forensic Administrator role
Answer
Offline Decryption After Initial Processing:
- Browse to "C:\Program Files\AccessData\Forensic Toolkit\\bin"
- Copy CFGetBundle.exe to a machine connected to the Credant server
- Open a Command Prompt (as Administrator) at the location containing CFGetBundle.exe
- Run a command with the following syntax to create an offline key bundle (Note: All commands are case sensitive, and there is no space between the switches and data)
CFGetBundle.exe -X -a -A -d -s -o -i
Example: CFGetBundle -Xhttps://10.1.1.131:8081/xapi -asuperadmin -Achangeit -dxp1.accessdata.lab -sZE3HM8WW -oKeyBundle.bin -ipassword
- Copy the resulting key bundle to the FTK machine
- In FTK, click Tools > Credant Decryption to open the Credant Decryption dialog
- Go to the Offline tab
- Select the Evidence Item you wish to decrypt
- Browse to the offline Key Bundle to use during decryption
- Enter the Password to the Key Bundle
- Click OK
Online Decryption After Initial Processing:
- Ensure your FTK machine can communicate with the Credant server
- In FTK, click Tools > Credant Decryption to open the Credant Decryption dialog
- Go to the Online tab
- Select the Evidence Item you wish to decrypt
- Enter the Machine ID for the evidence to be decrypted
- Enter the Shield ID for the evidence to be decrypted
- Enter the User Name for the Credant administrator
- Enter the Password for the Credant administrator
- Enter the Domain for the Credant server
- Enter the IP Address of the Credant server
- Enter the Port of the Credant server
- Click OK
Online Decryption During Initial Processing:
- Ensure your FTK machine can communicate with the Credant server
- In FTK, go to Evidence > Add/Remove
- Click Add and select the evidence to process and decrypt
- Click Refinement Options
- Check the box Decrypt Credant Files
- Click Credant Server Settings
- Enter the User Name for the Credant administrator
- Enter the Password for the Credant administrator
- Select the Evidence Item you wish to decrypt
- Enter the Domain for the Credant server
- Enter the IP Address of the Credant server
- Enter the Port of the Credant server
- Click OK
- Proceed to process the evidence
Notes
- After performing online Credant decryption, the necessary credentials are stored automatically for future use.
- Offline decryption does not create any parent-child relationships, resulting in fewer counts than online decryption.