Question

How do I decrypt Credant data in FTK/AD Lab/AD Enterprise?


Supported Versions

Credant 5.4-7.7


Prerequisites

Enable the Forensic API on the Credant Server:

  1. Open the file, \Device Server\conf\context.properties
  2. Enable the forensic integration API by setting service.forensic.enable=true
  3. Stop and restart the Device Server from the Start Menu

Enable the Forensic Administrator Role on the Credant Server:

  1. Open the file, \Server Web Interface\conf\context.properties
  2. Enable the Forensic Administrator role by setting admin.type.forensic=true
  3. Stop and restart the Web Interface from the Start Menu
  4. Log in to the Credant Server and give your administrator the Forensic Administrator role


Answer

Offline Decryption After Initial Processing:

  1. Browse to "C:\Program Files\AccessData\Forensic Toolkit\\bin"
  2. Copy CFGetBundle.exe to a machine connected to the Credant server
  3. Open a Command Prompt (as Administrator) at the location containing CFGetBundle.exe
  4. Run a command with the following syntax to create an offline key bundle (Note: All commands are case sensitive, and there is no space between the switches and data)

    CFGetBundle.exe -X<server URL> -a<admin user> -A<admin password> -d<domain> -s<Shield ID> -o<output file> -i<bundle password>

    Example:
    CFGetBundle -Xhttps://10.1.1.131:8081/xapi -asuperadmin -Achangeit -dxp1.accessdata.lab -sZE3HM8WW -oKeyBundle.bin -ipassword

  5. Copy the resulting key bundle to the FTK machine
  6. In FTK, click Tools > Credant Decryption to open the Credant Decryption dialog
  7. Go to the Offline tab
  8. Select the Evidence Item you wish to decrypt
  9. Browse to the offline Key Bundle to use during decryption
  10. Enter the Password to the Key Bundle
  11. Click OK
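The key bundle command from step 4 above, wrapped in a PowerShell script. This is an added example and not AccessData's code: the switch meanings are taken from the example command on this page, the server, account, domain and Shield ID values are placeholders copied from that example, and the script assumes Test-NetConnection is available (Windows PowerShell 4 or later).

```powershell
# Added example (not AccessData's code): builds and runs the CFGetBundle.exe
# command from step 4. Switch meanings follow the example command on this
# page; the default values below are placeholders taken from that example.
param(
    [string]$ServerUrl = 'https://10.1.1.131:8081/xapi',  # -X  Credant forensic API URL
    [string]$AdminUser = 'superadmin',                   # -a  account holding the Forensic Administrator role
    [string]$Domain    = 'xp1.accessdata.lab',           # -d  domain of the Credant server
    [string]$ShieldId  = 'ZE3HM8WW',                     # -s  Shield ID of the evidence machine
    [string]$OutFile   = 'KeyBundle.bin',                # -o  key bundle to copy to the FTK machine
    [string]$ExePath   = '.\CFGetBundle.exe'
)

# Prompt for both secrets rather than hard-coding them in the script. Note that
# CFGetBundle only accepts them as switches, so they still appear on the child
# process command line; run this on a trusted examiner workstation only.
$adminPw  = Read-Host -Prompt "Password for $AdminUser" -AsSecureString
$bundlePw = Read-Host -Prompt 'Password to protect the key bundle' -AsSecureString
function ConvertFrom-Secure([securestring]$s) {
    [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))
}

# The tool reads switch and data as one token, so a value containing
# whitespace cannot be passed this way; fail early instead of sending a
# malformed request to the server.
foreach ($v in $ServerUrl, $AdminUser, $Domain, $ShieldId, $OutFile) {
    if ($v -match '\s') { throw "Value '$v' contains whitespace; CFGetBundle switches take no spaces." }
}

# Confirm the forensic API port answers before sending credentials to it.
$uri = [Uri]$ServerUrl
if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
    throw "Cannot reach $($uri.Host):$($uri.Port); check service.forensic.enable and firewall rules."
}

# Switches are case sensitive and are concatenated directly with their data.
$cfgArgs = @(
    "-X$ServerUrl", "-a$AdminUser", "-A$(ConvertFrom-Secure $adminPw)",
    "-d$Domain", "-s$ShieldId", "-o$OutFile", "-i$(ConvertFrom-Secure $bundlePw)"
)
& $ExePath @cfgArgs
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $OutFile)) {
    throw "CFGetBundle failed (exit code $LASTEXITCODE); no key bundle was written."
}
Write-Host "Key bundle written to $OutFile; copy it to the FTK machine and enter the bundle password in the Offline tab."
```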


Online Decryption After Initial Processing:

  1. Ensure your FTK machine can communicate with the Credant server
  2. In FTK, click Tools > Credant Decryption to open the Credant Decryption dialog
  3. Go to the Online tab
  4. Select the Evidence Item you wish to decrypt
  5. Enter the Machine ID for the evidence to be decrypted
  6. Enter the Shield ID for the evidence to be decrypted
  7. Enter the User Name for the Credant administrator
  8. Enter the Password for the Credant administrator
  9. Enter the Domain for the Credant server
  10. Enter the IP Address of the Credant server
  11. Enter the Port of the Credant server
  12. Click OK


Online Decryption During Initial Processing:

  1. Ensure your FTK machine can communicate with the Credant server
  2. In FTK, go to Evidence > Add/Remove
  3. Click Add and select the evidence to process and decrypt
  4. Click Refinement Options
  5. Check the box Decrypt Credant Files
  6. Click Credant Server Settings
  7. Enter the User Name for the Credant administrator
  8. Enter the Password for the Credant administrator
  9. Select the Evidence Item you wish to decrypt
  10. Enter the Domain for the Credant server
  11. Enter the IP Address of the Credant server
  12. Enter the Port of the Credant server
  13. Click OK
  14. Proceed to process the evidence


Notes

  • After performing online Credant decryption, the necessary credentials are stored automatically for future use.
  • Offline decryption does not create any parent-child relationships, resulting in fewer counts than online decryption.