Question

Will Forensic Tools run in an environment where FIPS is enabled?

 

Answer

Yes. Forensic Tools will run in an environment where FIPS is enabled. Please note that PostgreSQL (if you will be using it) must be set to use SHA-256 for password encryption. This is enabled by default starting in our PostgreSQL 14 release (with Forensic Tools 7.6).

Note: Prior to 7.6, you may see the below error:



.NET uses the AES algorithm, which is not part of the Windows Platform FIPS validated cryptographic algorithms. Microsoft removed this setting from its security baseline settings in 2014 due in part to its impact on software leveraging the .NET Framework. You can read more about their reasoning here:

https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/

Servers that are set to enforce the FIPS algorithm can prevent services from starting and communication to fail with this error being reported:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

 at System.Security.Cryptography.AesManaged..ctor()
 at ADG.Database.DAL.DALConnection.Decrypt(String __Data)
 at ADG.Database.DAL.DALCommand.ExecuteNonQueryWithDecrypt(String format, String encrypted)
 at ADG.Database.Definition.UDBInstallUninstall.PrepareDatabase(IDALConnection conn, UDBParams udbParams, Boolean reinstallADMSSQL, CaseDBRecoveryMode recoveryMode)
 at ADG.Database.Definition.UDBInstallUninstall.CreateDatabase(UDBParams udbParams, String adminUser, String adminPassword, Boolean reinstallADMSSQL, CaseDBRecoveryMode recoveryMode, Boolean fixSequences)
 at ADG.Database.Definition.UDBInstallUninstall.InstallUnifiedDB(UDBParams udbParams, CredentialContext context, IProgress`1 progress, Boolean createAlias)
 at DatabaseConfigurationTool.CreateDatabase.CreateDatabaseSteps()
 at DatabaseConfigurationTool.DatabaseForm.CreateDatabaseThread(Object o)

The issue can be resolved with the following steps:

  1. On each server in the environment, open the Registry Editor (regedit.exe).
  2. Navigate to Changed this registry key to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy\Enabled.
  3. Change the value of the key from 1 to 0.
  4. Reboot the server.

NOTE: Please be aware that this registry change is subject to being re-enabled by Group Policy. The Group Policy setting responsible for this setting is called "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" and can be found by expanding the Group Policy console tree to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\.