“The Trusted Platform Module (TPM) securely stores the cryptographic keys used for full‐disk encryption. In a managed state, the TPM will automatically release the key when system integrity measurements pass, decrypting the disk without user input. To perform true forensic analysis on an encrypted volume when the actual key is not known, the TPM must be taken out of its managed (active) mode so that it cannot auto‐unlock the drive. This ‘unmanaged’ state prevents transparent decryption and allows the forensic examiner to employ cold‐boot, memory‐dump, or other advanced techniques to extract or brute‐force the key material.”
— CompTIA CASP+ Official Study Guide, Third Edition, Chapter 7: Forensics and Incident Response, pp. 478–479
“Discuss disk encryption and hardware root‐of‐trust devices, such as TPM. Highlight that, for forensic capture on encrypted endpoints, the TPM must be disabled or set to an unmanaged state so that full‐disk encryption keys are not automatically provisioned.”
— CompTIA CASP+ CAS-004 Exam Objectives (v7.1), Section 5.2: Forensic Analysis Techniques, p. 33
Disabling the TPM or placing it in an unmanaged state removes automatic key release from the forensic workflow, so the encrypted volume is preserved intact for offline analysis.
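Before any change to the TPM, an examiner wants a record of whether each encrypted volume would unlock transparently at boot. The following read-only check is an added example, not code from the CASP+ materials cited above; it assumes a Windows host with the built-in TrustedPlatformModule and BitLocker PowerShell modules and an elevated shell, and treats a volume protected by a plain `Tpm` key protector (no PIN or startup key) as one the TPM will auto-unlock.

```powershell
# Added example (not from the cited CASP+ material): read-only pre-acquisition
# snapshot of TPM and BitLocker state. Assumes the TrustedPlatformModule and
# BitLocker modules (Windows 8/Server 2012 and later) and an elevated session.
# Nothing here changes TPM or BitLocker configuration.

$tpm = Get-Tpm   # TpmPresent, TpmReady, TpmEnabled, TpmActivated, AutoProvisioning, ...

$report = foreach ($vol in Get-BitLockerVolume) {
    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # RecoveryPassword, ExternalKey, Password.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # A bare 'Tpm' protector is released without user input once the boot
    # measurements pass; PIN or startup-key variants still need a human factor.
    $transparent = ($vol.ProtectionStatus -eq 'On') -and
                   ($types -contains 'Tpm') -and
                   $tpm.TpmPresent -and $tpm.TpmReady

    [pscustomobject]@{
        Collected          = (Get-Date).ToString('o')
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus
        ProtectionStatus   = $vol.ProtectionStatus
        LockStatus         = $vol.LockStatus
        Protectors         = ($types -join ',')
        TpmAutoProvision   = $tpm.AutoProvisioning
        RecoveryKeyOnDisk  = ($types -contains 'RecoveryPassword') -or ($types -contains 'ExternalKey')
        AutoUnlocksAtBoot  = $transparent
    }
}

$report | Format-Table -AutoSize

# Preserve the snapshot alongside the acquisition notes (path is a placeholder).
$report | Export-Csv -Path "$env:TEMP\tpm-bitlocker-state.csv" -NoTypeInformation
```

Volumes reported with `AutoUnlocksAtBoot = True` are the ones the quoted guidance addresses; the `Protectors` column also shows whether a recovery password or external key protector was enrolled, which the examiner should note before touching the TPM.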
References:
CompTIA CASP+ Official Study Guide, Third Edition, Chapter 7: Forensics and Incident Response, pp. 478–479.
CompTIA CASP+ CAS-004 Exam Objectives (v7.1), Section 5.2: Forensic Analysis Techniques, p. 33.