2024 Update: Encrypted Discovery (originally published in 2020)

Posted on by

Whether it is on media (CD Rom, USB drive, or hard drive) or through the internet (email or USAfx) it is becoming common practice that discovery files will be encrypted. Encryption adds a layer of protection by scrambling the data, so files cannot be seen unless a digital “key” (password) is provided. The goal of encryption is to protect the data while it is being shipped in case it is lost or stolen, i.e., if a thumb-drive is sent to the wrong address, whoever opens the package can’t just plug the thumb-drive in and read all of the data on it.

Decryption is the process of unscrambling an encrypted file so it is readable. The first step you should take when you receive encrypted files is to create a decrypted copy of the files. If you don’t do this, you will not be able to search, review, or work with these files and you will have to enter a password each time in order to access the files at all. For example, if you try to use dtSearch on encrypted files your searches will yield no results. You must decrypt your discovery and save the decrypted copy in order to work with it. 

How will you know if your discovery is encrypted? One clue is that you are asked for a password to access the discovery. You might be used to looking for the McAfee logo—now the program is called Trellix. Same thing, just a different skin.

Follow the steps below to decrypt and save your discovery so that you can work with it.

Decryption Steps:

  • First, create a destination for your decrypted files to live. Open File Explorer (the file browser on your computer) and navigate to a destination on your computer (or external drive) with enough room to hold a copy of the files. Create a folder that will keep the decrypted copy of the files.
  • Insert or download your discovery and look for the Trellix executable file—the name can vary but you are looking for the “.exe” extension.
  • Click on the “.exe” extension. This will open a dialog window and prompt you for a password. Enter the password in the password box and click ok.
  • Copy the files or folders into the folder you made in step 1. From within Trellix:
    • Select the top level folder from the left hand navigation pane.
    • From the main window, select all the files and folders, right-click on them and choose “Copy.”
    • Paste the copies into the folder you made in File Explorer.
    • Verify that the copied files can be opened. Close Trellix first then open a few of the copied files.

Trellix FRP Program

Trellix FRP is an encryption program commonly used by the USAOs when delivering discovery on thumb drives and CD/DVD discs. (Trellix is a different name for the same program, McAfee, that the USAOs used previously). The media usually includes an executable “FRP Reader” that allows users to view encrypted files on the drive and make decrypted copies of the files. The FRP Reader works on Windows OS and includes limited read-only access to the files. Links between files do not work within FRP Reader and it is generally slow to copy files. Additionally, there can be problems copying big files (over 4GB) or large volumes of files (over 10,000 files).

Alternatively, there is a “FRP Program” that is usually NOT included on encrypted drives. Once installed, the Trellix FRP Program allows users to open a Trellix encrypted container within Windows Explorer, and allows for read, write, edit and delete access to the files. When using the FRP Program links between files work as normal and there are less problems copying big files or larger volumes of files. If you would like the FRP Program, please email Kelly_Scribner@fd.org.

A word of caution: although the FRP Program makes decryption and copying faster, it also allows for files to be edited and deleted with the program installed. We recommend you always make working copies of the files and maintain an unedited copy of the media.

Notes:

  • Look for cover letters and associated correspondence that mention password protection or encryption. Often the sender will tell you that the files are encrypted and provide instructions on how to obtain the key (password). If the media contains encrypted files you cannot work with them unless you have that password.
  • Use a Windows computer. Most decryption programs included on the media are designed to work with Windows computers.  Sometimes decryption can be done on Mac computers, but often it requires additional software not included with the media.
  • Insert the media and look for either a “password” prompt or a decryption program. Certain encryption programs (like Microsoft “Bitlocker“) will automatically prompt for a password when the media is inserted. Other times the media will include Windows-based software programs that needs to be run.
  • Create decrypted copies of the files. When you open a file that is encrypted a computer will typically only temporarily decrypt it.  The file may be in a “read-only” mode that will not work well with most software programs and will continue to need a password when reopening.  Making a decrypted copy of the file will allow it to be correctly recognized by the programs on your computer and will no longer need a password when opening the copy.