How would you handle encrypted evidence during an investigation?

Preserving evidence integrity while pursuing lawful access to decryption is essential when dealing with encrypted data. Start by preserving the ciphertext as-is, compute and record a hash to ensure future integrity checks, and maintain a solid chain of custody. Identify the encryption type and any accompanying data (modes, key management, headers) to inform next steps. Seek to obtain keys or decryption capabilities through proper, legal channels—get authorization from the appropriate authority (court order, policy, or agreed-upon scope). Decrypt only if you are authorized; decrypting without permission risks altering data, violating laws, and jeopardizing admissibility in court. Meanwhile, analyze metadata, file headers, logs, and any unencrypted components that may exist within the encrypted data or surrounding systems. If keys are unavailable, preserve the encrypted evidence and proceed with non-decryption analysis and correlation with other data sources. Throughout, document all actions and maintain forensic soundness.