Add encryption feasibility gates to forensics checklist #1565

Open
malb200710-dev wants to merge 1 commit into UnitOneAI:main from malb200710-dev:codex/forensics-encryption-feasibility-1526

Conversation

@malb200710-dev

Bounty type

Skill Improvement bounty

Modified skill

skills/incident-response/forensics-checklist/SKILL.md

Issue

Fixes #1526

What was missing

The forensics checklist collected encryption status as context, but did not require evidence that encrypted disks or cloud snapshots can actually be unlocked, decrypted, copied, or examined before marking acquisition as feasible.

What changed

  • Bumped forensics-checklist to v1.0.1.
  • Added encryption acquisition feasibility to required context.
  • Added an Encryption Feasibility Gate before disk imaging.
  • Added FVE-ESCROW-* evidence gates for recovery-key custody, test unlock/decrypt, protector inventory, custody independence, and cloud KMS/grants.
  • Added platform branches for BitLocker, FileVault, LUKS, partial encryption, and cloud-managed encryption.
  • Added powered-on branch guidance when offline unlock evidence is missing.
  • Added AWS/Azure/GCP snapshot KMS access checks before accepting cloud disk evidence.
  • Added encryption feasibility fields to the output report.
  • Added a pitfall for planning disk imaging without proving encryption access.
  • Added references for BitLocker, FileVault, cryptsetup, and cloud KMS/CMEK docs.

Validation

  • Confirmed v1.0.1 version bump.
  • Confirmed Encryption Feasibility Gate and FVE-ESCROW-01 are present.
  • Confirmed powered-on branch guidance is present.
  • Confirmed cloud KMS/grant checks are present.
  • Confirmed report output includes encryption feasibility fields.
  • Confirmed Markdown fence balance.
  • Confirmed no non-ASCII characters were introduced.

Bounty request

Requesting consideration for the SecuritySkills improver bounty if accepted/merged. Payment details can be provided privately after acceptance.
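
An added example, not part of the pull request or of SKILL.md: a minimal sketch of how the gate described above could be evaluated per acquisition target. The evidence key names, the branch names, the reading of the powered-on branch as "acquire while still unlocked", and the choice to require only KMS evidence for cloud targets are all assumptions; the sample targets are constructed.

```python
from dataclasses import dataclass, field

# Evidence categories taken from the PR description; these key names are
# hypothetical labels, not the FVE-ESCROW-* identifiers used in SKILL.md.
OFFLINE_EVIDENCE = ("recovery_key_custody", "test_unlock_decrypt",
                    "protector_inventory", "custody_independence")
CLOUD_EVIDENCE = ("kms_key_access_and_grants",)  # assumption: cloud needs only this
CLOUD_PLATFORMS = {"aws", "azure", "gcp"}


@dataclass
class Target:
    name: str
    encryption: str          # "bitlocker", "filevault", "luks", "partial", "cloud-managed", "none"
    platform: str            # "windows", "macos", "linux", "aws", "azure", "gcp"
    powered_on: bool = False
    evidence: dict = field(default_factory=dict)  # category -> proof reference


def encryption_feasibility(t: Target) -> dict:
    """Decide the acquisition branch and list unproven evidence categories."""
    if t.encryption == "none":
        required = ()
    elif t.platform in CLOUD_PLATFORMS:
        required = CLOUD_EVIDENCE
    else:
        required = OFFLINE_EVIDENCE
    # An empty or missing proof reference counts as unproven.
    missing = [c for c in required if not str(t.evidence.get(c, "")).strip()]
    if not missing:
        branch = "offline-imaging"
    elif t.powered_on and t.platform not in CLOUD_PLATFORMS:
        # Assumed meaning of the powered-on branch: acquire while still unlocked.
        branch = "powered-on-acquisition"
    else:
        branch = "blocked"
    return {"target": t.name, "encryption": t.encryption,
            "feasible": branch != "blocked", "branch": branch,
            "missing_evidence": missing}


# Constructed sample targets (not from the PR or the skill file).
SAMPLES = [
    Target("laptop-01", "bitlocker", "windows", powered_on=True,
           evidence={"recovery_key_custody": "ESCROW-REF-PLACEHOLDER"}),
    Target("srv-02", "luks", "linux",
           evidence={c: "proof-ref" for c in OFFLINE_EVIDENCE}),
    Target("snap-03", "cloud-managed", "aws",
           evidence={"kms_key_access_and_grants": " "}),
]
```

A whitespace-only proof reference, as on `snap-03`, is treated as missing, so a filled-in but empty field cannot pass the gate.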

Successfully merging this pull request may close these issues.

[REVIEW] forensics-checklist: add FVE recovery-key escrow and imaging feasibility gates