Wednesday, January 23, 2008

Incident Response - Recovering a BitLocker Recovery password before system shutdown

This post is just a refresher for those of you who may encounter a running Vista machine that has BitLocker enabled. The following command will display the recovery password in a command prompt so it can be recorded (a photo) for later use by the examiner.

When initially looking at a running Vista machine, one easy indication that bitlocker is installed is the presence of two volumes. The main volume labeled "C:", and a second volume labeled "S:" (Of course this labeling is by default and could be changed).



The second volume labeled "S:" is a small boot partition that is created when BitLocker is enabled and is typically 1.46GB in size. The contents of this volume is minimal and will at a minimum contain the following files & folders:



If you suspect BitLocker is installed, and even if you recover a removable flash drive that you suspect contains the startup key, the following command is recommended. Start a command prompt with escalated privileges by right-clicking on the command prompt option from the Start menu and choosing "Run as Administrator". Once the command prompt starts, it should say "Administrator: Command Prompt":



Once you have this prompt, the best practice would be to insert your Incident Response toolkit CD-ROM that you previously built (you did previously build it, right?) that contains two WMI scripts that can be found on a default installation of Vista with Bitlocker enabled. These two files can be found in the system32 folder of a BitLocker enabled Vista installation and are named:

manage-bde.wsf
manage-bde.ini.en

You should copy these two files along with the cscript.exe interpreter to your incident response CDROM, you know, the one that's in your incident response toolkit and ready to go....:(

These files are installed by default when the BitLocker feature is enabled, but you shouldn't use the ones on your suspect's installation of Vista. Yes, you are already using the suspect's untrusted operating system, but this is about minimizing risk.

The command to obtain the BitLocker recovery password is:

"cscript manage-bde.wsf -protectors -get c:"



The best method is to take a photo, but verify the photo is not blurry or washed out by the flash before you proceed. Alternatively, you could pipe this information to a text file on a floppy or an inserted flash drive (remember you are going to create registry keys, so document).

You can then shutdown the system and remove the drive to be later imaged in the lab. Once connected to a write-blocker, EnCase (with the EDS module) will recognize the volume as a BitLocked volume and ask for the recovery password. You can then enter the recovery password as it was displayed and make a complete decrypted copy of the data at the logical level (if you look at from the physical level, it will still be encrypted because the data is still encrypted as it sits on the disk).

Alternatively, you can connect the drive to a write blocker (better yet, make a bit level copy and use that) and then connect it to a forensic machine that has Vista installed with BitLocker enabled. Vista will see the volume as a foreign encrypted volume and ask for the recovery password. Once entered, Vista will then mount the volume and assign a drive letter. You can then fire up your favorite trusty imaging application and image the logical volume in a decrypted state.

Both methods will make a decrypted copy of the data so from that point forward, BitLocker is removed from the equation.


*NOTE: There are two primary methods of implementing BitLocker. The first is with the use of an onboard TPM chip. The second is currently the more common implementation and only involves a removable flash drive (a third method exists that involves using both a TPM chip and removable flash disk, which is considered the more secure implementation). The above described commands will succeed for all the different BitLocker methods, but if a TPM chip is installed and used, the decryption process when attempting to image the volume will not work because it relies on the TPM hardware component as part of the decryption process. In theory the only solution in that scenario would be to connect a bit-level copy of the original hard drive to the original suspect's computer and then provide the recovery password at boot and then image the visible volume off to a external drive. I have not yet had the opportunity to test this because I do not yet have a TPM enabled computer. If someone has used or tested this method, please advise.

4 comments:

echo6 Tuesday, 29 January, 2008  

My understanding was that the TPM hardware is used primarily to protect the boot sequence from interference thus ensure the integrity of the booted system.
e.g. more info here http://blogs.technet.com/robert_hensing/archive/2007/04/05/vbootkit-vs-bitlocker-in-tpm-mode.aspx
http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true

The presence of TPM will not interfere with the decryption process provided you have collected the recovery password or recovery key during your IR procedures. As well as ensuring the integrity of the boot process TPM can protect the Bitlocker Encryption Key (BEK) hence there is no need to a flash drive where the BEK is contained to boot the system.

In order to implement BitLocker the user has to create either a recovery password or key (called protectors) :-) Using either the recovery password or recovery key you can decrypt a bitlockered drive. Even where TPM is used it is possible to recover the BEK providing of course the machine is on and you have admin to deploy the tools. EnCase can detect the presence of bitlocker and will prompt the examiner for either of these.

You can have more than one protector, it's been a while since I looked at bitlocker so I'm not sure how this effects decryption with EnCase, hmm, something for another day.

Also, I don't think simply copying the manage-bde scripts across to your CD will work unless you have some other dependencies present which implement access to some of the WMI/API calls used in the script.

I have my Vista response cd configured and ready :-)

Lance Mueller Tuesday, 29 January, 2008  

Echo6 brings up a good point that might need clarification from my original post.

If a TPM chip is used, the system can be setup to completely encrypt the volume but when booted everything is done automatically and no USB flash device or PIN is required. In this scenario, if you as the examiner remove the drive, then you MUST HAVE the recovery key to obtain an unencrypted copy of the drive.

Alternatively, BitLocker can be configured with the TPM AND a USB flash drive, which means the hard drive needs to be in the original machine AND the flash device connected in order for the user to boot the system. For you the examiner, all you need is the recovery password.

If you DO NOT have the recovery password and TPM was used, then the drive needs to be in the original hardware in order for the decryption process to work automatically at boot time and to try and obtain a logical image using a write blocker.

Also, as Echo6 points out there are some DLLs that the manage-bde scripts rely on. My suggestion was to just copy the scripts so that you were not using the suspect's copies since these are plain text script files and could easily be edited to do anything, like erase a volume. Although possible, trojanizing a dependant DLL would be much more difficult and if that was the case then all your other incident response commands (netstat, ipconfig, etc.) could have problems as well, but it is a better practice.

Markus Sunday, 31 August, 2008  

I have done the procedure like described before, but it does not work. I made a partition copy with Disc Clone 2.0, and put the drive into a Vista Computer, but the encrypted partition is not identified as a bitlocker partition. Recovery password is available, but I could not access the bitlocker partition. Also diskpart command "list volumes" shows all other partition but the bitlocker partition is not listed. Therfore also the bitlocker repair tool does not work, because I need a Volume entry for this.
Does anybody have a idea how I could access my bitlocker encrypted data ?

AeroTobee Thursday, 24 September, 2009  

TIP

When using the cscript command as stated above, you can also type the following

"cscript manage-bde.wsf -protectors -get c: > C:\bitlkrkey.txt"

Which will send the output of the command to a file named bitlkrkey.txt to you C:\.

You can substitute the file name for anything you want but must use the .txt extension, and you can also change the path from just c:\ to say c:\directory1\mytxtfiles\ for example.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles