Computer Forensics, Malware Analysis & Digital Investigations: April 2008

In January, I posted some Incident Response tips on how to deal with a Vista system with Bitlocker enabled. You can read the initial post here. I was recently doing some training and we discussed Bitlocker techniques in depth and decided to post a follow up with some additional tips.

The first thing you must do when you roll up on a system running Vista is to determine if Bitlocker is enabled. Remember that Bitlocker is only available in the Enterprise and Ultimate editions of Windows Vista. A quick look at the system properties should tell you what version you are dealing with:

There are a couple of easy ways to determine if Bitlocker is enabled. The first method is to simply open Windows Explorer and look at the logical drive list. Bitlocker requires two logical volumes. One for the OS and user data files and the second is a small boot partition 1.4GB in size, that is not encrypted. By default, Windows assigns the logical drive letter "S" to this small boot partition:

Also, NTFS is the required filesystem on the logical volume encrypted with Bitlocker.
The second method to determine if Bitlocker is enabled is to simply look at the Bitlocker configuration from the Control Panel:

Finally, you can open an Administrative Command Prompt and use the following command to check the status of Bitlocker:

"cscript manage-bde.wsf -status"

This last option tells you that the logical volume "C" is encrypted with Bitlocker and that an external key (USB) and a numerical password are being used as protectors. This tells the investigator that there must be an external USB device with a key on it (.BEK) extension and that there may be a numerical password written down somewhere. The password is very long consisting of eight groups with six numbers in each group, such as: "363319-629200-548735-017523-429363-314292-005962-259380". The status output also tells you if Bitlocker is currently enabled.

Once you have determined that Bitlocker is in fact installed and enabled, the investigator now has to decide how to handle this volume so later analysis can be performed. There are a couple of options available at this point. The investigator could use a live response CD and make an image of the logical drive while the system is running. It is important to understand that a LOGICAL image must be taken, because it uses the Windows API in order to obtain the decrypted data. If a physical image is taken, you will end up with a full image of the hard drive in its encrypted state and then you will have to deal with decrypting it later in order to perform an analysis.

Another solution is to disable Bitlocker. Disabling Bitlocker does not decrypt the data, in turn altering each file. Instead, it stores the key on the disk so that it can be decrypted the next time it is booted or accessed without the need for the startup key or numerical password. The following command shows how to disable Bitlocker from the command line:

"cscript manage-bde.wsf -protectors -disable c:"

The above command will disable Bitlocker (not decrypt) and if later attached to another Vista machine using a write blocker, all the data will be visible and available for imaging.

The investigator should also obtain the numeric recovery password as a safety measure to ensure later access to the drive for imaging. The following command will display the numerical recovery password:

"cscript manage-bde.wsf -protectors -get c:"

Here is a video showing all the above commands: