Monday, April 21, 2008

Additional Bitlocker Incident Response tips

In January, I posted some Incident Response tips on how to deal with a Vista system with Bitlocker enabled. You can read the initial post here. I was recently doing some training and we discussed Bitlocker techniques in depth and decided to post a follow up with some additional tips.

The first thing you must do when you roll up on a system running Vista is to determine if Bitlocker is enabled. Remember that Bitlocker is only available in the Enterprise and Ultimate editions of Windows Vista. A quick look at the system properties should tell you what version you are dealing with:

There are a couple of easy ways to determine if Bitlocker is enabled. The first method is to simply open Windows Explorer and look at the logical drive list. Bitlocker requires two logical volumes. One for the OS and user data files and the second is a small boot partition 1.4GB in size, that is not encrypted. By default, Windows assigns the logical drive letter "S" to this small boot partition:

Also, NTFS is the required filesystem on the logical volume encrypted with Bitlocker.
The second method to determine if Bitlocker is enabled is to simply look at the Bitlocker configuration from the Control Panel:

Finally, you can open an Administrative Command Prompt and use the following command to check the status of Bitlocker:

"cscript manage-bde.wsf -status"

This last option tells you that the logical volume "C" is encrypted with Bitlocker and that an external key (USB) and a numerical password are being used as protectors. This tells the investigator that there must be an external USB device with a key on it (.BEK) extension and that there may be a numerical password written down somewhere. The password is very long consisting of eight groups with six numbers in each group, such as: "363319-629200-548735-017523-429363-314292-005962-259380". The status output also tells you if Bitlocker is currently enabled.

Once you have determined that Bitlocker is in fact installed and enabled, the investigator now has to decide how to handle this volume so later analysis can be performed. There are a couple of options available at this point. The investigator could use a live response CD and make an image of the logical drive while the system is running. It is important to understand that a LOGICAL image must be taken, because it uses the Windows API in order to obtain the decrypted data. If a physical image is taken, you will end up with a full image of the hard drive in its encrypted state and then you will have to deal with decrypting it later in order to perform an analysis.

Another solution is to disable Bitlocker. Disabling Bitlocker does not decrypt the data, in turn altering each file. Instead, it stores the key on the disk so that it can be decrypted the next time it is booted or accessed without the need for the startup key or numerical password. The following command shows how to disable Bitlocker from the command line:

"cscript manage-bde.wsf -protectors -disable c:"

The above command will disable Bitlocker (not decrypt) and if later attached to another Vista machine using a write blocker, all the data will be visible and available for imaging.

The investigator should also obtain the numeric recovery password as a safety measure to ensure later access to the drive for imaging. The following command will display the numerical recovery password:

"cscript manage-bde.wsf -protectors -get c:"

Here is a video showing all the above commands:


Anonymous Tuesday, 22 April, 2008  

EnCase can handle BitLocker just fine.

Also, when you disable BitLocker through Vista, the unallocated space will NOT get decrypted! Furthermore the encryption keys get wiped.

Lance Mueller Tuesday, 22 April, 2008  

You are correct, EnCase can handle Bitlocker as long as you have the recovery password or key protector AND you must have the EDS module.

When you disable bitlocker NOTHING gets decypted, not unallocated space or allocated space, everything remains encrypted. The only difference is that the key is stored on the drive so that you dont need to present the key from the USB in order to boot. The encryption keys are not wiped, enabling Bitlockler using the same methods I described, restored Bitlocker back to the previous state requiring the USB startup key or recovery password in order to boot the OS.

I highly suggest using EnCase, if you have it and the EDS module, but the other techniques were presented as alternatives in case you do not.

Anonymous Thursday, 24 April, 2008  

I meant that when bitlocker is REMOVED so that you can forensically analyze the disk everything but unallocaed will get decrypted and the key blob deleted.

Anonymous Thursday, 24 April, 2008  

You can just analyze/preview the live system. Also, most BitLocker intallations just use the TPM and NOT the PIN/USB modes.

Also, when BitLocker gets installed, all the unallocated space (minus 10 GB) gets filled with encrypted 'W'. So these sectors show that they have not been written to since that point!

Lance Mueller Thursday, 24 April, 2008  

Anonymous, thanks for your comments and observations.

A couple of comments: I never recommended REMOVING" Bitlocker since that will severely alter the data and there are other workarounds that will work and there is no reason to decrypt the volume since you can make a image of the decrypted data using other methods.

I am not sure what you mean by "you can just analyze/preview the live system?" Are you saying thats all you can do? or are you saying that you can perform an analysis on the live running machine?

I concur with your observations of unallocated space.

Thanks again for your comments.

Anonymous Friday, 25 April, 2008  

Yes - if you are on a live vista machine, you could just acquire the data from there ( und the acquisition program from a removable disk). Not perfect forensically and you'll have to have admin rights - thanks to UAC.

But your description of Vista/Bitlocker is right on and an excellen resource.

Anonymous Friday, 25 April, 2008  

Yes - if you are on a live vista machine, you could just acquire the data from there ( und the acquisition program from a removable disk). Not perfect forensically and you'll have to have admin rights - thanks to UAC.

But your description of Vista/Bitlocker is right on and an excellen resource.

Anonymous Friday, 25 April, 2008  

Sorry for the double post - dunn how that happened.

Anonymous Monday, 19 May, 2008  

How is it that unallocated space is not decrypted when BitLocker encrypts at the sector level and has absolutely no idea of what sectors are in allocated clusters and those that are not?

Anonymous Tuesday, 20 May, 2008  


Because the BitLocker applet will create a file that will take all of UAC - 10GB. That file will be skipped. This is done so the sectors will be "LOCKED" down

Anonymous Tuesday, 02 December, 2008  

Ummmm...just one small point...if you have logged onto the machine enough to be able to run these commands and view the hard disks??? Who cares? You can access it already!?? Haven't you? Or can bitlocker be locked down to files and folders? I thought the whole point of bitlocker was that someone couldn't steal your PC and image it or remove the HD as THE WHOLE DISK was encrypted...

If you can log into the PC then bitlocker is over. You now can access anything? Right??

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles