BitLocker Full Volume Encryption (FVE) is included in some versions of Windows 7, and it has changed a little compared to the version included with Windows Vista. There are six (6) versions of Windows 7 available:
- Home Basic
- Home Premium
- Enterprise (volume licensing)
Removable devices are now treated differently than internal hard disks and are listed below under the heading "BitLocker to go". When you encrypt a removable device, you are presented with a screen that lets you set your own password as well as other authentication methods. Both this handling of removable devices and the fact that the user can set the password are changes from Vista.
Once you enter a password the drive is encrypted, but in a different way than using BitLocker on removables in Windows Vista. With Windows 7, BitLocker to Go is used and the contents of the flash drive are encrypted into a file container, then an application is placed on the removable device, letting you access the encrypted container from other computers, including non-Windows 7 computers. If you look at the removable device in Windows Explorer or via forensic software, you will see several files:
Normally, I get nervous when I see "autorun.inf" on any removable drive. But in this case, if you don't have the autorun feature disabled in the registry (you should!), then the "BitLockerToGo.exe" application is started. Once the application starts, it will then ask for the password that was set.
Once the password is entered, the contents of the encrypted container are displayed and you can copy files from the device:
The "C" volume is the boot partition and is not encrypted and the "D" volume is the actual encrypted volume. It is important to note that the above drive letters are assigned by EnCase and are not the same as what would be seen on a live Windows machine with BitLocker enabled. In Windows Vista, the second partition was usually labelled "S". In Windows 7, it does not have a drive label by default. The boot sector of the encrypted volume looks like this:
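As an added example (not part of the original post), the following Python sketch triages a raw disk image the way the paragraph above describes: it walks the MBR partition table and classifies each partition by the 8-byte OEM ID at offset 3 of its boot sector, where BitLocker fixed-disk volumes carry `-FVE-FS-` in place of `NTFS    `. The two-partition image is constructed in memory for illustration, and the function names are hypothetical; BitLocker To Go containers are not covered.

```python
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID at offset 3 of a BitLocker volume boot sector
NTFS_OEM = b"NTFS    "        # OEM ID of an unencrypted NTFS volume

def classify_boot_sector(vbr: bytes) -> str:
    """Classify a volume boot sector by the 8-byte OEM ID at offset 3."""
    if len(vbr) < SECTOR:
        return "truncated"
    oem = vbr[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"

def scan_mbr_image(image: bytes) -> list:
    """Return (slot, start_lba, classification) for each used MBR partition."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    results = []
    for slot in range(4):
        entry = image[446 + 16 * slot: 446 + 16 * (slot + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or count == 0:
            continue  # unused partition slot
        off = start_lba * SECTOR
        # A partition that starts past the end of the image yields "truncated".
        results.append((slot, start_lba, classify_boot_sector(image[off:off + SECTOR])))
    return results

def build_sample_image() -> bytes:
    """Constructed image: unencrypted boot partition followed by a BitLocker volume."""
    img = bytearray(SECTOR * 8)
    def entry(ptype, start, count):
        return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, count)
    img[446:462] = entry(0x07, 2, 2)   # first partition (boot, not encrypted)
    img[462:478] = entry(0x07, 4, 4)   # second partition (encrypted)
    img[510:512] = b"\x55\xaa"
    img[2 * SECTOR + 3: 2 * SECTOR + 11] = NTFS_OEM
    img[4 * SECTOR + 3: 4 * SECTOR + 11] = BITLOCKER_OEM
    return bytes(img)

if __name__ == "__main__":
    for slot, lba, kind in scan_mbr_image(build_sample_image()):
        print(f"partition {slot} @ LBA {lba}: {kind}")
```
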