Monday, January 11, 2010

Forensic Review of Windows 7 - Part V - Bitlocker

BitLocker Full Volume Encryption (FVE) is included in some versions of Windows 7 and it has changed a little compared to the version included with Windows Vista. There are six versions of Windows 7 available:

  • Starter
  • Home Basic
  • Home Premium
  • Professional
  • Enterprise (volume licensing)
  • Ultimate
The Starter version provides the minimal amount of features and each version above that adds additional features. Like in Windows Vista, BitLocker is only available in the Enterprise and Ultimate versions of Windows 7. At first glance, it seems Microsoft has enhanced the BitLocker capability with "BitLocker to go", an extension of BitLocker designed for removable drives. Here are the BitLocker hardware requirements directly from the built-in help:

When you look at the BitLocker options from the control panel you may notice some new options:

Removable devices are now treated differently than internal hard disks and are listed below under the heading "BitLocker to go". When you encrypt a removable device, you are presented with a screen that lets you set your own password as well as other authentication methods. This is a change from the way Vista handles removable devices, notably in that the user can set the password.

Once you enter a password the drive is encrypted, but in a different way than using BitLocker on removables in Windows Vista. With Windows 7, BitLocker to Go is used and the contents of the flash drive are encrypted into a file container, then an application is placed on the removable device, letting you access the encrypted container from other computers, including non-Windows 7 computers. If you look at the removable device in Windows Explorer or via forensic software, you will see several files:

Normally, I get nervous when I see "autorun.inf" on any removable drive. But in this case, if you don't have the autorun feature disabled in the registry (you should!), then the "BitLockerToGo.exe" application is started. Once the application starts, it will then ask for the password that was set.

Once the password is entered, the contents of the encrypted container are displayed and you can copy files from the device:

The BitLockerToGo Reader only allows a non-Windows 7 computer to *view* and copy files from the flash device. You cannot add files onto the device using the BitLocker Reader program. However, if you insert the removable device into a different Windows 7 computer with BitLocker enabled, you can access and add files as long as you present the correct password or smartcard.

From a forensic tool, the removable device will look like this:

The COV file is the container file that actually contains the encrypted data. The example above was created on a 4GB flash device.

For internal hard drives, the process is very similar to Windows Vista. You can enable BitLocker and it will create a second small partition that is used for the initial boot process. The main partition is then completely encrypted (not a container like BitLocker To Go). From a forensic tool, an encrypted volume will look like this:

The "C" volume is the boot partition and is not encrypted and the "D" volume is the actual encrypted volume. It is important to note that the above drive letters are assigned by EnCase and are not the same as what would be seen on a live Windows machine with BitLocker enabled. In Windows Vista, the second partition was usually labelled "S". In Windows 7, it does not have a drive label by default. The boot sector of the encrypted volume looks like this:
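Since the boot sector is what a forensic tool keys on when deciding whether a volume is BitLocker-protected, here is an added example (not from the original post) that classifies a volume boot sector as a Vista-style, Windows 7 or BitLocker To Go container header. The signatures, the identifier GUID and the field offsets follow the published libbde format notes and are assumptions to verify against a known sample; the sectors it parses are constructed for the demonstration.

```python
import struct
import uuid

# BitLocker identifier GUID found in Windows 7 and BitLocker To Go volume headers.
# Value and offsets follow the libbde format notes (assumption: verify on a real sample).
BDE_IDENTIFIER = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001").bytes_le

# (OEM ID at offset 3, GUID offset, offset of the three metadata-block pointers, label)
LAYOUTS = [
    (b"-FVE-FS-", 160, 176, "bitlocker-win7"),   # full-volume encryption, Windows 7
    (b"MSWIN4.1", 424, 440, "bitlocker-to-go"),  # removable-media container (COV file)
]


def identify_bitlocker_volume(sector: bytes) -> dict:
    """Classify a 512-byte boot sector and return any FVE metadata block offsets."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    oem_id = sector[3:11]
    for signature, guid_off, blocks_off, label in LAYOUTS:
        if oem_id == signature and sector[guid_off:guid_off + 16] == BDE_IDENTIFIER:
            offsets = struct.unpack_from("<3Q", sector, blocks_off)  # absolute byte offsets
            return {"kind": label, "oem_id": oem_id.decode(), "metadata_blocks": list(offsets)}
    if oem_id == b"-FVE-FS-":
        # Vista-style header: same OEM ID but no identifier GUID at offset 160.
        return {"kind": "bitlocker-vista", "oem_id": oem_id.decode(), "metadata_blocks": []}
    if oem_id == b"NTFS    ":
        return {"kind": "ntfs", "oem_id": oem_id.decode(), "metadata_blocks": []}
    return {"kind": "unknown", "oem_id": oem_id.decode("latin-1"), "metadata_blocks": []}


def make_sample_sector(signature: bytes, guid_off: int, blocks_off: int, blocks) -> bytes:
    """Build a constructed boot sector for testing; this is not a real capture."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x58\x90"          # typical jump instruction at the start
    sector[3:11] = signature
    sector[guid_off:guid_off + 16] = BDE_IDENTIFIER
    struct.pack_into("<3Q", sector, blocks_off, *blocks)
    sector[510:512] = b"\x55\xaa"          # boot sector end marker
    return bytes(sector)


if __name__ == "__main__":
    win7 = make_sample_sector(b"-FVE-FS-", 160, 176, (0x2100000, 0x4A00000, 0x7300000))
    togo = make_sample_sector(b"MSWIN4.1", 424, 440, (0x200000, 0x1200000, 0x2200000))
    for sample in (win7, togo):
        print(identify_bitlocker_volume(sample))
```

On a real image, feed the first 512 bytes of the encrypted volume (or of the COV file) to `identify_bitlocker_volume`; a tool that only checks for "-FVE-FS-" will miss the BitLocker To Go container, which carries "MSWIN4.1" instead.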

Gpedit.msc can be used to configure several new options with BitLocker:

This last screen shows how to use BitLocker without a TPM chip. Just enable the "Require additional authentication methods at startup" and check the "Allow BitLocker without a compatible TPM" checkbox.

The current version of EnCase does not support decryption of a BitLocker volume created with Windows 7 using the EDS module, as it does with Microsoft Vista.


Troyla Thursday, 21 January, 2010  

The BitLocker in Windows 7 is different from that in Vista. Note that Encase does not even recognise that the BitLocker partition above is a BitLocker partition. That may be because the volume headers are very slightly different between versions.

However, the important thing to note is that Vista cannot unlock a Windows 7 BitLocker volume. You must use Windows 7 to unlock Windows 7 BitLocker. Windows 7 can, however, unlock Vista BitLockered volumes.

