tag:blogger.com,1999:blog-1746946614390371171.post1665360859047961274..comments2011-05-31T02:26:44.407-07:00Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comBlogger12125tag:blogger.com,1999:blog-1746946614390371171.post-55712042218188726782009-06-09T23:07:13.797-07:002009-06-09T23:07:13.797-07:00Thanks for sharing this informative and useful post with us. Good work.Computer Repairhttp://www.support1000.comnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-81315091069542087202008-12-02T20:01:00.000-08:002008-12-02T20:01:00.000-08:00Ummmm...just one small point...if you have logged onto the machine enough to be able to run these commands and view the hard disks??? Who cares? You can access it already!?? Haven't you? Or can bitlocker be locked down to files and folders? I thought the whole point of bitlocker was that someone couldn't steal your PC and image it or remove the HD as THE WHOLE DISK was encrypted...<BR/><BR/>If you can log into the PC then bitlocker is over. You now can access anything? Right??Leenoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-27896627051577272982008-05-20T15:54:00.000-07:002008-05-20T15:54:00.000-07:00Troy:<BR/><BR/>Because the BitLocker applet will create a file that will take all of UAC - 10GB. That file will be skipped. This is done so the sectors will be "LOCKED" downAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-83907009465847748492008-05-19T20:14:00.000-07:002008-05-19T20:14:00.000-07:00How is it that unallocated space is not decrypted when BitLocker encrypts at the sector level and has absolutely no idea of what sectors are in allocated clusters and those that are not?Troynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-84883838881222698322008-04-25T18:59:00.002-07:002008-04-25T18:59:00.002-07:00Sorry for the double post - dunn how that happened.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-69190311516321788392008-04-25T18:59:00.001-07:002008-04-25T18:59:00.001-07:00Yes - if you are on a live vista machine, you could just acquire the data from there ( und the acquisition program from a removable disk). Not perfect forensically and you'll have to have admin rights - thanks to UAC.<BR/><BR/>But your description of Vista/Bitlocker is right on and an excellen resource. <BR/>Thanks!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-28177277424873418782008-04-25T18:59:00.000-07:002008-04-25T18:59:00.000-07:00Yes - if you are on a live vista machine, you could just acquire the data from there ( und the acquisition program from a removable disk). Not perfect forensically and you'll have to have admin rights - thanks to UAC.<BR/><BR/>But your description of Vista/Bitlocker is right on and an excellen resource. <BR/>Thanks!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-59973812620572556122008-04-24T10:55:00.000-07:002008-04-24T10:55:00.000-07:00Anonymous, thanks for your comments and observations.<BR/><BR/>A couple of comments: I never recommended REMOVING" Bitlocker since that will severely alter the data and there are other workarounds that will work and there is no reason to decrypt the volume since you can make a image of the decrypted data using other methods.<BR/><BR/>I am not sure what you mean by "you can just analyze/preview the live system?" Are you saying thats all you can do? or are you saying that you can perform an analysis on the live running machine?<BR/><BR/>I concur with your observations of unallocated space.<BR/><BR/>Thanks again for your comments.Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-91861483098615034022008-04-24T10:43:00.000-07:002008-04-24T10:43:00.000-07:00You can just analyze/preview the live system. Also, most BitLocker intallations just use the TPM and NOT the PIN/USB modes.<BR/><BR/>Also, when BitLocker gets installed, all the unallocated space (minus 10 GB) gets filled with encrypted 'W'. So these sectors show that they have not been written to since that point!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-33214044955086249362008-04-24T10:34:00.000-07:002008-04-24T10:34:00.000-07:00I meant that when bitlocker is REMOVED so that you can forensically analyze the disk everything but unallocaed will get decrypted and the key blob deleted.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-38405315847308312682008-04-22T20:18:00.000-07:002008-04-22T20:18:00.000-07:00You are correct, EnCase can handle Bitlocker as long as you have the recovery password or key protector AND you must have the EDS module.<BR/><BR/>When you disable bitlocker NOTHING gets decypted, not unallocated space or allocated space, everything remains encrypted. The only difference is that the key is stored on the drive so that you dont need to present the key from the USB in order to boot. The encryption keys are not wiped, enabling Bitlockler using the same methods I described, restored Bitlocker back to the previous state requiring the USB startup key or recovery password in order to boot the OS.<BR/><BR/>I highly suggest using EnCase, if you have it and the EDS module, but the other techniques were presented as alternatives in case you do not.Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-62666492689113610662008-04-22T12:47:00.000-07:002008-04-22T12:47:00.000-07:00EnCase can handle BitLocker just fine.<BR/><BR/>Also, when you disable BitLocker through Vista, the unallocated space will NOT get decrypted! Furthermore the encryption keys get wiped.Anonymousnoreply@blogger.com