
Windows 7 bitlocker

Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

Has anyone had any success with Win7 bitlocker?

I have a HDD from a laptop with TPM-based bitlocker. I do not have the laptop currently. I also have created an image of the same. I have the bitlocker keys.

None of the usual suspects (and their associated modules) - EnCase, FTK, X-Ways - support decryption of Win7 bitlocker yet.

This is a first for me. Options I'm considering aloud, but unsure as to the likelihood of success:

Mount Image Pro and Virtual Forensic Computing??
Restore image to 'identical' HDD, boot laptop (assuming client will provide hardware)??

Any thoughts welcomed.

Thanks in anticipation.

 
Posted : 21/09/2010 6:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Has anyone had any success with Win7 bitlocker?

NO.

See this recent thread
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6432

But I don't see how, if you have a key, it cannot work on "identical" or also "very similar" hardware, IF it is NOT TPM enabled (in which case you NEED the "recovery key" which you don't state whether you have or not).

"Bitlocker" by itself means "nothing", there are THREE different bitlocker "modes"
http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
and further "sub-categories".

Even if you succeed, problem might be (please read as WILL BE) the amount of "forensically sound" that you expect, if you actually boot from that disk you will create a number of modifications to the filesystem (and to the Registry, and to the event logs, etc.) that may, or may not be compatible with the scope of your research.

So, if you have the needed keys, I would try first thing the NVbit Linux FUSE driver (read-only) and UNFINISHED/EXPERIMENTAL
http://www.nvlabs.in/nodes/9
http://www.nvlabs.in/categories/3-Bitlocker

jaclaz

 
Posted : 21/09/2010 7:16 pm
Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

See this recent thread
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6432

Thanks for the post jaclaz. Yes, I had seen that thread prior to posting but considered that it was discussing the issue of key recovery. I can clarify that I do already have the recovery keys. I am interested in the most appropriate approach to take to 'serve up' the keys and examine the decrypted data.

So, if you have the needed keys, I would try first thing the NVbit Linux FUSE driver (read-only) and UNFINISHED/EXPERIMENTAL
http://www.nvlabs.in/nodes/9
http://www.nvlabs.in/categories/3-Bitlocker

I'll take a look.

Any other thoughts from the community would be appreciated.

 
Posted : 21/09/2010 7:54 pm
Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

Given the nature of the case, it was decided to take a dd image of the encrypted drive, restore it to another hard drive, mount that drive in Win 7, input the recovery key, remove bitlocker and image the restored decrypted representation of the suspect drive. The decryption process kept pausing, requesting chkdsk /r to be executed. Instead a small looping script was created to continually execute the command manage-bde -resume [volume letter] to resume the process each time without me nannying the PC.

Clearly does not satisfy ACPO1 but I was comfortable with the implications under ACPO2. Only about a dozen non-relevant (to the case) files were created, accessed or written to during the process to remove bitlocker.

 
Posted : 23/09/2010 5:21 pm
(@dforce)
Posts: 4
New Member
 

Maybe this is a late response, but I will give it anyway.

First thing I have to say is that a drive encrypted with bitlocker coming from a Windows 7 can only be 'decrypted' on a Windows 7 and not on a Windows Vista.

You could shorten the time by not decrypting the BitLocker-encrypted hard drive.
You had the recovery key.

So what you could have done
- image the suspect drive
- restore the dd to another drive
- add a write blocker to that drive
- attach the hard drive to your forensic computer as an external drive
- open the drive with the recovery key
- image that drive once everything on it is readable, without decrypting the drive (do not select 'turn off BitLocker'). Microsoft calls this decrypting on the fly. This image will contain the decrypted data.

Then use that image for your analysis.

 
Posted : 06/10/2010 1:07 am
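The two procedures described in this thread (Fab4's "unlock, turn BitLocker off, resume every time the conversion pauses, then image" and dforce's "unlock with the recovery password and image the volume while it is decrypted on the fly") can both be driven with the same built-in tool, manage-bde. The following PowerShell script is an added example and is not code from either poster. It assumes the restored clone of the suspect drive (never the original) is attached to a Windows 7 analysis box as drive X:, and that the 48-digit numerical recovery password is available; both values are placeholders. It parses the "Field: value" lines that manage-bde -status prints, so the script can decide for itself whether the volume is unlocked or whether the decryption has paused.

```powershell
# Added example, not from the original thread.
# Assumptions (placeholders): the cloned volume is X:, and the 48-digit
# numerical recovery password below is NOT a real key.
$Volume           = 'X:'
$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000'

function Get-BdeStatus {
    param([string]$Vol)
    # manage-bde -status prints lines such as "Conversion Status:  Fully Encrypted";
    # collect them into a hashtable keyed by the field name.
    $status = @{}
    manage-bde -status $Vol | ForEach-Object {
        if ($_ -match '^\s*([^:]+?):\s+(.+?)\s*$') {
            $status[$matches[1].Trim()] = $matches[2]
        }
    }
    return $status
}

# Approach described by dforce: unlock only, keep the key protectors in place.
# Afterwards the volume reads as plaintext (decryption on the fly) and can be
# imaged logically with the imaging tool of your choice.
function Unlock-Clone {
    manage-bde -unlock $Volume -RecoveryPassword $RecoveryPassword | Out-Null
    $s = Get-BdeStatus $Volume
    if ($s['Lock Status'] -ne 'Unlocked') {
        throw "Unlock of $Volume failed (Lock Status: $($s['Lock Status']))"
    }
    Write-Host "$Volume unlocked. Protection Status: $($s['Protection Status'])"
}

# Approach described by Fab4: remove BitLocker entirely. The conversion may pause
# (the thread reports repeated chkdsk /r requests); instead of babysitting the
# machine, poll the status and resume whenever it is paused.
function Remove-BitLockerFromClone {
    Unlock-Clone
    manage-bde -off $Volume | Out-Null
    do {
        Start-Sleep -Seconds 30
        $s    = Get-BdeStatus $Volume
        $conv = $s['Conversion Status']
        Write-Host ('{0}  {1}  {2}' -f (Get-Date -Format 'HH:mm:ss'), $conv, $s['Percentage Encrypted'])
        if ($conv -match 'Paused') {
            # If you prefer to honour the chkdsk request, run it here before resuming.
            manage-bde -resume $Volume | Out-Null
        }
    } until ($conv -eq 'Fully Decrypted')
    Write-Host "$Volume is fully decrypted; image it now."
}

# Pick one: Unlock-Clone (image while unlocked) or Remove-BitLockerFromClone.
Unlock-Clone
```

Run it from an elevated prompt. Note that on a foreign machine the TPM protector from the original laptop cannot be satisfied, which is exactly why the recovery password (or a .bek recovery key file via -RecoveryKey) is the only way in; and, as jaclaz and Fab4 point out, both approaches write to the volume, so keep the untouched dd image of the encrypted drive as your reference copy.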