Bitlocker Forensics Win 10

(@badgerau)
Posts: 96
Trusted Member
Topic starter
 

I am working on a Windows 10 machine and I am looking for evidence of the user turning on BitLocker encryption.

BitLocker was not turned on by default on this machine. It appears that the user turned on BitLocker, and I am looking for evidence of this, including the date and time this occurred.

I have not found the Windows Event Log ID for this.

Can anyone point me to where I can find evidence of this on Windows 10?

Thanks in advance

 
Posted : 06/02/2019 8:35 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

Have you looked to see if the BitLocker key was stored as a file on the device? I know this is not recommended when you create the key, but that doesn't mean it is not done. The creation date of the .txt might help. Or you could look to see if there is a link file to a USB drive where the file was stored. Many times people will check a file after it is transferred to an external drive to make sure it will open. I know these are low-tech solutions, but sometimes they are effective.

 
Posted : 06/02/2019 8:51 pm
(@badgerau)
Posts: 96
Trusted Member
Topic starter
 

Thanks.

Yes, I have searched the entire image of the machine and not found any file with the recovery key saved on the machine.

I extracted the recovery key from within the OS using

Start / type BitLocker / select Manage BitLocker from the list of results / select Back up your recovery key

 
Posted : 06/02/2019 8:57 pm
(@badgerau)
Posts: 96
Trusted Member
Topic starter
 

Thanks again. I have searched and not found either of those in the Event Logs.

 
Posted : 06/02/2019 9:18 pm
(@badgerau)
Posts: 96
Trusted Member
Topic starter
 

Thanks again. I have searched and not found either of those in the Event Logs.

The person who just posted the two Event IDs has deleted their post, but those Event IDs may be useful to others, so I am posting them: Event ID 24667 and Event ID 24665.

 
Posted : 06/02/2019 9:22 pm
(@badgerau)
Posts: 96
Trusted Member
Topic starter
 

Thanks to a private message, I have found Event ID 775 to be very relevant.

/Windows/System32/winevt/Logs/Microsoft-Windows-BitLocker%4BitLocker Management.evtx (Event ID 775)

 
Posted : 06/02/2019 9:53 pm
(@mansiu)
Posts: 83
Trusted Member
 

I have worked on a case with BitLocker before and I got an official reply from Microsoft about the date of encryption:

"the date stored in the FVE metadata block is the date that the disk has been encrypted"

For what the FVE metadata block is, please refer to https://github.com/libyal/libbde/blob/master/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc

 
Posted : 20/02/2019 10:57 am
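The FVE metadata block mentioned in the reply above can be read straight from a partition image without any BitLocker tooling. The Python below is an added example written for this thread; it is not code from the thread, from Microsoft or from libbde. Field offsets follow the libbde BDE format document linked above for the Windows 7 and later fixed-drive layout (volume header signature "-FVE-FS-", block offsets at 0xB0) and for BitLocker To Go ("MSWIN4.1", offsets at 0x1A8); the Vista layout is not handled. It reports the creation FILETIME from the metadata header (the date Microsoft refers to), the encryption method, the description string, and the last-modification time and protection type of each volume master key (VMK) entry, which shows when, for example, a recovery-password protector was written. All function names, the constant tables and the embedded sample image (built by `build_sample_volume`, with made-up GUIDs, computer name and dates) are assumptions of this example, not data from the case.

```python
"""Added example: pull encryption-date evidence out of a BitLocker FVE metadata block.
Offsets per the libbde BDE format document. Usage on a partition image whose
volume header sits at offset 0:  python fve_dates.py volume.img
"""
import mmap
import struct
import sys
import uuid
from datetime import datetime, timedelta, timezone

FVE_SIG = b"-FVE-FS-"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_TYPE_VMK, ENTRY_TYPE_DESCRIPTION = 0x0002, 0x0007
VALUE_TYPE_UNICODE, VALUE_TYPE_VMK = 0x0002, 0x0008
# Names taken from the libbde document; anything else is reported as raw hex.
ENCRYPTION_METHODS = {0x8000: "AES-CBC 128 + diffuser", 0x8001: "AES-CBC 256 + diffuser",
                      0x8002: "AES-CBC 128", 0x8003: "AES-CBC 256",
                      0x8004: "AES-XTS 128", 0x8005: "AES-XTS 256"}
VMK_PROTECTION = {0x0000: "clear key", 0x0100: "TPM", 0x0200: "startup key",
                  0x0500: "TPM + PIN", 0x0800: "recovery password", 0x2000: "password"}

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def metadata_block_offsets(volume):
    """Three redundant FVE metadata block offsets recorded in the volume header."""
    sig = volume[3:11]
    if sig == FVE_SIG:
        base = 0xB0           # Windows 7 and later NTFS volume
    elif sig == b"MSWIN4.1":
        base = 0x1A8          # BitLocker To Go (FAT-based volume)
    else:
        raise ValueError("no BitLocker signature in volume header: %r" % sig)
    return struct.unpack_from("<3Q", volume, base)

def parse_entries(volume, start, end):
    """Walk the metadata entries; decode the description and the VMK fixed fields."""
    entries, pos = [], start
    while pos + 8 <= end:
        size, etype, vtype, _ver = struct.unpack_from("<4H", volume, pos)
        if size == 0:
            break                                  # zero padding after the last entry
        if size < 8 or pos + size > end:
            raise ValueError("corrupt metadata entry at 0x%x" % pos)
        data = volume[pos + 8:pos + size]
        entry = {"type": etype, "value_type": vtype}
        if vtype == VALUE_TYPE_UNICODE:
            entry["string"] = data.decode("utf-16-le").rstrip("\x00")
        elif vtype == VALUE_TYPE_VMK:
            mtime, _unk, ptype = struct.unpack_from("<QHH", data, 16)
            entry.update(key_id=str(uuid.UUID(bytes_le=data[:16])),
                         last_modified=filetime_to_datetime(mtime),
                         protection=VMK_PROTECTION.get(ptype, "0x%04x" % ptype))
            # nested entries (stretch key, AES-CCM blobs) begin at data[28:]; not needed here
        entries.append(entry)
        pos += size
    return entries

def parse_metadata_block(volume, offset):
    sig, _size, version = struct.unpack_from("<8sHH", volume, offset)
    if sig != FVE_SIG:
        raise ValueError("no FVE metadata block at 0x%x" % offset)
    hdr = offset + 64                  # metadata header follows the 64-byte block header
    meta_size, _mver, header_size, _copy = struct.unpack_from("<4I", volume, hdr)
    _nonce, method = struct.unpack_from("<IH", volume, hdr + 32)
    created_ft, = struct.unpack_from("<Q", volume, hdr + 40)   # creation FILETIME
    return {"block_version": version,
            "volume_id": str(uuid.UUID(bytes_le=volume[hdr + 16:hdr + 32])),
            "encryption_method": ENCRYPTION_METHODS.get(method, "0x%04x" % method),
            "created": filetime_to_datetime(created_ft),
            "entries": parse_entries(volume, hdr + header_size, hdr + meta_size)}

def extract_encryption_dates(volume):
    """Return the first of the three metadata copies that parses cleanly."""
    err = None
    for off in metadata_block_offsets(volume):
        try:
            return parse_metadata_block(volume, off)
        except (ValueError, struct.error) as e:
            err = e
    raise ValueError("no usable FVE metadata block (%s)" % err)

def build_sample_volume():
    """Constructed one-block test image (not a real disk); all three offsets point at it."""
    created = datetime(2019, 2, 6, 8, 35, tzinfo=timezone.utc)
    desc = "DESKTOP-EXAMPLE C: 2/6/2019".encode("utf-16-le") + b"\x00\x00"
    entries = struct.pack("<4H", 8 + len(desc), ENTRY_TYPE_DESCRIPTION, VALUE_TYPE_UNICODE, 1) + desc
    vmk = (uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
           + struct.pack("<QHH", datetime_to_filetime(created + timedelta(seconds=42)), 0, 0x0800))
    entries += struct.pack("<4H", 8 + len(vmk), ENTRY_TYPE_VMK, VALUE_TYPE_VMK, 1) + vmk
    meta_size, block_off = 48 + len(entries), 512
    header = bytearray(512)
    header[3:11] = FVE_SIG
    struct.pack_into("<3Q", header, 0xB0, block_off, block_off, block_off)
    block = struct.pack("<8sHHHHQII3QQ", FVE_SIG, 48, 2, 0, 0, 64 << 20, 0, 16,
                        block_off, block_off, block_off, 0)
    meta = (struct.pack("<4I", meta_size, 1, 48, meta_size)
            + uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le
            + struct.pack("<IHH", 1, 0x8004, 0) + struct.pack("<Q", datetime_to_filetime(created)))
    return bytes(header) + block + meta + entries

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            print(extract_encryption_dates(m))
    else:
        print(extract_encryption_dates(build_sample_volume()))
```

Timestamps are UTC, so convert before comparing with the local-time Event Log entries. On a real volume the three metadata copies should agree; parse all three and treat a mismatch as a sign of tampering or a partially written block. The volume header must be at offset 0, so feed it a partition image rather than a whole-disk image.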