I am working on a Windows 10 machine and I am looking for evidence of the user turning on BitLocker encryption.
BitLocker was not turned on by default on this machine. It appears that the user turned on BitLocker, and I am looking for evidence of this, including the date and time it occurred.
I have not found the Windows Event Log ID for this.
Can anyone point me to where I can find evidence of this on Windows 10?
Thanks in advance.
Have you looked to see if the Bitlocker Key was stored as a file on the device? I know this is not recommended when you create the key, but it doesn't mean it is not done. The creation date of the .txt might help. Or you could look to see if there is a link file to a USB drive where the file was stored. Many times people will check a file after it is transferred to an external drive to make sure it will open. I know these are low-tech solutions, but sometimes they are effective.
Thanks.
Yes I have searched the entire image of the machine and not found any file with the recovery key saved to the machine.
I extracted the recovery key from within the OS using
Start / type BitLocker /select Manage BitLocker from the list of results / select Back up your recovery key
Thanks again. I have searched and not found either of those in the Event Logs.
The person who just posted the two Event IDs has deleted their post, but those Event IDs may be useful to others, so I am posting them: Event ID 24667 and Event ID 24665.
Thanks to a private message I have found EVENT ID 775 to be very relevant
/Windows/System32/winevt/Logs/Microsoft-Windows-BitLocker%4BitLocker Management.evtx (EVENT ID 775)
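One way to pull these events from the exported logs, as an added example that is not part of the original posts. It assumes the `winevt\Logs` folder has been copied out of the image to the hypothetical path in `$LogDir`, and it searches every log for the three Event IDs named in this thread, since the thread does not say which log holds 24665 and 24667.

```powershell
# Assumption: winevt\Logs was exported from the forensic image to this folder (hypothetical path).
$LogDir = 'E:\case\export\winevt\Logs'

# Event IDs mentioned in this thread.
$Ids = 775, 24665, 24667

# Build an XPath filter: *[System[EventID=775 or EventID=24665 or EventID=24667]]
$XPath = '*[System[' + (($Ids | ForEach-Object { "EventID=$_" }) -join ' or ') + ']]'

$hits = foreach ($file in Get-ChildItem -LiteralPath $LogDir -Filter '*.evtx') {
    # Get-WinEvent raises an error when a log has no matching records (or is unreadable);
    # suppress it so the loop moves on to the next file.
    Get-WinEvent -Path $file.FullName -FilterXPath $XPath -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                # Normalise to UTC so the timeline does not depend on the analysis machine's time zone.
                TimeUtc  = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
                EventId  = $_.Id
                RecordId = $_.RecordId
                LogFile  = $file.Name
                # First line of the rendered message; may be empty if the analysis
                # machine lacks the provider's message resources.
                Message  = ("$($_.Message)" -split "`r?`n")[0]
            }
        }
}

# Earliest record first: the first hit is the candidate date and time to corroborate.
$hits | Sort-Object TimeUtc | Format-Table -AutoSize -Wrap
```

Run it against a working copy of the logs, never the original evidence, and record the RecordId and LogFile of each hit so the finding can be reproduced.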
I have worked on a case with BitLocker before, and I got an official reply from Microsoft about the date of encryption:
"the date stored in the FVE metadata block is the date that the disk has been encrypted"
As for what the FVE metadata block is, please refer to https://