±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35264
New Yesterday: 0 Visitors: 146

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Wiping a BitLocker Encrypted USB Drive - Possible?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

UnallocatedClusters
Senior Member
 

Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 01, 18 08:35

I have a USB thumb drive (PNY USB 3.0 256GB) which is BitLocker encrypted, but the encryption key is no longer available.

I am not able to wipe the drive using OSForensics.

Is there a method or tool available to wipe BitLocker encrypted drives?

I am curious why the BitLocker encryption blocks wiping tools from wiping the drive if anyone has an opinion.  
 
  

JaredDM
Senior Member
 

Re: Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 01, 18 11:58

In disk manager remove the drive letter so it's no longer mounted.

If necessary, use a hex editor to modify the last byte of sector 0 from AA to BB. Then unplug and plug back in the drive. Now it should appear as not initialized and you can simply create a new partition table.
_________________
Lead Data Recovery Tech at Data Medics® - www.data-medics.com 
 
  

passcodeunlock
Senior Member
 

Re: Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 01, 18 12:00

It has to be some other issues, from what I know BitLocker can't interact at device block level in the way you write about it.

I think it's a Windows related issue not being able to work directly with the USB Drive at block level, try wiping it under Linux, for example with Paladin Edge.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

JaredDM
Senior Member
 

Re: Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 01, 18 12:11

Windows likes to lock components of the filesystem such as the MFT from being accessed by most software. It's likely to prevent viruses from leveraging that for ransomware purposes.

It's an annoyance we deal with daily working in data recovery where we need to clone/image/wipe drives all the time. But, we've learned a few tricks to get around it.

It's not likely related to the Bitlocker at all though, that's true. It's just Windows being annoying and trying to protect you from yourself.
_________________
Lead Data Recovery Tech at Data Medics® - www.data-medics.com 
 
  

UnallocatedClusters
Senior Member
 

Re: Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 01, 18 15:15

Thanks for the replies - I was actually able to wipe the USB drive using my Tableau TD2U.

So, as you have inferred, there must be a Windows based service that was preventing OSForensics from wiping the drive.  
 
  

passcodeunlock
Senior Member
 

Re: Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 02, 18 00:18

Good to know!

Could be that the Virtual Volume Manager got implemented a routine for BL header detection and turns on automatically the read-only attribute ?!

I find this a bit stupid, an OS shouldn't be blocking the user from explicitly doing something like this. In case of a built-in feature, there should be ONLY a warning or question like 'bla bla you are trying to zap a BL encrypted volume, continue or not ?!', but the decision should be mine Smile

Are the computers taking over the control ?!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

marcyu
Senior Member
 

Re: Wiping a BitLocker Encrypted USB Drive - Possible?

Post Posted: May 02, 18 08:22

GParted
_________________
Marc Yu
Vice President of Digital Forensics and e-Discovery 
 

Page 1 of 2
Page 1, 2  Next