Wiping a BitLocker Encrypted USB Drive - Possible?

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

I have a USB thumb drive (PNY USB 3.0 256GB) which is BitLocker encrypted, but the encryption key is no longer available.

I am not able to wipe the drive using OSForensics.

Is there a method or tool available to wipe BitLocker encrypted drives?

I am curious why the BitLocker encryption blocks wiping tools from wiping the drive if anyone has an opinion.

 
Posted : 01/05/2018 2:35 pm
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

In disk manager remove the drive letter so it's no longer mounted.

If necessary, use a hex editor to modify the last byte of sector 0 from AA to BB. Then unplug and plug back in the drive. Now it should appear as not initialized and you can simply create a new partition table.

 
Posted : 01/05/2018 5:58 pm
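
An added example, not part of the original posts: it parses a constructed 8-sector disk image to show what changing the last byte of sector 0 from AA to BB does. The MBR signature check fails, so the disk looks uninitialized, but the partition entry and every data sector are still present until the media is actually overwritten. The image contents and all function names are assumptions made for this illustration.

```python
import struct

SECTOR = 512

def build_sample_image():
    """Constructed image: one MBR sector plus 7 sectors standing in for ciphertext."""
    mbr = bytearray(SECTOR)
    # Slot 0 at offset 446: status, CHS start, type, CHS end, first LBA, sector count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x00, bytes(3), 0x07, bytes(3), 1, 7)
    mbr[510:512] = b"\x55\xAA"  # MBR boot signature
    payload = bytes((i * 37 + 11) % 256 for i in range(7 * SECTOR))  # constructed data
    return mbr + payload

def has_mbr_signature(image):
    """True when sector 0 ends in 55 AA, the marker of an initialized MBR disk."""
    return bytes(image[510:512]) == b"\x55\xAA"

def partition_entries(image):
    """(type, first_lba, sector_count) for each non-empty slot, signature ignored."""
    found = []
    for slot in range(4):
        off = 446 + 16 * slot
        ptype = image[off + 4]
        first_lba, count = struct.unpack_from("<II", image, off + 8)
        if ptype != 0:
            found.append((ptype, first_lba, count))
    return found

def nonzero_sectors(image):
    """Sector indices that still hold data; an empty list means fully zeroed."""
    zero = bytes(SECTOR)
    return [i // SECTOR for i in range(0, len(image), SECTOR)
            if bytes(image[i:i + SECTOR]) != zero]

def invalidate_signature(image):
    """The hex-editor step from the post: last byte of sector 0, AA -> BB."""
    edited = bytearray(image)
    edited[511] = 0xBB
    return edited

def zero_fill(image):
    """What a real wipe leaves behind: every sector zeroed."""
    return bytearray(len(image))

if __name__ == "__main__":
    img = build_sample_image()
    edited = invalidate_signature(img)
    print("signature valid after edit:", has_mbr_signature(edited))
    print("partition entries still present:", partition_entries(edited))
    print("sectors with data after edit:", len(nonzero_sectors(edited)))
    print("sectors with data after zero fill:", len(nonzero_sectors(zero_fill(img))))
```
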
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

It has to be some other issues, from what I know BitLocker can't interact at device block level in the way you write about it.

I think it's a Windows related issue not being able to work directly with the USB Drive at block level, try wiping it under Linux, for example with Paladin Edge.

 
Posted : 01/05/2018 6:00 pm
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

Windows likes to lock components of the filesystem such as the MFT from being accessed by most software. It's likely to prevent viruses from leveraging that for ransomware purposes.

It's an annoyance we deal with daily working in data recovery where we need to clone/image/wipe drives all the time. But, we've learned a few tricks to get around it.

It's not likely related to the Bitlocker at all though, that's true. It's just Windows being annoying and trying to protect you from yourself.

 
Posted : 01/05/2018 6:11 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Thanks for the replies - I was actually able to wipe the USB drive using my Tableau TD2U.

So, as you have inferred, there must be a Windows based service that was preventing OSForensics from wiping the drive.

 
Posted : 01/05/2018 9:15 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Good to know!

Could it be that the Virtual Volume Manager had a routine implemented for BL header detection and automatically turns on the read-only attribute?!

I find this a bit stupid, an OS shouldn't be blocking the user from explicitly doing something like this. In case of a built-in feature, there should be ONLY a warning or question like 'bla bla you are trying to zap a BL encrypted volume, continue or not ?!', but the decision should be mine )

Are the computers taking over the control ?!

 
Posted : 02/05/2018 6:18 am
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

GParted

 
Posted : 02/05/2018 2:22 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

We tested it here and saw the same problem. The operating system returns this error when an attempt is made to zero the drive at a low level.
"This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel."

If the drive isn't mounted to a drive letter, then the error is different. The error in this case is "The device is not ready".

So it does seem like the Windows O/S is protecting the drive. Overwriting the drive in Linux is no problem, so it isn't anything physical in the drive.

But it seems there is also an exception to this protection in Windows. You can use diskpart.

In diskpart, as the admin user, do this,
select disk, clean, create partition primary, format OVERRIDE

We'll dig a bit deeper to see if we can understand why diskpart works, but the normal Windows APIs fail.

 
Posted : 02/05/2018 11:23 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

@Passmark Don't waste too much time on it, your question contains a self-explanatory answer already "Windows" )

 
Posted : 03/05/2018 9:33 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

So we dug into the problem a bit more. It seems Bitlocker locks the drive (as we already knew). It would seem self-evident that unmounting the drive should avoid this lock. But it doesn't.

According to Microsoft in MSDN, if a volume is dismounted, the next call to open the volume causes it to be mounted again (automatically).

So our speculation is that Bitlocker is doing some activity regularly in the background and the volume gets auto remounted fairly quickly after being dismounted. Which blocks the wiping of the drive.

But we also found there is an additional option in Windows to both dismount and take the volume 'offline'. Taking it offline removes the lock and allows the drive to be written to again. This change will appear in OSForensics V6 and the next release of ImageUSB. So there will be need to use Linux or the command line going forward.

 
Posted : 08/05/2018 2:10 am