Bitlocker Forensics Win 10

 
  

badgerau
Senior Member
 

Bitlocker Forensics Win 10

Post Posted: Feb 06, 19 14:35

I am working on a Windows 10 machine and I am looking for evidence of the user turning on Bitlocker encryption.

Bitlocker was not turned on by default on this machine. It appears that the user turned on Bitlocker and I am looking for evidence of this including the date and time this occurred.

I have not found the Win Event log ID for this.

Can anyone point me to where I can find evidence of this on Windows 10?

Thanks in advance  
 
  

kastajamah
Senior Member
 

Re: Bitlocker Forensics Win 10

Post Posted: Feb 06, 19 14:51

Have you looked to see if the Bitlocker Key was stored as a file on the device? I know this is not recommended when you create the key, but it doesn't mean it is not done. The creation date of the .txt might help. Or you could look to see if there is a link file to a USB drive where the file was stored. Many times people will check a file after it is transferred to an external drive to make sure it will open. I know these are low-tech solutions, but sometimes they are effective.  
 
  

badgerau
Senior Member
 

Re: Bitlocker Forensics Win 10

Post Posted: Feb 06, 19 14:57

Thanks.

Yes, I have searched the entire image of the machine and not found any file with the recovery key saved to the machine.

I extracted the recovery key from within the OS using:

Start / type BitLocker / select Manage BitLocker from the list of results / select Back up your recovery key
 
  

badgerau
Senior Member
 

Re: Bitlocker Forensics Win 10

Post Posted: Feb 06, 19 15:18

Thanks again. I have searched and not found either of those in the Event Logs.
 
  

badgerau
Senior Member
 

Re: Bitlocker Forensics Win 10

Post Posted: Feb 06, 19 15:22

- badgerau
Thanks again. I have searched and not found either of those in the Event Logs.


The person who just posted the two Event IDs has deleted their post, but those Event IDs may be useful to others so I am posting them: Event ID 24667 and Event ID 24665.
 
  

badgerau
Senior Member
 

Re: Bitlocker Forensics Win 10

Post Posted: Feb 06, 19 15:53

Thanks to a private message I have found EVENT ID 775 to be very relevant.

/Windows/System32/winevt/Logs/Microsoft-Windows-BitLocker%4BitLocker Management.evtx (EVENT ID 775)
 
  

mansiu
Senior Member
 

Re: Bitlocker Forensics Win 10

Post Posted: Feb 20, 19 04:57

I have worked on a case with BitLocker before and I got an official reply from Microsoft about the date of encryption:

"the date stored in the FVE metadata block is the date that the disk has been encrypted"

For what the FVE metadata block is, please refer to github.com/libyal/libb...t.asciidoc
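
The FVE metadata creation time mentioned in the last post can be read straight from a volume image. This is an added example, not part of the thread and not libbde code; the function names are hypothetical, and the 64-byte block header, 48-byte metadata header and FILETIME at offset 40 are assumptions based on the libbde format documentation for version 2 metadata, to be verified against that document.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"-FVE-FS-"
BLOCK_HEADER_SIZE = 64     # assumed: version 2 FVE metadata block header
META_HEADER_SIZE = 48      # assumed: FVE metadata header that follows it
CREATION_TIME_OFFSET = 40  # assumed: FILETIME position in the metadata header
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def find_fve_creation_times(data):
    """Return [(block_offset, metadata_version, creation_time_utc)]."""
    hits = []
    pos = data.find(SIGNATURE)
    while pos != -1:
        hdr = pos + BLOCK_HEADER_SIZE
        if hdr + META_HEADER_SIZE <= len(data):
            _size, version, hdr_size, _copy = struct.unpack_from("<4I", data, hdr)
            (ft,) = struct.unpack_from("<Q", data, hdr + CREATION_TIME_OFFSET)
            # The boot sector carries the same signature as its OEM ID, so
            # accept a hit only when the header size field is plausible.
            if hdr_size == META_HEADER_SIZE and ft:
                hits.append((pos, version, filetime_to_utc(ft)))
        pos = data.find(SIGNATURE, pos + 1)
    return hits

def build_sample():
    """Constructed test data: fake boot sector plus one metadata block."""
    when = datetime(2019, 2, 1, 9, 30, tzinfo=timezone.utc)
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    boot = (b"\xeb\x58\x90" + SIGNATURE).ljust(512, b"\x00")
    block = SIGNATURE.ljust(BLOCK_HEADER_SIZE, b"\x00")
    # size, version, header size, size copy, volume GUID, nonce, method, time
    meta = struct.pack("<4I16s2IQ", 48, 2, 48, 48, bytes(16), 1, 0x8004, ft)
    return boot + bytes(4096 - 512) + block + meta

if __name__ == "__main__":
    for offset, version, created in find_fve_creation_times(build_sample()):
        print(f"offset={offset} version={version} created={created.isoformat()}")
```

On a real case, run it against a read-only copy of the volume and compare the result with the Event ID 775 timestamp from the BitLocker Management log.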
 
