by Oleg Afonin, Danil Nikolaev and Yuri Gubanov
In our previous article, we talked about acquiring tablets running Windows 8 and 8.1. In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has their own share of surprises when it comes to acquisition.
The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect to an imaging device and collect evidence”. Sound familiar? Well, in today’s connected world things do not work quite like that.
In this article, we will have a look at measures the investigator has to take before taking the disk out, and even before pulling the plug, review Windows security measures and how they can work in combination with the computer’s hardware.
Windows Security Model
In our previous article, we mentioned Windows RT as an exemplary platform with strict and thorough implementation of a straightforward security model, which made forensic acquisition of Windows RT devices difficult. Fortunately for us, in general, Windows PCs and laptops are not anywhere close to reaching that security level, relying instead on restricting physical access to computer hardware and locking user accounts with passwords. This, however, does not protect the actual data.
Locked bootloader? We do not see that often on Windows laptops, let alone desktop computers. Secure Boot? Disabled by default or easily deactivated from the computer’s UEFI BIOS. BitLocker encryption? Not if the computer’s motherboard lacks TPM support. NTFS encryption? Can be attacked offline by recovering (or breaking) the user’s account password.
So does that all mean one can follow with the familiar pull-the-plug approach? Not quite. By powering down the device, you’ll be losing the content of the computer’s volatile memory, missing the chance to obtain valuable evidence – or even accessing the disk at all, if encrypted volumes are present.
Windows 7, BitLocker and TPM (Trusted Platform Module)
While BitLocker is an essential part of the Windows security model, it has never been all that popular on Windows desktops, and is only available on counted laptops. Why is it so?
Let us have a look at the Windows ecosystem consisting today of Windows tablets, laptops and desktop PCs. As mentioned in our previous article, Windows tablets run either Windows RT or Windows 8/8.1. These tablets often include TPM (Trusted Platform Module) hardware that is required for BitLocker to work. All Windows RT tablets and many mid-range and high-end Windows 8 devices such as Microsoft Surface Pro and Surface 3 are equipped with a TPM module and BitLocker, which activates automatically when the user logs in under their Microsoft Account credentials as an administrator.
This is not the case for many Windows desktops and laptops. First and most importantly, BitLocker is only available to Windows 7 (and Windows Vista) users in the Ultimate and Enterprise editions. These are the most expensive editions of Windows; relatively few of them were sold compared to the Professional edition.
Things have changed with the advent of Windows 8. While Windows 8 and 8.1 users can have BitLocker in the Pro and Enterprise editions, the core edition (as well as Windows RT) also supports BitLocker device encryption, a feature-limited version of BitLocker that encrypts the whole disk C: partition. Moreover, device encryption activates automatically when the user logs in as an administrator with their Microsoft Account.
While BitLocker device encryption is offered on all versions of Windows 8.1, device encryption requires that the device meets a number of specifications. Notably, the device must support Connected Standby, which requires solid-state drives, have non-removable RAM (to protect against cold boot attacks) and a Trusted Platform Module (TPM) 2.0 chip. Few laptops and very few desktops meet all specifications required for the activation of device encryption.
Are We Likely to See BitLocker Running on a Windows PC?
How likely is an investigator to encounter a BitLocker-protected device? If we were acquiring a Windows tablet, the chances would be pretty high, as BitLocker device encryption is activated automatically on most tablets. The chance of encountering BitLocker protection on a desktop or laptop computer are much lower.
By Q2 2015, about 16% of Windows computers are still running Windows XP, while over 60% are Windows 7 and Vista. That is 76% of devices that most likely will not have BitLocker protection (unless the user has Windows 7 Ultimate or Enterprise and manually activated BitLocker). Windows 8 and 8.1 together take a combined share of roughly 15% of the market. How many of those devices running Windows 8.x are using hardware that is not equipped with either a TPU chip, a solid-state storage or soldered memory chips is anyone’s guess. While we can expect BitLocker device encryption on most Windows tablets, the same cannot be said about Windows desktops and laptops. However, with more devices (especially laptops) manufactured to meet the required security standards, in time we will be seeing more BitLocker-encrypted computers.
Dealing with BitLocker Encryption
If you know the user’s Microsoft Account credentials, the user’s BitLocker Recovery Key can be retrieved from https://onedrive.live.com/recoverykey. Alternatively, when investigating a corporate computer, BitLocker Recovery Key can be obtained from the company’s Active Directory.
However, if the Recovery Key is not available, your only option of imaging a BitLocker disk would be capturing the content of the computer’s RAM (with a tool like Belkasoft Live RAM Capturer) and using a product such as Passware Kit Forensic or ElcomSoft Forensic Disc Decryptor to extract the binary key used by BitLocker to decrypt information. That key can be then used in the same product to mount BitLocker-protected partitions.
Making a RAM Dump
The importance of capturing memory dumps before shutting the computer down is hard to underestimate. Note that without a memory dump, you may be locked out of encrypted volumes and faced with the possibility of spending days or weeks trying to break into a crypto container – with dubious results.
Our tool of choice for making memory dumps is Belkasoft Live RAM Capturer. The tool runs in the system’s kernel mode, and allows acquisition of the complete contents of the computer’s ram along with protected memory areas.
Once RAM is captured, you will need to use a tool that has a Live RAM analysis feature. Belkasoft’s Evidence Center allows searching for various forensic artifacts inside the memory, like browser histories, including deleted data and Private browsing history, SQLite databases, pictures, documents, messenger chat histories, registry files, and more.
To sum up, acquiring Windows computers is more complex than simply pulling the plug and taking the disk out. Even if the computer is not protected by Windows security features such as BitLocker, acquiring data from a turned-off machine means missing evidence from Live RAM, where we are extremely likely to find some forensically important artifacts. That is why we strongly recommend creating a memory dump before powering down the computer.
About the authors
Oleg Afonin is Belkasoft’s sales and marketing director. He is an author, expert, and consultant in computer forensics.
Danil Nikolaev is Belkasoft’s sales and marketing manager, co-author, and content manager.
Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day, DE-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.
Contacting the authors
You can contact the authors via email: [email protected]
Follow Belkasoft on Twitter: https://twitter.com/Belkasoft
Subscribe to the blog: https://belkasoft.wordpress.com
About Belkasoft Research
Belkasoft Research is based in St. Petersburg State University, performing non-commercial researches and scientific activities. A list of articles by Belkasoft Research can be found at http://belkasoft.com/articles. To learn more about forensic analysis of RAM, please read Belkasoft article “Catching the ghost: how to discover ephemeral evidence with Live RAM analysis” at http://belkasoft.com/live-ram-forensics. Belkasoft’s previous article, Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets, can be found at http://belkasoft.com/en/ram-capture-on-windows-tablets. For more information about Belkasoft’s Live RAM Capturer, please visit http://belkasoft.com/en/ram-capturer.