I know it's been discussed and most have said it can't be done!!!
I've got a laptop that's been seized, but before seizure was shut down.
The imaging has been done, and I've found the laptop's drive has been encrypted using BitLocker.
I've looked around and it seems that the only app that can decrypt is Passware Kit Forensic, but this requires a dump of the RAM whilst the machine is still logged in.
Passware says it can bruteforce TrueCrypt, but does anyone have any experience of it bruteforcing BitLocker?
Any advice and or guidance appreciated.
EnCase has facilities to decrypt BitLocker but you require the recovery key, which can sometimes be found on associated removable media. As for brute forcing, I have no idea. Good luck with it, be interested to see what happens with this one.
You didn't give any specifics about the nature of the case, so this may have limited use.
Never underestimate the weakest link in technology, the person. If questioning won't get the password out of them, intentionally or not, then their password may be written down somewhere, or another user may know it.
Maybe these help (or maybe not)
http//
http//
jaclaz
twjolson has it right!
You are screwed unless you have located the recovery key; by default, when BitLocker is enabled it enforces that either a recovery key and/or recovery password is created.
The second link posted by jaclaz refers to the enterprise edition of BitLocker. If this case involves a business laptop which was using this version you will need the machine name to ask the Admin for the recovery credentials, which may be obtained from Active Directory, dependent on policy settings.
Also, if you are able to recover the .BEK file, EnCase has support for accessing BitLocker volumes when this is supplied. Start searching recovered volumes for this file; it is likely to be on a USB key but can be dumped to any FAT/NTFS volume.
Good luck!
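The post above suggests searching recovered volumes for the .BEK external key file and, earlier in the thread, for recovery passwords written down somewhere. The following is an added example, not code from this thread or from EnCase, of a small triage script that does that search over a mounted or extracted volume: it lists files with a .BEK extension (noting whether the name has the usual {GUID}.BEK form) and scans small text files for 48-digit recovery passwords, discarding digit strings that fail the documented format rule (each six-digit group is a multiple of 11 and below 720896). The sample directory tree, the GUID, the key file contents and the recovery password in it are all constructed for the demonstration and are not real key material.

```python
"""Triage a recovered volume for BitLocker key material: .BEK external key files
and 48-digit recovery passwords left in text files. Example written for this
thread; paths, names and values below are constructed."""
import os
import re
import tempfile
from pathlib import Path

# External key files are normally named after a GUID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.BEK
BEK_NAME_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.BEK$", re.IGNORECASE)
# A recovery password is eight groups of six digits separated by hyphens.
RECOVERY_RE = re.compile(r"(?<!\d)\d{6}(?:-\d{6}){7}(?!\d)")
MAX_TEXT_SCAN = 4 * 1024 * 1024  # only read files up to this size as text


def is_valid_recovery_block(block: str) -> bool:
    """Each group is a multiple of 11 and below 11 * 2**16 = 720896 (the group
    divided by 11 is one 16-bit word of the key). Dates, phone numbers and most
    random digit runs fail this check, which removes false positives."""
    if len(block) != 6 or not block.isdigit():
        return False
    n = int(block)
    return n % 11 == 0 and n < 720896


def is_valid_recovery_password(candidate: str) -> bool:
    groups = candidate.split("-")
    return len(groups) == 8 and all(is_valid_recovery_block(g) for g in groups)


def find_recovery_passwords(text: str) -> list:
    """Return every format-valid recovery password found in a piece of text."""
    return [m.group(0) for m in RECOVERY_RE.finditer(text)
            if is_valid_recovery_password(m.group(0))]


def scan_tree(root: Path) -> dict:
    """Walk a volume and report candidate .BEK files and recovery passwords."""
    hits = {"bek_files": [], "recovery_passwords": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(".bek"):
                hits["bek_files"].append(
                    {"path": str(path), "guid_named": bool(BEK_NAME_RE.match(name))})
                continue
            try:
                if path.stat().st_size > MAX_TEXT_SCAN:
                    continue
                text = path.read_text(errors="ignore")  # binary files just yield no matches
            except OSError:
                continue
            for pw in find_recovery_passwords(text):
                hits["recovery_passwords"].append({"path": str(path), "password": pw})
    return hits


def build_sample_tree() -> Path:
    """Constructed sample volume: one GUID-named .BEK placeholder, one printed
    recovery-key text file, and a decoy digit string that fails the 11-check."""
    root = Path(tempfile.mkdtemp(prefix="bl_triage_"))
    (root / "usb").mkdir()
    # Placeholder bytes only; this is not a real BEK structure.
    (root / "usb" / "{01234567-89AB-CDEF-0123-456789ABCDEF}.BEK").write_bytes(b"BEK-PLACEHOLDER")
    (root / "Documents").mkdir()
    (root / "Documents" / "BitLocker Recovery Key.txt").write_text(
        "BitLocker Drive Encryption recovery key\n"
        "Recovery Key: 135795-597531-000011-720885-000000-440000-258016-109989\n")
    (root / "Documents" / "notes.txt").write_text(
        "order ref 123456-234567-345678-456789-567890-678901-789012-890123\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(scan_tree(build_sample_tree()), indent=2))
```

Run it against the mount point of the imaged media (or the export folder from your forensic tool) instead of the constructed tree; a .BEK hit is what EnCase needs, and a validated recovery password can be used directly in the tool's BitLocker support.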
> You didn't give any specifics about the nature of the case, so this may have limited use.
> Never underestimate the weakest link in technology, the person. If questioning won't get the password out of them, intentionally or not, then their password may be written down somewhere, or another user may know it.
Yup - any photos or access to the user's physical desk? Post-it notes are usually not encrypted and contain passwords in plain text )
If I may put my two pence in. Unless the laptop was encrypted with a TPM chip on the board, the drive should boot into the Windows login screen, no? If so then the password would be loaded into RAM, allowing you to remove it? I did a paper on it at uni and got 100% D
Check this link - http//
Let us know how you get on.
Thank you all very much, that's some very useful info.
I've been searching other media for any files that could be associated with BitLocker, and will have a search for the .BEK file also.
Sorry for the limited amount of information; we've had a laptop from a client that didn't seem to have much information, and after a great deal of trying to understand the encryption mechanism I worked out it was BitLocker - TPM is disabled at BIOS level, and the machine's running Windows 7.
I've booted the machine up to the Windows logon screen to be presented with a logon account; it doesn't seem to be domain related. I have asked the client for any other info/mem sticks etc, and so we're awaiting those.
Nizmon, thanks for the link. I'll have a look into maybe trying to pull it via RAM, but I thought that the newer versions of BitLocker and TrueCrypt randomise the storage of the keys. Still, we can but try; I will get back to you guys and let you know if it works with Win7.
A word of caution: when freezing the RAM, you should be very aware of condensation/humidity problems, see the
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6540069
Avoiding spraying directly on the chips (and connectors) is a good idea.
Some kitchen plastic film will do nicely.
jaclaz
If TPM is disabled in the BIOS, this may be worth a try. I've never tried it on a BitLocker system.
http//
–Chad