Bitlocker added to Image?  

seecs2011
(@seecs2011)
New Member

Hey all,

So I just acquired an image in the dd format from a Surface Book, and when I go to load it into AXIOM the main partition shows as BitLocker protected.

Here's the thing though: we don't use BitLocker, and the Surface does not have it enabled (I have checked).

I used a Caine instance and obtained the image using guymager. Does it add a passcode? I recently used it to obtain an image from an HP EliteBook and that image does not have BitLocker on it.

Needless to say, I am quite confused and Google is useless re this particular issue and guymager.

Thanks for any ideas!

Note: it reads in Autopsy fine from what I can tell.

Posted : 25/09/2019 6:03 pm
dandaman_24
(@dandaman_24)
Active Member

Look up clearkey BitLocker encryption.

Posted : 25/09/2019 7:29 pm
(@igor_michailov)
Senior Member

A lot of Surface Books are encrypted by BitLocker.

Posted : 25/09/2019 9:06 pm
(@amne5ia)
Active Member

With the Surface models, BitLocker is enabled out of the box but the encryption key is stored as a clearkey on the disk. If you choose to 'enable' BitLocker on the device, it enables the TPM (Trusted Platform Module), which from then on unlocks the BitLocker encryption key. Only then is the clearkey wiped.

It is the same as when you opt to suspend BitLocker encryption. The BitLocker clearkey is stored on the disk until the computer next restarts. People tend to suspend protection when they update BIOS etc., which would normally prevent the TPM from releasing the key…

For more info, check this link:

https://github.com/libyal/libbde/blob/master/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc#25-clear-key

Posted : 25/09/2019 9:24 pm
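
The clear-key state described in the post above can be checked directly on a raw dd image by listing the volume master key (VMK) protector types in the FVE metadata. The following is an added example, not code from the thread or from libbde: it assumes the Windows 7+ on-disk layout as documented in the libbde format document linked above (signature at byte 3, metadata offsets at byte 176, protection type inside each VMK entry), and `vmk_protectors` and `constructed_volume` are hypothetical names.

```python
import io
import struct

FVE_SIG = b"-FVE-FS-"
# VMK protection types as listed in the libbde BDE format documentation
PROTECTORS = {0x0000: "clear key", 0x0100: "TPM", 0x0200: "startup key",
              0x0500: "TPM+PIN", 0x0800: "recovery password", 0x2000: "password"}

def vmk_protectors(img, vol_off=0):
    """List VMK protector types of the volume at vol_off; None if not BitLocker."""
    img.seek(vol_off)
    boot = img.read(512)
    if len(boot) < 512 or boot[3:11] != FVE_SIG:
        return None
    # Assumed Windows 7+ layout: three FVE metadata block offsets at byte 176
    for meta_off in struct.unpack_from("<3Q", boot, 176):
        img.seek(vol_off + meta_off)
        block = img.read(64 + 48)  # block header + metadata header
        if len(block) < 112 or block[:8] != FVE_SIG:
            continue  # damaged or missing copy, try the next one
        meta_size, _version, hdr_size = struct.unpack_from("<3I", block, 64)
        if hdr_size != 48 or not 48 <= meta_size <= 1 << 20:
            continue
        entries, found, pos = img.read(meta_size - hdr_size), [], 0
        while pos + 8 <= len(entries):
            size, etype, vtype, _ver = struct.unpack_from("<4H", entries, pos)
            if size < 8 or pos + size > len(entries):
                break
            # entry type 0x0002 with value type 0x0008 is a volume master key
            if etype == 0x0002 and vtype == 0x0008 and size >= 36:
                (ptype,) = struct.unpack_from("<H", entries, pos + 34)
                found.append(PROTECTORS.get(ptype, hex(ptype)))
            pos += size
        return found
    return []

def constructed_volume(ptypes):
    """Constructed sample, not real evidence: one VMK entry per protection type."""
    ents = b"".join(struct.pack("<4H", 36, 2, 8, 1) + bytes(26) +
                    struct.pack("<H", p) for p in ptypes)
    meta = (FVE_SIG + bytes(56) + struct.pack("<3I", 48 + len(ents), 2, 48) +
            bytes(36) + ents)
    boot = bytearray(512)
    boot[3:11] = FVE_SIG
    struct.pack_into("<3Q", boot, 176, 4096, 1024, 1024)  # first copy missing
    return io.BytesIO(bytes(boot) + bytes(512) + meta)

if __name__ == "__main__":
    print(vmk_protectors(constructed_volume([0x0000])))          # clear-key-only state
    print(vmk_protectors(constructed_volume([0x0100, 0x0800])))  # TPM plus recovery
```

On a real image, open the dd file in binary mode and pass the partition's byte offset from the partition table as `vol_off`; a result containing only "clear key" corresponds to the state discussed in this thread.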
(@arsenalconsulting)
Junior Member

I think seecs2011 is all set and will let him explain more on that front.

We took some screenshots of common BitLocker states, as seen from the output of "manage-bde -status (volume letter)", and posted them here

https://twitter.com/ArsenalRecon/status/1176949908953272321

The BitLocker state seecs2011 is dealing with is similar to our "BitLocker Disabled/Suspended" screenshot, except in his case the protectors do not exist (instead of the protectors being disabled). Another way you could think of this particular state is "All BitLocker Protectors Removed" versus "All BitLocker Protectors Disabled." Both states involve clear keys.

Anyway, Windows and some digital forensics tools have no problem dealing with either of these states.

Posted : 25/09/2019 9:55 pm
cs1337
(@cs1337)
Member

I generally take a logical image to bypass this issue. If you go to BitLocker settings from Control Panel, it will show "waiting for activation". I prefer not to activate it on a custodian's computer and alter their settings.

Posted : 06/10/2019 5:28 am
dandaman_24
(@dandaman_24)
Active Member

Have you tried turning off the Passware module in the settings section of AXIOM? I had this issue the other day, albeit with a Mac image.

Posted : 06/10/2019 6:36 pm