Bitlocker Artefacts  

The-Game
(@the-game)
New Member

Hi Experts,

Here I'm again to bother all of you, I'm working on a case where I need find if there has been any movement of data outside a particular system. I have looked at shellbag, link files, jumplist, internet history to see if there are any traces of data moving to external drive or any upload to cloud storage.

I would like to understand if there is an external drive encrypted with bitlocker mounted on the suspect machine then where all can I find traces for it like event logs, any artifact (windows system) which I might have missed, etc.

Appreciate any kind of lead.

Thanks in advance… :)

PS Ignore my limited knowledge in this field, still learning under the guidance of you guys and Google of course.

Posted : 04/03/2017 11:37 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

What tools are in your current tool box?

Knowing that will help the forum members provide some targeted advice.

Posted : 06/03/2017 9:13 pm
The-Game
(@the-game)
New Member

Hi Experts,

Tools at my disposal are Encase ver 6,7 &8, IEF, Nuix.

Regards
The-Game

Posted : 07/03/2017 6:46 pm
bytethese
(@bytethese)
New Member

If you are looking to see if anyone transferred data to an external drive, I don't believe whether it's encrypted or not should matter. Unless it's against policy to encrypt, etc. and that's a facet of your investigation. I would think that whether a regular NTFS volume or a BitLockered NTFS volume, you would see the S/N of the USB device in your setupapi.dev.log and be able to match a drive letter to the mounted volume via registry. Once you have the drive letter, you can do a link file analysis to see what files were opened from that volume and, based on date, show that on a particular date the drive letter was mounted, and therefore the data was put to the drive with S/N xxxxx.

I haven't had my second cup of coffee yet so hopefully that makes sense. :)

Posted : 07/03/2017 9:01 pm
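The workflow bytethese describes (USB serial from setupapi.dev.log, drive letter from the MountedDevices registry key, then LNK targets on that letter dated after the device install) as an added Python example; it is not part of this thread, and the log section, registry values and LNK target list are constructed samples standing in for what EnCase, IEF or a LNK parser would export from a real image.

```python
import re
from datetime import datetime
# Constructed sample in the layout of setupapi.dev.log (vendor strings and serial are made up)
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0C9D92B1F2A3&0]
>>>  Section start 2017/02/28 14:05:11.203
<<<  Section end 2017/02/28 14:05:12.880
"""
# Constructed sample of SYSTEM\MountedDevices values (REG_BINARY; USB entries are UTF-16LE device paths)
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": b"DMIO:ID:" + bytes(16),  # internal volume, not USB-backed
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#0C9D92B1F2A3&0"
                         "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}
# Constructed (timestamp, target path) pairs as a LNK/JumpList parser would report them
LNK_TARGETS = [
    (datetime(2017, 3, 1, 10, 12), "E:\\PERSONAL DOCS\\CLIENT-LIST.xlsx"),
    (datetime(2017, 3, 1, 10, 30), "C:\\Users\\suspect\\Documents\\notes.txt"),
]
INSTALL_RE = re.compile(r">>>\s+\[Device Install .*? - USBSTOR\\(?P<dev>[^\]]+)\]\s*\n"
                        r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def usb_installs(log_text):
    """USBSTOR serial -> earliest 'Section start' time of its Device Install section."""
    installs = {}
    for m in INSTALL_RE.finditer(log_text):
        serial = m.group("dev").rsplit("\\", 1)[1].split("&")[0]   # e.g. 0C9D92B1F2A3
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        installs[serial] = min(ts, installs.get(serial, ts))
    return installs

def usb_drive_letters(mounted):
    """Drive letter -> USBSTOR serial for MountedDevices entries backed by a USB disk."""
    usb_prefix = "_??_USBSTOR#".encode("utf-16-le")
    letters = {}
    for name, data in mounted.items():
        if name.startswith("\\DosDevices\\") and data.startswith(usb_prefix):
            letters[name[-2]] = data.decode("utf-16-le").split("#")[2].split("&")[0]
    return letters

def attribute_lnk_targets(lnk_targets, log_text, mounted):
    """Keep LNK targets on a USB-backed letter whose timestamp is after that device's first install."""
    installs, letters = usb_installs(log_text), usb_drive_letters(mounted)
    hits = []
    for seen, target in lnk_targets:
        serial = letters.get(target[0].upper()) if re.match(r"[A-Za-z]:\\", target) else None
        if serial in installs and installs[serial] <= seen:
            hits.append((target, serial, installs[serial]))
    return hits
```

Drive letters get reused across devices, so on a real image the MountedDevices mapping should be taken from the hive as of the date in question (restore points, transaction logs or backed-up hives) rather than only the live one.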
UnallocatedClusters
(@unallocatedclusters)
Senior Member

A simple trick is to search the forensic image of the workstation for

"E:\"
"F:\"
"G:\"
"H:\"
"I:\"
"J:\"
"K:\"
etc.

Although to my knowledge, Windows does not keep any record of the specific files copied from a Windows OS workstation to external USB media, you might get lucky if the suspect accessed files that have been transferred to the external USB media after transferring them to the external USB media, in which case you should see something like, "E:\PERSONAL DOCS\CLIENT-LIST.xlsx".

That is why I usually run a global search for the drive letter paths to see what comes up.

Why do you suspect Bitlocker? Did you see a Windows Event Log entry for encrypting an external USB drive with BitLocker? Why does BitLocker encryption matter?

Posted : 07/03/2017 10:48 pm
Cults14
(@cults14)
Active Member

> That is why I usually run a global search for the drive letter paths to see what comes up.

Interesting. I normally use TZWorks Link and JumpList parsers, which seem to be reliable, to see if there's anything non-C:\ (internal corporate sometimes have D:\ as well but it depends on the site), then look at ShellBags for similar. This usually takes less than an hour, sometimes much less. If there are external file references I give them to someone in the business who might understand the filenames and THEN if there's anything to worry about we try to match devices to filenames. But even that seems to be getting harder with SSDs and the consequent lack of EMDMGMT volume serial numbers.

I also look at outgoing emails from the user's corporate account to see if any attachments have gone to what look like private email addresses (this is OK under our AUP).

But TBH nowadays users seem to be either getting smarter about taking stuff out or they're getting more honest (which I doubt).

As a matter of interest, what's your process for searching a forensic image for text strings and how long does it take?

Cheers

Posted : 14/03/2017 2:59 pm