
Bitlocker Forensics Win 10  

badgerau
(@badgerau)
Member

I am working on a Windows 10 machine and I am looking for evidence of the user turning on BitLocker encryption.

BitLocker was not turned on by default on this machine. It appears that the user turned on BitLocker and I am looking for evidence of this, including the date and time this occurred.

I have not found the Win Event log ID for this.

Can anyone point me to where I can find evidence of this on Windows 10?

Thanks in advance

Posted : 06/02/2019 8:35 pm
kastajamah
(@kastajamah)
Member

Have you looked to see if the Bitlocker Key was stored as a file on the device? I know this is not recommended when you create the key, but it doesn't mean it is not done. The creation date of the .txt might help. Or you could look to see if there is a link file to a USB drive where the file was stored. Many times people will check a file after it is transferred to an external drive to make sure it will open. I know these are low-tech solutions, but sometimes they are effective.

Posted : 06/02/2019 8:51 pm
badgerau
(@badgerau)
Member

Thanks.

Yes, I have searched the entire image of the machine and not found any file with the recovery key saved to the machine.

I extracted the recovery key from within the OS using:

Start / type BitLocker / select Manage BitLocker from the list of results / select Back up your recovery key

Posted : 06/02/2019 8:57 pm
badgerau
(@badgerau)
Member

Thanks again. I have searched and not found either of those in the Event Logs.

Posted : 06/02/2019 9:18 pm
badgerau
(@badgerau)
Member

Thanks again. I have searched and not found either of those in the Event Logs.

The person who just posted the two Event IDs has deleted their post, but those event IDs may be useful to others, so I am posting them: Event ID 24667 and Event ID 24665.

Posted : 06/02/2019 9:22 pm
badgerau
(@badgerau)
Member

Thanks to a private message I have found Event ID 775 to be very relevant:

/Windows/System32/winevt/Logs/Microsoft-Windows-BitLocker%4BitLocker Management.evtx (Event ID 775)

Posted : 06/02/2019 9:53 pm
mansiu
(@mansiu)
Member

I have worked on a case with BitLocker before and I got an official reply from Microsoft about the date of encryption:

"the date stored in the FVE metadata block is the date that the disk has been encrypted"

For what the FVE metadata block is, please refer to https://github.com/libyal/libbde/blob/master/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc

Posted : 20/02/2019 10:57 am
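The FVE metadata block referred to in the post above can be read straight out of a volume image. The parser below is an added example, not code from this thread or from the libbde project; the field offsets follow the libbde format document linked above for the Windows 7 and later (version 2) layout, the encryption-method names are taken from that document as an assumption, and the sample block it builds is constructed rather than taken from a real case.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

FVE_SIGNATURE = b"-FVE-FS-"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Encryption method identifiers as listed in the libbde format document (assumption)
ENCRYPTION_METHODS = {0x8000: "AES-CBC 128 + diffuser", 0x8001: "AES-CBC 256 + diffuser",
                      0x8002: "AES-CBC 128", 0x8003: "AES-CBC 256",
                      0x8004: "AES-XTS 128", 0x8005: "AES-XTS 256"}
# Constructed sample timestamp, not taken from any real case
SAMPLE_CREATED = datetime(2019, 2, 6, 20, 35, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_fve_metadata_block(block: bytes) -> dict:
    """Parse the 64-byte block header plus the 48-byte metadata header (version 2 layout)."""
    if block[:8] != FVE_SIGNATURE:
        raise ValueError("not an FVE metadata block: signature mismatch")
    # Block header: signature, size, version, 2 unknowns, encrypted volume size,
    # unknown, volume header sectors, three metadata offsets, volume header offset
    (_, _, version, _, _, enc_size, _, _, off1, off2, off3,
     vh_off) = struct.unpack_from("<8sHHHHQIIQQQQ", block, 0)
    # Metadata header at offset 64: size, version, header size, size copy,
    # volume GUID, next nonce counter, encryption method, creation time (FILETIME)
    (_, _, hdr_size, _, guid, _, method,
     created) = struct.unpack_from("<IIII16sIIQ", block, 64)
    if hdr_size != 48:
        raise ValueError(f"unexpected metadata header size {hdr_size}")
    return {"version": version, "encrypted_volume_size": enc_size,
            "metadata_offsets": (off1, off2, off3), "volume_header_offset": vh_off,
            "volume_guid": str(uuid.UUID(bytes_le=guid)),
            "encryption_method": ENCRYPTION_METHODS.get(method, hex(method)),
            "creation_time": filetime_to_datetime(created)}

def build_sample_block(created: datetime = SAMPLE_CREATED) -> bytes:
    """Construct a minimal synthetic block so the parser can be exercised offline."""
    header = struct.pack("<8sHHHHQIIQQQQ", FVE_SIGNATURE, 64, 2, 0, 0, 256 * 1024**3,
                         0, 16, 0x2100000, 0x4100000, 0x6100000, 0x2110000)
    meta = struct.pack("<IIII16sIIQ", 48, 1, 48, 48, bytes(range(16)), 1, 0x8004,
                       datetime_to_filetime(created))
    return header + meta
```

On a real volume there are three copies of the metadata block, located via offsets in the volume header as described in the libbde document; parse all three and treat a disagreement in creation time between copies as a finding in its own right.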