Hey folks… Long time reader, first time poster 😉
Stumped here and would love some direction.
I have a laptop here. I imaged the drive and brought it into Encase. Encase recognized BitLocker Whole Disk Encryption. We have the Encryption Suite. I spoke with the company that owns the laptop and was provided with a BitLocker Password. Encase prompts for the Recovery Password or the Key. The password provided by the company does not work. Encase says "Password does not have 8 segments or there are white spaces at the end" when I try and use the password provided (which is just a 6 character numeric password).
To move things forward I made a copy of the HD and placed it back into the laptop. Power it on and it POSTs then asks for the password which works. It then boots to Windows 7 Enterprise. At this time I do not have the Username or password to logon to the machine and look around.
I am waiting for the company in question to open to see if by chance they can provide the username and password. I suspect they cannot provide the password as they are using AD. Possibly they can provide a Local Admin account.
Backing up the train a little, I would rather work the encrypted disk in Encase than logging onto the machine and re-imaging, to keep the forensic aspect of this case going.
So, how the heck do I get this disk decrypted? I thought having the password (that I know works) I would be set.
Any thoughts would be greatly appreciated.
I do have access to FTK and X-Ways as well, but would most likely have to go for a drive to use them. I would rather stick with Encase if possible but I will do what I have to!
Many thanks in advance!
Mike
So fundamentals in how BitLocker and TPM work would be beneficial; here is a quick overview.
So TPM is a physical chip that resides on the mobo of the laptop/workstation. It is used to store the encryption keys. When a drive is BitLocker'd, the key used to unlock the encryption is stored within the TPM.
When booting the machine up, a check of the environment is made (so what hardware is installed, is the genuine Microsoft boot loader in place). If the environment is OK, it asks the user for a password. If the password is correct, then the TPM chip releases the encryption key so the boot loader can continue loading the OS. If the environment is not correct, or the HDD has been inserted into another computer, you then have to enter the recovery key. This is a long key (can't remember the actual length) that will unlock the encryption.
So in essence the password has no effect on the encryption in BitLocker. What you need is the recovery key, essentially the encryption key. Depending on how the company has set up their BitLocker group policies, it may be in a text file somewhere, printed or stored within Active Directory.
You are seemingly confusing two different items
- Bitlocker Password
- Bitlocker Recovery key
#1 is the password the user uses normally, #2 is a Recovery key, in the format of a 48-digit numerical key, 8 groups of 6 numbers 0-9.
See
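http://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption
http://windowsitpro.com/microsoft-surface/locating-your-microsoft-surface-bitlocker-recovery-key
http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/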
jaclaz
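The format check behind the Encase error quoted in the first post, as an added example that is not part of any post in this thread: it tests whether a string has the recovery-password shape described above (8 groups of 6 digits, no stray whitespace). The multiple-of-11 and 16-bit rules come from the publicly documented BitLocker recovery password format, not from this thread; the sample value is constructed.

```python
import re
import struct

GROUPS = 8  # a recovery password has 8 dash-separated groups of 6 digits

# Constructed sample (not a real key): each group is a 16-bit value times 11.
SAMPLE = "011000-720885-135795-597531-000011-440000-244442-366663"


def check_recovery_password(text):
    """Return (True, 16 raw bytes) if text is well formed, else (False, reason)."""
    if text != text.strip():
        return False, "leading or trailing whitespace"
    groups = text.split("-")
    if len(groups) != GROUPS:
        return False, f"expected {GROUPS} groups, got {len(groups)}"
    words = []
    for i, group in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{6}", group):
            return False, f"group {i} is not 6 digits"
        value, remainder = divmod(int(group), 11)
        if remainder != 0:
            # Every valid group is a multiple of 11, which catches most typos.
            return False, f"group {i} is not a multiple of 11"
        if value > 0xFFFF:
            return False, f"group {i} exceeds 720885"
        words.append(value)
    # 8 little-endian 16-bit words make up the 128-bit value the password encodes.
    return True, struct.pack("<8H", *words)


if __name__ == "__main__":
    # A 6-digit boot PIN fails the shape check, as in the first post.
    for candidate in (SAMPLE, "123456", SAMPLE + " "):
        print(repr(candidate), "->", check_recovery_password(candidate))
```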
Getting there.. Thanks for the help..
I am logged into the laptop now with a local admin account on the copied harddrive.
I believe (guessing anyways) that I can generate the backup key from that account then bring it into Encase?
Thoughts?
Thanks!!!!!
Mike
A quick Google would reveal this.
http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/
Hopefully that helps. Please report back as I am interested to know if it works.
Confusing would indicate I know what I am doing 😉 I simply did not know! You are right though..
Thanks everyone
You are seemingly confusing two different items
- Bitlocker Password
- Bitlocker Recovery key
#1 is the password the user uses normally, #2 is a Recovery key, in the format of a 48-digit numerical key, 8 groups of 6 numbers 0-9.
See
http://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption
http://windowsitpro.com/microsoft-surface/locating-your-microsoft-surface-bitlocker-recovery-key
http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/
jaclaz
Thanks.. I had replied without actually getting to the step of searching.. Just wanted to toss the idea out there….
I will be booting up the laptop here in a couple minutes. Will let you know how it goes.
Many thanks to everyone!
Mike
A quick Google would reveal this.
http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/
Hopefully that helps. Please report back as I am interested to know if it works.
A quick Google would reveal this.
http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/
Hopefully that helps. Please report back as I am interested to know if it works.
Strangely similar to the link already provided :roll: 😉
jaclaz
And…. I am in….
Ran the manage-bde and dumped the password.. Plop that into Encase and life is good again.
Many thanks folks. Greatly appreciate the help.
Mike
And…. I am in….
Good :D
jaclaz