
Bitlocker - Windows 10

(@rapid015)
Active Member
Joined: 11 years ago
Posts: 5
Topic starter  

Hello,

I was recently on a case which involved Windows 10 laptops using Bitlocker encryption and have not found a program which can decrypt the encrypted volumes within the forensic images.

I had obtained complete physical and verified images while on site via Paladin Edge to E01 of the Win10 machines with bitlocker enabled. Upon returning to my lab, with the thought that EnCase could handle Bitlocker, I attempted to decrypt the images in EnCase v7.11 (both 32 & 64 bit). I input the Bitlocker key provided to me for each machine and no errors were thrown however the encrypted volumes were not decrypted. After speaking with EnCase technical support I learned that in the Fall of 2015 Microsoft released an update to Bitlocker for Windows 10 machines. This updated encryption is not supported by EnCase and was not on the list to be put into future releases.

Has anyone else experienced this yet?

Does anyone have any ideas on how to decrypt/view these volumes besides going back to the original machines?

Thank you in advance.


   
citizen
(@citizen)
Eminent Member
Joined: 10 years ago
Posts: 38
 

I have NOT worked a case with Windows 10 being the OS in use yet. I suspect you could put EnCase 8 on a Win 10 box, use PDE with disk caching enabled, decrypt, and then image the decrypted volume. The support guys keep stating to me, though the devs do not confirm, that EnCase can be run on Win10 and they have successfully done so in a lab'd environment.

Just an opinion from the internet… )


   
(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
 

> Hello,
>
> I was recently on a case which involved Windows 10 laptops using Bitlocker encryption and have not found a program which can decrypt the encrypted volumes within the forensic images.
>
> I had obtained complete physical and verified images while on site via Paladin Edge to E01. Upon returning to my lab, with the thought that EnCase could handle Bitlocker, I attempted to decrypt the images in EnCase v7.11 (both 32 & 64 bit). I input the Bitlocker key provided to me for each machine and no errors were thrown however the encrypted volumes were not decrypted. After speaking with EnCase technical support I learned that in the Fall of 2015 Microsoft released an update to Bitlocker for Windows 10 machines. This updated encryption is not supported by EnCase and was not on the list to be put into future releases.
>
> Has anyone else experienced this yet?
>
> Does anyone have any ideas on how to decrypt/view these volumes besides going back to the original machines?
>
> Thank you in advance.

EnCase v7.12 is able to decrypt the new Windows 10 BitLocker encryption; I really don't know which technical support staff would say it is not supported in EnCase.


   
(@rapid015)
Active Member
Joined: 11 years ago
Posts: 5
Topic starter  

Mansiu,

I loaded all forensic images one at a time in EnCase v7.12.01x64 to no avail. As with v7.11.01 there is no error thrown and the encrypted volumes remain completely unallocated. I also attempted to input an incorrect random password - in which a checksum error was thrown. My next test was to input a valid bitlocker recovery password just from another machine. This process did not toss an error but continued to re-prompt me for a correct bitlocker recovery password before just going to the next screen with the unallocated volume. I also double checked that my hash values match on my working images.

The end result of my testing here leads me to believe that EnCase does recognize the correct bitlocker recovery password for the machine but doesn't decrypt it.

Have you successfully gotten this scenario to work on your case and/or testing?

Thanks for the input.


   
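The behaviour reported in the post above (a random value rejected with a checksum error, another machine's valid password accepted at entry) matches the documented format of the 48-digit recovery password, in which every 6-digit group is a multiple of 11 and encodes one 16-bit word. This is an added example, not part of the original thread and not EnCase's code; the sample passwords are constructed.

```python
import re
import struct


class RecoveryPasswordError(ValueError):
    """The text is not a structurally valid BitLocker recovery password."""


def parse_recovery_password(text):
    """Return the 16 bytes encoded by a 48-digit recovery password.

    Each of the 8 groups must be a multiple of 11 whose quotient fits in
    16 bits. This only checks structure; it says nothing about whether the
    password belongs to a particular volume.
    """
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != 8 or not all(re.fullmatch(r"\d{6}", g) for g in groups):
        raise RecoveryPasswordError("expected 8 groups of 6 digits")
    words = []
    for index, group in enumerate(groups, start=1):
        value = int(group)
        if value % 11:
            raise RecoveryPasswordError(f"group {index}: checksum error")
        if value // 11 > 0xFFFF:
            raise RecoveryPasswordError(f"group {index}: out of 16-bit range")
        words.append(value // 11)
    return struct.pack("<8H", *words)


def classify(text):
    """Describe what can be concluded from the password text alone."""
    try:
        parse_recovery_password(text)
    except RecoveryPasswordError as exc:
        return f"rejected: {exc}"
    return "well-formed: only an unlock attempt shows whether it fits the volume"


# Constructed samples, not real recovery passwords.
THIS_MACHINE = "000011-000022-000033-000044-000055-000066-000077-720885"
OTHER_MACHINE = "001100-002200-003300-004400-005500-006600-007700-008800"
RANDOM_DIGITS = "123456-234567-345678-456789-567890-678901-789012-890123"

if __name__ == "__main__":
    for sample in (THIS_MACHINE, OTHER_MACHINE, RANDOM_DIGITS):
        print(sample, "->", classify(sample))
```
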
tracedf
(@tracedf)
Estimable Member
Joined: 10 years ago
Posts: 169
 

> EnCase v7.12 is able to decrypt the new Windows 10 BitLocker encryption; I really don't know which technical support staff would say it is not supported in EnCase.

I emailed a contact there and he said they are using EnCase 7.13 with Bitlocker on Windows 10, no problems.

Why don't you make a copy of your disk image and mount it; then open the partition with BitLocker to confirm that it's valid, not corrupt, etc.?


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

I haven't tried this with Windows 10 however see the thread linked that has instructions on how to convert the encrypted E01 to DD, then convert that to VHD, mount in Windows and enter the unlock key.

http://www.forensicfocus.com/Forums/viewtopic/t=12904/


   
(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
 

> Mansiu,
>
> I loaded all forensic images one at a time in EnCase v7.12.01x64 to no avail. As with v7.11.01 there is no error thrown and the encrypted volumes remain completely unallocated. I also attempted to input an incorrect random password - in which a checksum error was thrown. My next test was to input a valid bitlocker recovery password just from another machine. This process did not toss an error but continued to re-prompt me for a correct bitlocker recovery password before just going to the next screen with the unallocated volume. I also double checked that my hash values match on my working images.
>
> The end result of my testing here leads me to believe that EnCase does recognize the correct bitlocker recovery password for the machine but doesn't decrypt it.
>
> Have you successfully gotten this scenario to work on your case and/or testing?
>
> Thanks for the input.

I have decrypted Windows 10 BitLocker with EnCase 7.12.

[edited] Just tried again with 7.12.01; I don't know why it does not work. I really remember I had a successful decryption before.


   
(@rapid015)
Active Member
Joined: 11 years ago
Posts: 5
Topic starter  

Thank you everyone for the input. Your suggestions helped me obtain a solution.

Recap
I have verified E01's where the source machines were newer Windows 10 OS's with Bitlocker enabled. I needed access to the data however EnCase has been unsuccessful in decrypting these volumes.

Solution
Using a company Windows 10 machine with Bitlocker Version 1511 (encryption mode showing as "XTS-AES" - see image below) and Arsenal Image Mounter v2.0.010.0, I mounted the E01 file (When mounting, use the setting of 'Write Temporary'. Without this I ran into permission issues for user folders). All volumes mounted without issue and the encrypted one prompted me for the Bitlocker key. Once input I was able to view the contents of the volume as if it were an external drive.

A point worth noting - I ran a test with the Windows 10 machine encrypting a thumb drive and in the options it states this new disk encryption is not compatible with older versions of Windows. The options below that statement allow the user to select either "New encryption mode…" or "Compatible mode…". This may explain why some people are able to decrypt Windows 10 Bitlocker machines and others are not.

Thanks again.


   
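Whether a given image uses the new XTS-AES mode or the older compatible mode can be read from the volume's unencrypted FVE metadata before choosing a tool. This is an added example, not part of the original thread; it assumes the on-disk layout published by the open-source libbde and dislocker projects for fixed-disk volumes (Windows 7 and later) and runs on a constructed sample volume.

```python
import struct

FVE_SIGNATURE = b"-FVE-FS-"
ENCRYPTION_METHODS = {
    0x8000: "AES-CBC 128-bit with Elephant diffuser",
    0x8001: "AES-CBC 256-bit with Elephant diffuser",
    0x8002: "AES-CBC 128-bit",
    0x8003: "AES-CBC 256-bit",
    0x8004: "XTS-AES 128-bit",
    0x8005: "XTS-AES 256-bit",
}


def bitlocker_encryption_method(image, volume_offset=0):
    """Return (code, name) for the BitLocker volume at volume_offset.

    image is a bytes-like view of a raw (dd) image; offsets follow the
    libbde/dislocker documentation and are an assumption of this example.
    """
    boot = image[volume_offset:volume_offset + 512]
    if len(boot) < 512 or boot[3:11] != FVE_SIGNATURE:
        raise ValueError("no BitLocker volume header at this offset")
    # Three redundant FVE metadata block offsets, relative to volume start.
    for block_offset in struct.unpack_from("<3Q", boot, 176):
        start = volume_offset + block_offset
        block = image[start:start + 112]
        if len(block) < 112 or block[:8] != FVE_SIGNATURE:
            continue  # damaged or missing copy, try the next one
        # 64-byte block header, then the method at +36 in the metadata header.
        (method,) = struct.unpack_from("<H", block, 64 + 36)
        return method, ENCRYPTION_METHODS.get(method, "unknown")
    raise ValueError("no intact FVE metadata block found")


def build_sample_volume(method):
    """Constructed 8 KiB volume whose first metadata copy is left blank."""
    volume = bytearray(8192)
    volume[3:11] = FVE_SIGNATURE
    struct.pack_into("<3Q", volume, 176, 1024, 4096, 6144)
    for offset in (4096, 6144):
        volume[offset:offset + 8] = FVE_SIGNATURE
        struct.pack_into("<H", volume, offset + 100, method)
    return bytes(volume)


if __name__ == "__main__":
    print(bitlocker_encryption_method(build_sample_volume(0x8004)))
```

On real evidence, run it against a raw copy of the image (an E01 has to be converted or mounted first) and pass the byte offset of the encrypted partition as `volume_offset`.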
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> encryption mode showing as "XTS-AES"

Yes, that explains the issue nicely, it was introduced in November 2015, with the 1511 version
http://www.winbeta.org/news/windows-10-version-1511-gets-new-xts-aes-bitlocker-encryption-algorithm

jaclaz


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
 

Are Microsoft not responsive to legal requests to decrypt Bitlocker?

My understanding was always Apple stopped being able to crack their own encryption around 2012 probably as a result of too many requests from law enforcement placing a burden on their resources.

However I thought Microsoft always retained the ability to decrypt Bitlocker.

I suspect anyone who has had experience of them doing this will be barred from disclosing this, but conversely has anyone seen a request to Microsoft to ask them to decrypt their software that they have been unable to comply with?


   