Notifications

Clear all

Bitlocker - Windows 10

Rapid015 · 2016-08-03T19:32:18Z

Hello,I was recently on a case which involved Windows 10 laptops using Bitlocker encryption and have not found a program which can decrypt the encrypted volumes within the forensic images.I had obtained complete physical and verified images while on site via Paladin Edge to E01 of the Win10 machines with bitlocker enabled. Upon returning to my lab, with the thought that EnCase could handle Bitlocker, I attempted to decrypt the images in EnCase v7.11 (both 32 & 64 bit). I input the Bitlocker key provided to me for each machine and no errors were thrown however the encrypted volumes were not decrypted. After speaking with EnCase technical support I learned that in the Fall of 2015 Microsoft released an update to Bitlocker for Windows 10 machines. This updated encryption is not supported by EnCase and was not on the list to be put into future releases.Has anyone else experienced this yet?Does anyone have any ideas on how to decrypt/view these volumes besides going back to the original machines?Thank you in advance.

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by AWForensicExpert 8 years ago

13 Posts

9 Users

0 Reactions

3,418 Views

RSS

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

22/08/2016 2:29 pm

However I thought Microsoft always retained the ability to decrypt Bitlocker.

Well, I would be curious to know where you found any info leading you to think that. ?

If you actually DO NOT give MS your Bitlocker key
https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/
http//arstechnica.com/information-technology/2015/12/microsoft-may-have-your-encryption-key-heres-how-to-take-it-back/

Allow me to doubt that they will be cracking it.

jaclaz

ReplyQuote

AmNe5iA

(@amne5ia)

Estimable Member

Joined: 9 years ago

Posts: 175

22/08/2016 8:50 pm

BitLocker recovery keys CAN be stored "in the cloud" (on microsoft servers).
You'll find them at the address below but you'll need the owners Microsoft Passport details (email and password) to access

https://onedrive.live.com/recoverykey

ReplyQuote

AWForensicExpert

(@awforensicexpert)

New Member

Joined: 8 years ago

Posts: 1

01/09/2017 11:56 am

Thank you everyone for the input. Your suggestions helped me obtain a solution.

Recap
I have verified E01's where the source machines were newer Windows 10 OS's with Bitlocker enabled. I needed access to the data however EnCase has been unsuccessful in decrypting these volumes.

Solution
Using a company Windows 10 machine with Bitlocker Version 1511 (encryption mode showing as "XTS-AES" - see image below) and Arsenal Image Mounter v2.0.010.0, I mounted the E01 file (When mounting, use the setting of 'Write Temporary'. Without this I ran into permission issues for user folders). All volumes mounted without issue and the encrypted one prompted me for the Bitlocker key. Once input I was able to view the contents of the volume as if it were an external drive.

A point worth noting - I ran a test with the Windows 10 machine encrypting a thumb drive and in the options it states this new disk encryption is not compatible with older versions of windows. The options below that statement allow the user to select either "New encryption mode…" or "Compatible mode…". This may explain why some people are able decrypt Windows 10 Bitlocker machines and other are not.

Thanks again.

Thanks a lot to you, Rapid015.

I recently had to work on the same case Imaging of a Surface Pro, Windows 10 with bitlocker.
While I never had any issue previously with other Windows 10 imaging, trying to mount this new image in Encase was impossible.

It seems like the bitlocker version used was the one mentioned by Rapid015 (XTS-AES) and we've finally been able to access the content of the image using the tool "Arsenal Image Mounter".

It's still amazing that Encase doesn't communicate on this issue, I sincerely hope it'll soon be implemented in a new version of the software.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
261 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed