Bitlocker Windows 7

7 Posts
5 Users
0 Likes
742 Views
maskrider
(@maskrider)
Posts: 21
Eminent Member
Topic starter
 

I came across a situation where a computer running Windows 7 Enterprise 32-bit is encrypted with a BitLocker key. Well, I have a BitLocker entry PIN for this computer, but there is another problem. This computer is also protected with administrator access control. With those security controls, I'm unable to do live imaging nor disable BitLocker.

Does anyone have a suggestion what i could do next?

 
Posted : 15/02/2016 8:25 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

This computer is also protected with administrator access control. With those security controls, I'm unable to do live imaging nor disable BitLocker.

You mean a "BIOS password" request at boot time?

jaclaz

 
Posted : 15/02/2016 1:42 pm
maskrider
(@maskrider)
Posts: 21
Eminent Member
Topic starter
 

Thank you for the reply jaclaz.

Nope, the computer I mention is protected with BitLocker encryption and administrator login (no BIOS password). What I have now is the BitLocker entry PIN and normal user credentials to access the Windows operating system. The problem is, normal user credentials don't allow any forensic software to run, since it's asking for administrator credentials. The only way I have is to decrypt the entire disk with the BitLocker recovery key (which I don't have) or to bypass the administrator account.

Any technique available to decrypt or bypass administrator account??

 
Posted : 15/02/2016 2:34 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thank you for the reply jaclaz.

Nope, the computer I mention is protected with BitLocker encryption and administrator login (no BIOS password). What I have now is the BitLocker entry PIN and normal user credentials to access the Windows operating system. The problem is, normal user credentials don't allow any forensic software to run, since it's asking for administrator credentials. The only way I have is to decrypt the entire disk with the BitLocker recovery key (which I don't have) or to bypass the administrator account.

Any technique available to decrypt or bypass administrator account??

So, let me see if I understand correctly.

  • You boot the computer.
  • You are prompted for a bitlocker pin.
  • You enter it and get to the "normal" Windows login.
  • You click on a "normal user" and provide its password.
  • At this point you are logged in a "normal" Windows system with non-admin privileges.

Is this a 32 bit or 64 bit Windows 7?

There is a technique that can be used to bypass the Logon, involving hex-editing a file (which should be possible from the "limited" account you can access).

There might be consequences (from a purely forensic viewpoint) i.e. besides the simple byte patch on the file some artifacts may be created by this "bypassed" logon, ideally you should test the procedure on a similarly set PC to document if and which changes/artifacts the procedure may cause.

(and it has to be seen - never tested this - if your "limited user" account can actually access the file to patch the bytes)

The method is normally implemented as a grub4dos script (that you cannot obviously use on a bitlockered system), but you can get from it the byte patch and then attempt to patch the file while "logged in" with a hex editor (or with gsar or similar).
http://reboot.pro/files/file/320-passpass/
http://reboot.pro/topic/18588-passpass-bypass-the-password/

jaclaz

 
Posted : 15/02/2016 3:40 pm
(@ssenyl)
Posts: 25
Eminent Member
 

Can't you image it offline (i.e. turn it off, remove the HDD and image it through a write blocker)?

Failing that, what about a boot disk (Linux or WinFE)?

 
Posted : 15/02/2016 3:50 pm
(@thefuf)
Posts: 262
Reputable Member
 

Thank you for the reply jaclaz.

Nope, the computer I mention is protected with BitLocker encryption and administrator login (no BIOS password). What I have now is the BitLocker entry PIN and normal user credentials to access the Windows operating system. The problem is, normal user credentials don't allow any forensic software to run, since it's asking for administrator credentials. The only way I have is to decrypt the entire disk with the BitLocker recovery key (which I don't have) or to bypass the administrator account.

Any technique available to decrypt or bypass administrator account??

Image the disk and mount the encrypted partition using a PIN on your machine, then image the unlocked partition.

 
Posted : 15/02/2016 5:48 pm
(@cults14)
Posts: 367
Reputable Member
 

It's been a while since I did this, but I've used a couple of methods. (a) Image the physical drive and use Arsenal Image Mounter later to Mount the image for processing and analysis, OR (b) create a logical image using WinFE

Boot from a WinFE USB stick
• Start system using the WinFE stick (use F12 to specify boot order)
• Connect the drive where you want the image to go (Destination)
• At first screen with options, Mount the internal drive (Source)
Also at this screen, Mount the Destination and remove the Read-Only restriction on it (and only it)
• Press Continue
• Open Command Prompt
• Type "manage-bde -status" and note the drive letter which is encrypted (assume E for now)
• Type "manage-bde -protectors -get E:"
• You will be presented with a Numerical Password ID and a TPM ID
• Call Service Desk and give them the first EIGHT characters of the Numerical Password ID, they should be able to give you the 48-digit Recovery Password
• Still at the Command Prompt, type "manage-bde -unlock E: -RecoveryPassword <48-digit-Recovery-Password>", that should unlock the drive

HTH

 
Posted : 17/02/2016 9:05 pm
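Two points in the WinFE procedure above are easy to get wrong at the keyboard: picking the right identifier out of the manage-bde protector listing to read to the service desk, and typing a 48-digit recovery password correctly after hearing it over the phone. The Python helper below is an added example, not code from the thread or from Microsoft's tooling. It parses a constructed approximation of `manage-bde -protectors -get E:` output (real output varies in wording and layout between Windows builds, so the regex is an assumption), takes the "key ID" as the first eight hex digits of the Numerical Password protector's GUID with the braces dropped, and checks the recovery password structure: eight groups of six digits, each a 16-bit value multiplied by 11, so each group must be divisible by 11 and no larger than 720885. The structural check catches a misheard digit before the unlock attempt is made; it does not confirm the password belongs to this volume.

```python
"""Helpers for the WinFE / manage-bde recovery workflow.

Added example, not from the forum thread. SAMPLE_PROTECTORS_OUTPUT is a
constructed approximation of `manage-bde -protectors -get E:` on a locked
volume; the exact layout is an assumption, so adjust PROTECTOR_RE if your
build prints protectors differently.
"""
import re
from typing import Dict

# Constructed sample output (GUIDs are made up, not real protector IDs).
SAMPLE_PROTECTORS_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume E: [OS]
All Key Protectors

    TPM And PIN:
      ID: {7A1F0C2E-3B44-4D5E-9F60-112233445566}

    Numerical Password:
      ID: {C0FFEE12-ABCD-4EF0-8123-456789ABCDEF}
"""

# A protector entry: a 4-space-indented "<Type>:" line followed by an "ID: {GUID}" line.
PROTECTOR_RE = re.compile(
    r"^ {4}(?P<type>[A-Za-z ]+):\r?\n\s+ID:\s*\{(?P<id>[0-9A-Fa-f-]{36})\}",
    re.MULTILINE,
)

# Each 6-digit group is a 16-bit value times 11, so 65535 * 11 is the ceiling.
MAX_GROUP_VALUE = 65535 * 11


def parse_protectors(output: str) -> Dict[str, str]:
    """Map protector type (e.g. 'Numerical Password') to its GUID without braces."""
    return {
        m.group("type").strip(): m.group("id").upper()
        for m in PROTECTOR_RE.finditer(output)
    }


def recovery_key_id(output: str) -> str:
    """Return the 8-character key ID the service desk matches against escrow.

    This is the first eight hex digits of the Numerical Password protector's
    GUID, which is also what the BitLocker recovery screen displays.
    """
    protectors = parse_protectors(output)
    if "Numerical Password" not in protectors:
        raise ValueError("volume has no Numerical Password (recovery password) protector")
    return protectors["Numerical Password"][:8]


def validate_recovery_password(candidate: str) -> bool:
    """Structural check of a 48-digit BitLocker recovery password.

    Accepts digits with optional dashes/spaces between groups. Every group
    must be divisible by 11 and at most MAX_GROUP_VALUE. A single misheard
    digit almost always breaks the divisibility rule, which is why this is
    worth running before typing the unlock command.
    """
    digits = re.sub(r"[\s-]", "", candidate)
    if len(digits) != 48 or not digits.isdigit():
        return False
    groups = [int(digits[i:i + 6]) for i in range(0, 48, 6)]
    return all(g % 11 == 0 and g <= MAX_GROUP_VALUE for g in groups)


def unlock_command(volume: str, recovery_password: str) -> str:
    """Assemble the manage-bde unlock line, refusing a malformed password."""
    if not validate_recovery_password(recovery_password):
        raise ValueError("recovery password fails the 48-digit structural check")
    groups = re.sub(r"[\s-]", "", recovery_password)
    formatted = "-".join(groups[i:i + 6] for i in range(0, 48, 6))
    return f"manage-bde -unlock {volume} -RecoveryPassword {formatted}"


if __name__ == "__main__":
    print("Key ID to read to the service desk:", recovery_key_id(SAMPLE_PROTECTORS_OUTPUT))
    # Constructed password that satisfies the structural rules (not a real key).
    demo = "123453-000011-000022-000033-000044-000055-000066-000077"
    print(unlock_command("E:", demo))
```

In the WinFE session the protector listing would come from running `manage-bde -protectors -get E:` and pasting its output into `parse_protectors`; here the constructed sample stands in for it so the block runs offline.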