I have read a lot regarding the future problems with Vista's "BitLocker" here on the forums. The main feeling I get is that if you have a live system, that is the best way to acquire your evidence from a system with BitLocker in place. How would one know if the system has BitLocker in place when it's live? Do you risk terminating the OS and acquiring "old school" and end up with an encrypted image, or should you just acquire the system while it is live?
I know these issues will probably not come up for a year or so, but what got me thinking is a CF student asked me a question…
Do you see the new security features in Windows Vista, such as BitLocker, to be a hindrance to computer forensics? BitLocker allows a criminal to encrypt the entire contents of their hard drive with nothing more than an encryption key stored on a USB flash drive. If that key were destroyed or lost, the OS would become unbootable. The encryption algorithm (128-bit AES) is also said to be virtually unbreakable with any normal computer. Are there ways to get around this problem, or would the seized data be unusable in prosecution?
I certainly believe this will be a hindrance on CF, but what new security technology hasn't been? I think in time the CF world will develop methods to overcome or "get around" these future difficulties. I do not currently know of any way to decrypt BitLocker based on the limited research. I would like to hear the opinions of you here, as this is one of my few outlets for speaking to CF professionals.
Thanks,
Kevin
According to this recent article, linked from the latest version of Forensic Magazine - http//
It's not going to be a big deal due to the hardware requirements for it to work to begin with (outside of the USB key, it requires a special chip on the motherboard to work).
They also recommend live imaging with the machine on, if possible, before shutting down, in the event that you don't have access to the USB key.
Also, in forensic environments, a BitLocker recovery key can be used to access the systems when a live forensic copy and the USB key are not possible.
hope this helps
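Kevin asks how an examiner would know a live system has BitLocker in place, and the reply above recommends imaging live and falling back to the recovery key. The following triage script is an added example, not code from this thread or from Microsoft; it assumes an elevated PowerShell session on Windows 8/Server 2012 or later, where the BitLocker module's Get-BitLockerVolume cmdlet exists (Vista exposes the same data via manage-bde). The function name Get-BitLockerTriage is my own.

```powershell
# Added example: decide between live and offline acquisition by reading the
# BitLocker state of every volume on a running (and therefore unlocked) system.
# Assumes an elevated session and the BitLocker module (Windows 8+ / 2012+).
# On Vista-era systems the equivalent is: cscript manage-bde.wsf -status

function Get-BitLockerTriage {
    [CmdletBinding()]
    param()

    Import-Module BitLocker -ErrorAction Stop

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types tell the examiner what an offline image will need:
        #   Tpm          -> bound to this machine's TPM; image is useless elsewhere
        #   ExternalKey  -> startup key on a USB stick (the case in the thread)
        #   RecoveryPassword -> the 48-digit key the reply above refers to
        $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        # On a live, unlocked volume the recovery password is readable by an
        # administrator; recording it keeps a later offline image decryptable.
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.RecoveryPassword }

        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            VolumeType         = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus   = $vol.ProtectionStatus    # On / Off
            LockStatus         = $vol.LockStatus          # Locked / Unlocked
            EncryptionMethod   = $vol.EncryptionMethod    # e.g. Aes128, XtsAes256
            PercentEncrypted   = $vol.EncryptionPercentage
            KeyProtectors      = $types
            RecoveryPassword   = ($recovery -join ';')
            # Protected and currently unlocked: exactly the situation where a
            # shutdown re-locks the disk, so image it live first.
            LiveImagingAdvised = ($vol.ProtectionStatus -eq 'On' -and
                                  $vol.LockStatus -eq 'Unlocked')
        }
    }
}

# Print the triage table; pipe to Export-Csv to preserve it in the case notes.
Get-BitLockerTriage | Format-Table -AutoSize
```

A volume with ProtectionStatus Off and EncryptionPercentage 0 has never been encrypted, so the "old school" pull-the-plug image will read normally.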
Yes and no.
Requiring a USB key isn't exactly a hard thing to come by (until more and more motherboards have the TPM chip); it's more the question of whether the user chooses to go down this route. Most people don't bother with the extra hassle, but receiving a seized home PC with no USB key isn't going to be fun.
Dell has been shipping PCs with TPM since 2005. I believe almost all current mobos have the TPM chip. If your mobo has Gbit capability, it has a TPM chip.