Encryption is a challenge in forensics, and the use of encryption to protect computer data is growing. Without a decryption key, the data and the potential evidence can’t be accessed. When you come across a system that is encrypted, taking the right steps now makes your life a lot easier down the line. In this post I will discuss BitLocker: what it is and what you should do.
What is BitLocker?
BitLocker is a full disk encryption feature included with Microsoft Windows. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) mode; since Windows 10 version 1511 it also supports XEX-based tweaked-codebook mode with ciphertext stealing (XTS) with a 128-bit or 256-bit key. CBC is not applied over the whole disk as one chain; it is applied to each individual sector. BitLocker is a logical volume encryption system.
To use BitLocker at least two NTFS-formatted volumes are required: one for the operating system and another from which the operating system boots. The volume is then encrypted as a background task, something that may take a considerable amount of time on a large disk, as every logical sector is read, encrypted and written back to disk. The keys are only protected once the whole volume has been encrypted; only then is the volume considered secure.
BitLocker uses a low-level device driver to facilitate the encryption and decryption process, making interaction with the encrypted volume transparent to applications running on the platform.
The Trusted Platform Module offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a random number generator. The software can use a Trusted Platform Module to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication. BitLocker uses the TPM chip to authenticate the computer prior to booting the OS.
BitLocker stores its Volume Master Key in the TPM chip. This key is used to decrypt the Full Volume Encryption Key stored on the encrypted volume. Once decrypted, the Full Volume Encryption Key is used to encrypt and decrypt data in RAM. BitLocker never stores unencrypted data on the hard drive; the unencrypted data only exists in RAM.
An additional authentication factor may also be required during boot. This can be a user-defined PIN or a key file stored on a USB drive. This additional authentication ensures only the authorized user is allowed access to the drive: not only does an unauthorized user need physical access to the authorized system, they must also have the PIN and/or the key file.
BitLocker and Forensics
You can’t access a BitLocker volume without the proper keys. If you need to examine a system that has been encrypted with BitLocker, you need to retrieve the keys. There is currently no viable way to bypass or crack BitLocker. BitLocker is, as explained above, a very secure and reliable encryption system. There are some tools on the market that are able to brute-force the encryption PIN/password, but these are painfully slow at the time of writing. Acquiring the key is your best bet to get access to the volume.
When you encounter a live system using BitLocker you should always do two things:
- Capture the RAM
- Export the BitLocker recovery key
1. Capture the RAM
This should always be the first step when you want to seize a live system. The RAM will contain a lot of information about the system, including the encryption keys. With the right tools (e.g. Elcomsoft Forensic Disk Decryptor or Passware Kit Forensic) you might be able to extract the encryption keys from the RAM dump later on.
See also: Forensics 101: RAM capture (FTK-Imager)
2. Export the BitLocker recovery key
BitLocker has a great feature called the “Recovery key”. The recovery key is a 48-character key used to regain access to your BitLocker volume in case of an emergency (e.g. you forgot your password or the motherboard/TPM is damaged).
When a BitLocker volume is mounted, it is possible to back up the recovery key. Doing this is easy, just follow these steps:
Control Panel > System and Security > BitLocker Drive Encryption
(or, in the icon view of the Control Panel: Control Panel > BitLocker Drive Encryption)
In the BitLocker Drive Encryption manager, you will see a list of drives that are currently connected to the system. Next to every drive, you will see whether BitLocker has been enabled or not.
In this example, we see that drive H: has BitLocker enabled. By expanding this option we get several options:
Here you also have the option to change or remove the password. But since we don’t want to modify the potential evidence and don’t want to risk the possibility that something goes wrong we will only back up the recovery key.
Selecting the option “Back up your recovery key” will open a new window.
Notice that the system did not ask for any verification. You don’t need to know the password of the volume in order to back up the key. BitLocker assumes that, since the volume is mounted and the user is logged in, you are authorized to back up the key.
Choose the option “Save to a file” and save the key to a safe location. You can now close this window. With the recovery key, you will always be able to decrypt the volume. Most forensic tools have some way to access BitLocker volumes using the recovery key.
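The same backup can be scripted, which is handy when a machine has several mounted BitLocker volumes or when you want the export logged and hashed as part of your acquisition notes. The following is an added example and is not code from the original post: a read-only equivalent of “Back up your recovery key” that walks every BitLocker volume on a live system with Get-BitLockerVolume, records each recovery password protector, keeps a verbatim copy of the manage-bde protector listing, and hashes the export. It only uses Get-* cmdlets and manage-bde -protectors -get, so no protector is added, changed or removed. It has to run from an elevated PowerShell prompt; the function name and the $OutDir path are assumptions, so point $OutDir at your evidence media, never at the volume under examination.

```powershell
# Added example (not from the original post): read-only export of BitLocker
# recovery passwords from a live, mounted system. Run elevated.
# $OutDir is an assumed location on the examiner's evidence drive.
$OutDir = 'E:\Evidence\BitLocker'

function Export-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$Destination)

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    $rows = foreach ($vol in Get-BitLockerVolume) {
        # Keep a verbatim copy of the protector listing for each volume; it also
        # records TPM / external-key protector IDs that expose no readable secret.
        $tag = ($vol.MountPoint -replace '[^A-Za-z0-9]', '')
        manage-bde -protectors -get $vol.MountPoint |
            Out-File -FilePath (Join-Path $Destination "protectors-$tag-$stamp.txt")

        # Only RecoveryPassword protectors can be read back as plain text.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($recovery.Count -eq 0) {
            # Record the volume anyway: with no recovery password the GUI backup
            # would have nothing to save either, and the RAM capture is the only lead.
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus      # e.g. FullyEncrypted
                ProtectionStatus = $vol.ProtectionStatus  # On / Off
                EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes128, AesCbc128
                KeyProtectorId   = $null
                RecoveryPassword = $null
            }
            continue
        }

        foreach ($kp in $recovery) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                EncryptionMethod = $vol.EncryptionMethod
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword   # 48 digits, 8 groups of 6
            }
        }
    }

    $csv = Join-Path $Destination "bitlocker-recovery-$stamp.csv"
    $rows | Export-Csv -Path $csv -NoTypeInformation

    # Hash the export so the handling of the key material is documented.
    Get-FileHash -Path $csv -Algorithm SHA256
}

Export-BitLockerRecoveryInfo -Destination $OutDir
```

Like the Control Panel route, this asks for no password: a logged-in, elevated session on the live machine is all it needs, which is exactly why the export should happen before the system is powered down.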
When you need to perform forensics on a dead system that was using BitLocker, there are only a few options. As stated above, using tools to brute-force the key is painfully slow, to the point that it is not a viable way to gain access to the volume.
When enabling BitLocker on a volume the user is forced to make a backup of their recovery key. In my experience, most people tend to save the back-up to another drive. BitLocker does not allow the key to be stored on the same volume on which you are trying to enable BitLocker. When saving to a file, a text file is created with a name like “BitLocker Recovery Key ********-****-****-***-***********.TXT”. If you have a system where only a secondary volume is encrypted, there is a good chance you will find this file stored somewhere on the system volume. The same is true if only the system volume is encrypted and the system has a secondary unencrypted volume.
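A search for that file name is the obvious first move on the unencrypted volume, but users rename and copy the file, so it pays to search file contents as well. The following is an added example, not code from the original post: it walks the given roots (an unencrypted volume, or an image mounted read-only), flags files whose name matches the default “BitLocker Recovery Key *.txt” pattern, and additionally scans small text files for a well-formed 48-digit recovery password. It goes a step beyond the post by applying a structural check on each candidate: in a BitLocker recovery password every six-digit group is a multiple of 11 and encodes a 16-bit value (so it is below 720896), a documented property of the format that weeds out random digit runs. The function names and the $Roots paths are assumptions for this example.

```powershell
# Added example (not from the original post): hunt an unencrypted volume or a
# read-only mounted image for BitLocker recovery key files.
# $Roots is an assumed list; adjust it to the drive letters in your case.
$Roots = @('C:\', 'D:\')

# A recovery password is 48 digits in 8 groups of 6, joined by '-'.
$KeyPattern = '\b\d{6}(?:-\d{6}){7}\b'

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Structural check: each group is divisible by 11 and (group / 11) fits in
    # 16 bits. This rejects look-alike digit runs; it does not prove the key
    # belongs to any particular volume.
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-BitLockerRecoveryKeyFiles {
    param([Parameter(Mandatory)][string[]]$Paths)

    foreach ($root in $Paths) {
        $files = Get-ChildItem -Path $root -Recurse -File -Filter '*.txt' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Length -lt 1MB }

        foreach ($f in $files) {
            # Pass 1: the default name produced by "Save to a file".
            $nameHit = $f.Name -like 'BitLocker Recovery Key *.txt'

            # Pass 2: content scan. Get-Content -Raw honours the BOM, so the
            # UTF-16 files BitLocker writes are read correctly.
            $passwords = @()
            $text = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
            if ($text) {
                foreach ($m in [regex]::Matches($text, $KeyPattern)) {
                    if (Test-BitLockerRecoveryPassword $m.Value) { $passwords += $m.Value }
                }
            }

            if ($nameHit -or $passwords.Count -gt 0) {
                [pscustomobject]@{
                    Path              = $f.FullName
                    LastWriteTimeUtc  = $f.LastWriteTimeUtc
                    Sha256            = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                    DefaultName       = $nameHit
                    RecoveryPasswords = (($passwords | Select-Object -Unique) -join ';')
                }
            }
        }
    }
}

# Usage: list hits on screen and keep a CSV of them with your case notes.
$hits = Find-BitLockerRecoveryKeyFiles -Paths $Roots
$hits | Format-Table -AutoSize
$hits | Export-Csv -Path 'E:\Evidence\bitlocker-key-files.csv' -NoTypeInformation
```

Every hit is hashed and timestamped as it is found, so the same output serves both as the lead for decrypting the volume and as the record of where the key came from. A file that matches the default name but yields no valid password is still reported, since an empty or edited key file is itself worth a note.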