Difference between pages "Sanitization Standards" and "BitLocker: how to image"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (Russia, Gostechcommission management directive)
 
(Traditional Imaging)
 
Line 1: Line 1:
Here are some of the standards by country that we have been able to find regarding the disk sanitization problem:
 
  
===Australia===
+
= Imaging Options =
* [[ASCI 33]]: 5 pass wipe, 1 pass with character, 1 pass with inverse of character, repeat first two passes, 1 pass random.
+
  
===Canada===
+
There are multiple ways to image a computer with bitlocker security in place.
* [[RCMP TSSIT OPS-II]] ([http://www.rcmp-grc.gc.ca/tsb/pubs/it_sec/g2-003_e.pdf pdf]): 8 pass  wipe.
+
  
===Germany===
+
== Traditional Imaging ==
* [[VSItR]]: Verschlusssachen-IT-Richtlinien, 7 pass wipe followed by verification.
+
  
===Russia===
+
One can make a traditional image with the image containing encrypted information.
* [[GOST R 50739-95]]
+
* Gostechcommission management directive ([www.internet-law.ru/standarts/safety/gtk009.doc doc]): Two passes of random data.
+
  
===UK===
+
Options to offline decrypt the information, provided the password or recovery password is available, exists some are:
* [[BHMG Infosec Standard no.5]]: Three pass wipe followed by verification.
+
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[EnCase]] (as of version 6) with the (optional) encryption module
 +
* [[libbde]]
  
===USA===
+
The recovery password is a long series of digits broken up into 8 segments.
* [[AFSSI-5020]] ([http://jya.com/afssi5020.htm pdf]): USAF Data Sanitization Standard.
+
<pre>
* [[NIST 800-88]] ([http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf pdf]): Guidelines for Data Sanitation, Sept 2006.
+
123456-123456-123456-123456-123456-123456-13456-123456
* [[DoD Destruction]] ([http://www.simson.net/ref/2001/ASD_HD_Disposition_memo060401.pdf pdf]): Disposition of Unclassified DoD Computer Hard Drives, Assistant Secretary of Defence, June 4, 2001.
+
</pre>
* [[DoD 5200.28-STD]] ([http://security.isu.edu/pdf/d520028.pdf pdf]): Department of Defence Trusted Computer System Evaluation Criteria], December 26, 1985.
+
* [[DoD 5220.22-M]] ([http://www.simson.net/ref/2001/DoD_5220.22-M.pdf pdf]): National Industrial Security Program Operating Manual], January 1995, incorporating Change One (July 1997) and Change Two (February 2001).
+
* [[NAVSO P-5239-26]]: US Navy standards for RLL and MFM encoded drives.
+
  
===Other===
+
Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.
* [[Gutmann Wipe]] ([http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html pdf]): Secure Deletion of Data from Magnetic and Solid-State Memory by [[Peter Gutmann]]. Overwrite process using a sequence of 35 consecutive writes. First published in the Sixth USENIX Security Symposium Proceedings, San Jose, Ca, July 22-25, 1996.
+
* [[Schneier Wipe]]: Two pass of specific characters followed by five passes of Pseudo Random Data. Published by [[Bruce Schneier]] in  [http://www.schneier.com/book-applied.html Applied Cryptography], 1996
+
  
[[Category:Policy]]
+
The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into or if stored in escrow.
[[Category:Secure_deletion]]
+
 
[[Category:Anti-Forensics]]
+
The basic steps are:
 +
 
 +
# Make a "traditional" full disk image.
 +
# Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone.  (booting from a clone has not been tested at this time.)
 +
## Once booted log into the computer
 +
## Use the BitLocker control panel applet to display the password.  This can also be done from the command-line.
 +
## record the password
 +
#:
 +
# For EnCase v6 or higher with the encryption module installed
 +
## Load the image into EnCase
 +
## You will be prompted for the password.  Simply enter it and continue.
 +
## If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase.  The new image will have unencrypted data.
 +
## After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire.  Select "do not add to case".  You will be presented a dialog window to enter new information about the image.  Make sure the destination you select for your new image does not exist.
 +
 
 +
== Live Imaging ==
 +
 
 +
=== FTK Live Imaging of a physical drive ===
 +
 
 +
Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.
 +
 
 +
Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
 +
 
 +
=== FTK Live Imaging of a logical partition ===
 +
 
 +
This has not been verified to work or fail at this time.
 +
 
 +
Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
 +
 
 +
=== FTK Live Files and Folders collections ===
 +
 
 +
This was not attempted, but it seems reasonable to assume this will collect unencrypted files.
 +
 
 +
== See Also ==
 +
* [[BitLocker Disk Encryption]]
 +
* [[Defeating Whole Disk Encryption]]
 +
 
 +
[[Category:Disk encryption]]
 +
[[Category:Windows]]

Revision as of 01:03, 15 July 2013

Contents

Imaging Options

There are multiple ways to image a computer with bitlocker security in place.

Traditional Imaging

One can make a traditional image with the image containing encrypted information.

Options to offline decrypt the information, provided the password or recovery password is available, exists some are:

The recovery password is a long series of digits broken up into 8 segments.

123456-123456-123456-123456-123456-123456-13456-123456

Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.

The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into or if stored in escrow.

The basic steps are:

  1. Make a "traditional" full disk image.
  2. Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone. (booting from a clone has not been tested at this time.)
    1. Once booted log into the computer
    2. Use the BitLocker control panel applet to display the password. This can also be done from the command-line.
    3. record the password
  3. For EnCase v6 or higher with the encryption module installed
    1. Load the image into EnCase
    2. You will be prompted for the password. Simply enter it and continue.
    3. If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will have unencrypted data.
    4. After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire. Select "do not add to case". You will be presented a dialog window to enter new information about the image. Make sure the destination you select for your new image does not exist.

Live Imaging

FTK Live Imaging of a physical drive

Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.

Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.

FTK Live Imaging of a logical partition

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.

FTK Live Files and Folders collections

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

See Also