Difference between pages "Upcoming events" and "BitLocker: how to image"

From Forensics Wiki
(Difference between pages)
(Conferences)
 
(Traditional Imaging)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
 
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
 
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
 
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
= Imaging Options =
  
This listing is divided into four sections (described as follows):<br>
+
There are multiple ways to image a computer with bitlocker security in place.
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv. 
+
== Traditional Imaging ==
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
One can make a traditional image with the image containing encrypted information.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Due Date
+
! Website
+
|-
+
|International Workshop on Digital Forensics (WSDF’08) (ARES 2008)
+
|Dec 1, 2007
+
|http://www.ares-conference.eu/cfp/WSDF.pdf
+
|-
+
|ShmooCon
+
|Dec 10, 2007
+
|https://www.shmoocon.org/cfp.html
+
|-
+
|JDFSL - Special Issue on Security Issues in Online Communities
+
|Dec 31, 2007
+
|http://www.jdfsl.org/cfp-special-issue.htm
+
|-
+
|HTCIA/ASIS High Technology Crime Conference
+
|Dec 31, 2007
+
|http://htciatraining.org/papers.asp
+
|-
+
|International Association of Forensic Science Annual Meeting
+
|Jan 01, 2008
+
|http://www.iafs2008.com/abstracts/intro.asp
+
|-
+
|Usenix Annual Technical Conference
+
|Jan 07, 2008 (11:59PM PST)
+
|http://www.usenix.com/events/usenix08/cfp/
+
|-
+
|6th International Conference on Applied Cryptography and Network Security
+
|Jan 14, 2008 (11:59PM EST)
+
|http://acns2008.cs.columbia.edu/cfp.html
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Jan 15, 2008 (11:59PM EST)
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|17th USENIX Security Symposium
+
|Jan 30, 2008 (11:59 PM PST)
+
|http://www.usenix.org/sec08/cfp/
+
|-
+
|Techno-Security 2008
+
|May 04, 2008
+
|http://www.techsec.com/html/TechnoPapers.html
+
|-
+
|Digital Forensic Research Workshop (DFRWS) 2008
+
|Mar 17, 2008
+
|http://www.dfrws.org/2008/cfp.shtml
+
|-
+
|}
+
  
== Conferences ==
+
Options to offline decrypt the information, provided the password or recovery password is available, exists some are:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
|- style="background:#bfbfbf; font-weight: bold"
+
* [[EnCase]] (as of version 6) with the (optional) encryption module
! Title
+
* [[libbde]]
! Date/Location
+
! Website
+
|-
+
|DeepSec IDSC
+
|Nov 22-24, Vienna, Austria
+
|http://deepsec.net/
+
|-
+
|Digital Forensic Forum Prague 2007
+
|Nov 26-27, Prague, Czech Republic
+
|http://www.dff-prague.com/
+
|-
+
|Association of AntiVirus Asia Researchers (AVAR) International Conference
+
|Nov 28-30, Seoul, Korea
+
|http://www.aavar.org/avar2007/index.html
+
|-
+
|PacSec Applied Security Conference
+
|Nov 29-30, Tokyo, Japan
+
|http://www.pacsec.jp/index.html
+
|-
+
|5th Australian Digital Forensics Conference
+
|Dec 03, Edith Cowan University, Mount Lawley, WA, Australia
+
|http://scissec.scis.ecu.edu.au/conferences2007/index.php?cf=1
+
|-
+
|HTCIA Asia Pacific Training Conference 2007
+
|Dec 12-14, Hong Kong, China
+
|http://2007.htcia.org.hk
+
|-
+
|SANS Security 2008
+
|Jan 11-19, New Orleans, LA
+
|http://www.sans.org/security08/
+
|-
+
|DoD Cyber Crime Conference 2008
+
|Jan 13-18, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|e-Forensics 2008
+
|Jan 21-23, Adelaide, SA, Australia
+
|http://www.e-forensics.eu
+
|-
+
|4th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 27-30, Kyoto, Japan
+
|http://www.ifip119-kyoto.org/doku.php
+
|-
+
|Blackhat DC 2008 Briefings & Training
+
|Feb 12-15, Washington, DC
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|ShmooCon
+
|Feb 15-17, Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|AAFS Annual Meeting 2008
+
|Feb 18-23, Washington, DC
+
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|International Workshop on Digital Forensics (WSDF’08) in Conjunction with ARES 2008
+
|Mar 04–07, Polytechnic University of Catalonia, Barcelona, Spain
+
|http://www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=45
+
|-
+
|CanSecWest Security Conference 2008
+
|Mar 19-21, Vanouver, BC, Canada
+
|http://cansecwest.com/
+
|-
+
|Blackhat Europe 2008 Briefings & Training
+
|Mar 25-28, Amsterdam, Netherlands
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Apr 23-25, Oklahoma City, OK
+
|http://www.digitalforensics-conference.org
+
|-
+
|Microsoft Law Enforcement Tech Conference 2008
+
|Apr 28-30, Redmond, Washington
+
|-
+
|HTCIA/ASIS High Technology Crime Conference
+
|May 06-08, San Francisco, CA
+
|http://htciatraining.org/general_info.asp
+
|-
+
|EuSecWest Security Conference 2008
+
|May 21-22, London, England
+
|http://eusecwest.com/
+
|-
+
|Techno-Security 2008
+
|Jun 01-04, Myrtle Beach, SC
+
|http://www.techsec.com/html/Techno2008.html
+
|-
+
|6th International Conference on Applied Cryptography and Network Security
+
|Jun 03-06, Columbia University, New York City, NY
+
|http://acns2008.cs.columbia.edu/
+
|-
+
|Usenix Annual Technical Conference
+
|Jun 22-27, Boston, MA
+
|http://www.usenix.com/events/usenix08/
+
|-
+
|International Association of Forensic Sciences Annual Meeting
+
|Jul 21-26, New Orleans, LA
+
|http://www.iafs2008.com/
+
|-
+
|17th USENIX Security Symposium
+
|Jul 28-Aug 01, San Jose, CA
+
|http://www.usenix.org/events/sec08/
+
|-
+
|Blackhat USA 2008 Briefings & Training
+
|Aug 02-07, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|Defcon 16
+
|Aug 08-10, Las Vegas, NV
+
|http://www.defcon.org
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 11-13, Baltimore, MD
+
|http://www.dfrws.org
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
The recovery password is a long series of digits broken up into 8 segments.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
123456-123456-123456-123456-123456-123456-13456-123456
! Title
+
</pre>
! Date/Location or Venue
+
 
! Website
+
Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.
|-
+
 
|Basic Computer Examiner Course - Computer Forensic Training Online
+
The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into or if stored in escrow.
|Distance Learning Format
+
 
|http://www.cftco.com
+
The basic steps are:
|-
+
 
|Linux Data Forensics Training
+
# Make a "traditional" full disk image.
|Distance Learning Format
+
# Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone. (booting from a clone has not been tested at this time.)
|http://www.crazytrain.com/training.html
+
## Once booted log into the computer
|-
+
## Use the BitLocker control panel applet to display the password.  This can also be done from the command-line.
|SANS On-Demand Training
+
## record the password
|Distance Learning Format
+
#:
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
# For EnCase v6 or higher with the encryption module installed
|-
+
## Load the image into EnCase
|MaresWare Suite Training
+
## You will be prompted for the password. Simply enter it and continue.
|First full week every month, Atlanta, GA
+
## If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase.  The new image will have unencrypted data.
|http://www.maresware.com/maresware/training/maresware.htm
+
## After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire. Select "do not add to case". You will be presented a dialog window to enter new information about the image.  Make sure the destination you select for your new image does not exist.
|-
+
 
|Evidence Recovery for Windows Vista&trade;
+
== Live Imaging ==
|First full week every month, Brunswick, GA
+
 
|http://www.internetcrimes.net
+
=== FTK Live Imaging of a physical drive ===
|-
+
 
|Evidence Recovery for Windows Server&reg; 2003 R2
+
Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.
|Second full week every month, Brunswick, GA
+
 
|http://www.internetcrimes.net
+
Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
|-
+
 
|Evidence Recovery for the Windows XP&trade; operating system
+
=== FTK Live Imaging of a logical partition ===
|Third full week every month, Brunswick, GA
+
 
|http://www.internetcrimes.net
+
This has not been verified to work or fail at this time.
|-
+
 
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
|Third weekend of every month (Fri-Mon), Dallas, TX
+
 
|http://www.md5group.com
+
=== FTK Live Files and Folders collections ===
|-
+
 
|}
+
This was not attempted, but it seems reasonable to assume this will collect unencrypted files.
==[[Scheduled Training Courses]]==
+
 
 +
== See Also ==
 +
* [[BitLocker Disk Encryption]]
 +
* [[Defeating Whole Disk Encryption]]
 +
 
 +
[[Category:Disk encryption]]
 +
[[Category:Windows]]
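Review bot: In the added <pre> sample under "Traditional Imaging", the seventh group of the recovery password reads 13456, five digits where every other group has six, which contradicts the "8 segments" description right above it; make that group six digits. The added sentence "Options to offline decrypt the information, provided the password or recovery password is available, exists some are:" should also be split into a grammatical sentence and a list introduction. The sub-step "## record the password" starts lower-case while its siblings are capitalized.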

Revision as of 01:03, 15 July 2013

Imaging Options

There are multiple ways to image a computer with BitLocker security in place.

Traditional Imaging

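One can make a traditional image; the image will contain encrypted information.

Several options exist to decrypt the information offline, provided the password or recovery password is available. Some are:

  * dislocker (http://www.hsc.fr/ressources/outils/dislocker/)
  * EnCase (as of version 6) with the (optional) encryption module
  * libbde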

The recovery password is a long series of digits broken up into 8 segments.

    123456-123456-123456-123456-123456-123456-123456-123456

Note that the recovery password contains no white space, not even at the end; e.g. EnCase does not accept the recovery password if there is trailing white space.
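An added example, not part of the original wiki page: a Python check to run on a transcribed recovery password before entering it into a tool. Besides the 8-segment format and the white space caveat described above, it assumes two properties of BitLocker recovery passwords that this page does not state (each segment is a multiple of 11 and is below 720896); the function name and sample values are constructed for illustration.

```python
import re

GROUPS, GROUP_LEN = 8, 6   # format given on this page: 8 segments of 6 digits
MAX_GROUP = 11 * 2**16     # assumption: each segment is 11 x a 16-bit value


def check_recovery_password(raw):
    """Return (normalized, notes); normalized is None if the value is unusable."""
    notes = []
    text = raw.strip()
    if text != raw:
        # Trailing white space is what EnCase rejects, so strip and report it.
        notes.append("leading or trailing white space removed")
    if re.search(r"\s", text):
        notes.append("white space inside the password")
        return None, notes
    groups = text.split("-")
    if len(groups) != GROUPS:
        notes.append(f"expected {GROUPS} segments, found {len(groups)}")
        return None, notes
    usable = True
    for i, g in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{%d}" % GROUP_LEN, g):
            notes.append(f"segment {i} ({g!r}) is not {GROUP_LEN} digits")
            usable = False
        elif int(g) % 11 or int(g) >= MAX_GROUP:
            # Catches a single mistyped digit or two swapped adjacent digits.
            notes.append(f"segment {i} ({g}) fails the multiple-of-11/range check")
            usable = False
    return (text if usable else None), notes


# Constructed sample values, not real recovery passwords.
GOOD = "111111-222222-333333-444444-555555-666666-000110-123453"
SAMPLES = [GOOD + " \n", GOOD[:-2] + "35", GOOD.replace("000110", "00110")]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", check_recovery_password(s))
```

Recording the normalized value rather than the raw transcription avoids the trailing white space rejection when the password is later pasted into EnCase.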

The recovery password can be recovered from a BitLocker-enabled computer provided it can be logged into, or from escrow if it was stored there.

The basic steps are:

  1. Make a "traditional" full disk image.
  2. Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone. (Booting from a clone has not been tested at this time.)
    1. Once booted, log into the computer.
    2. Use the BitLocker control panel applet to display the password. This can also be done from the command-line.
    3. Record the password.
  3. For EnCase v6 or higher with the encryption module installed
    1. Load the image into EnCase
    2. You will be prompted for the password. Simply enter it and continue.
    3. If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will have unencrypted data.
    4. After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire. Select "do not add to case". You will be presented a dialog window to enter new information about the image. Make sure the destination you select for your new image does not exist.

Live Imaging

FTK Live Imaging of a physical drive

Using FTK Imager Lite, it was determined that a live image of the physical system disk resulted in an image with an encrypted BitLocker container on it.

Note that the phrase "physical" here corresponds directly with FTK Imager's use of the term in its image acquire menu.

FTK Live Imaging of a logical partition

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly with FTK Imager's use of the term in its image acquire menu.

FTK Live Files and Folders collections

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

See Also

  * BitLocker Disk Encryption
  * Defeating Whole Disk Encryption