Difference between pages "Radio Frequency (RF) Jammers" and "BitLocker: how to image"

From ForensicsWiki
Radio Frequency (RF) Jammers

== The Basics of Cell Phone Jamming ==

Cell phones work by communicating with a service network through cellular towers or base stations. Each tower serves a small area called a cell; as a cell phone user moves between the cells in an area, the signal is handed off from tower to tower.

Jamming devices exploit this by transmitting on the radio frequencies used by cellular devices. Through this concurrent transmission, the jamming device disrupts the two-way communication between the phone and the base station. This form of denial-of-service attack inhibits all cellular communication within range of the device.

== How It's Done ==

By transmitting a high-power signal on the same frequency as the cell phone, the jamming device creates a competing signal that collides with, and in effect cancels out, the cellular signal. Cell phones are designed to increase their transmit power when they encounter low levels of interference, so they react to the jamming signal by transmitting harder. Consequently, a jamming device must detect any increase in the phone's power and raise its own output to match.

Cellular telephones are full-duplex devices using two separate frequencies (one for talking, one for listening, so that all parties to a call can talk at the same time, unlike half-duplex walkie-talkies and CB radios). Removing either of these frequencies tricks the phone into thinking there is no cellular service, so the jammer need only block one of them.

The less complex jammers can block only a specific frequency group, while the more complex jammers can block several different networks at once, preventing dual- or tri-mode phones from switching to a different network with an open signal. Jammers can broadcast on any frequency and can interrupt AMPS, CDMA, TDMA, GSM, PCS, DCS, iDEN and Nextel systems. The effective range of a jammer depends on the strength of its power source and the immediate physical environment (hills or walls may block the jamming signal). Lower-powered jammers have a call-block range of about 30 feet, while higher-power units can create a cellular signal-free zone about the size of a football field. In addition, certain units used by law enforcement have been known to shut down cellular service approximately 1 mile from the jamming device.

WORK IN PROGRESS -- PLEASE CHECK BACK WEEKLY

== What's Inside a Cell Phone Jammer ==

BitLocker: how to image

= Imaging Options =

There are multiple ways to image a computer with BitLocker in place.

== Traditional Imaging ==

One can make a traditional (offline) image; the image will then contain the encrypted volume data.

Options to decrypt that data offline, provided the password or recovery password is available, include:

* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a long series of digits (48 in total) broken up into 8 segments of 6 digits each:

<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>

Note that there is no white space in the recovery password, including at the end; EnCase, for example, does not accept the recovery password if there is trailing white space.

The recovery password can be recovered from a BitLocker-enabled computer provided it can be logged into, or from escrow if it was stored there (for example in Active Directory).

The basic steps are:

# Make a "traditional" full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone (booting from a clone has not been tested at this time).
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from the command line with <code>manage-bde -protectors -get &lt;drive&gt;</code>.
## Record the password.
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Enter it and continue.
## If you prefer an unencrypted image to work with in other tools or to share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain the decrypted data.
## After adding the encrypted image to your case, right-click the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter information about the new image. Make sure the destination you select for the new image does not already exist.

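The recovery step above ends with a password copied out of a control-panel dialog or <code>manage-bde</code> output, and the note on the recovery-password format warns that a single stray blank makes EnCase reject it. The following Python is an added example (not part of the original page, and not code from EnCase, dislocker or libbde) that takes a constructed sample of <code>manage-bde -protectors -get</code> output, extracts the numerical-password protector and its ID, strips whitespace, checks the 8x6-digit layout, and applies the check that every 6-digit group is 11 times a 16-bit value (so 720885 is the largest legal group). The final conversion of the eight 16-bit values to 16 bytes in little-endian order follows the layout described in the libbde format documentation; treat that byte order as an assumption and verify it against libbde before relying on it. The sample output, GUIDs and password are made up for this example.

```python
import re
import struct

# Constructed sample modelled on `manage-bde -protectors -get C:` output.
# Not captured from a real system; GUIDs and password are invented, and the
# password line deliberately carries trailing blanks to exercise the cleanup.
SAMPLE_MANAGE_BDE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OSDisk]
All Key Protectors

    Numerical Password:
      ID: {5F3A1C2E-0B4D-4E6F-9A8B-7C6D5E4F3A2B}
      Password:
        000011-000022-000033-720885-000000-051260-483791-720885   

    TPM:
      ID: {A1B2C3D4-E5F6-4A5B-8C9D-0E1F2A3B4C5D}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11
"""

GROUPS = 8
GROUP_DIGITS = 6
GROUP_MAX = 0xFFFF * 11  # 720885: each group is 11 times a 16-bit value


def normalize_recovery_password(text: str) -> str:
    """Return the canonical 'dddddd-dddddd-...' form or raise ValueError.

    All whitespace is removed first (EnCase rejects trailing blanks), then the
    8 x 6-digit layout and the per-group divisible-by-11 rule are checked.
    """
    compact = re.sub(r"\s+", "", text)
    if "-" in compact:
        groups = compact.split("-")
    elif len(compact) == GROUPS * GROUP_DIGITS:
        groups = [compact[i:i + GROUP_DIGITS]
                  for i in range(0, len(compact), GROUP_DIGITS)]
    else:
        raise ValueError("expected 48 digits or 8 hyphen-separated groups")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    for index, group in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{%d}" % GROUP_DIGITS, group):
            raise ValueError(f"group {index} is not {GROUP_DIGITS} digits: {group!r}")
        value = int(group)
        if value % 11 != 0 or value > GROUP_MAX:
            raise ValueError(f"group {index} fails the divisible-by-11 check: {group}")
    return "-".join(groups)


def is_valid_recovery_password(text: str) -> bool:
    """True if normalize_recovery_password() accepts the text."""
    try:
        normalize_recovery_password(text)
    except ValueError:
        return False
    return True


def recovery_password_to_key(text: str) -> bytes:
    """Convert a recovery password to its 128-bit key material.

    Each group divided by 11 is a 16-bit value; packing the eight values
    little-endian follows the libbde format documentation (assumed here).
    """
    canonical = normalize_recovery_password(text)
    values = [int(group) // 11 for group in canonical.split("-")]
    return struct.pack("<8H", *values)


def extract_recovery_password(manage_bde_output: str) -> dict:
    """Pull the numerical-password protector out of manage-bde output.

    Returns {'id': protector GUID or None, 'password': canonical password}.
    Raises ValueError if no recovery password is present or it is malformed.
    """
    match = re.search(r"[0-9]{6}(?:-[0-9]{6}){7}", manage_bde_output)
    if match is None:
        raise ValueError("no numerical password protector found")
    password = normalize_recovery_password(match.group(0))
    # The protector ID is the GUID between the 'Numerical Password:' label
    # and the password itself, so search only that stretch of the output.
    head = manage_bde_output[:match.start()]
    label = head.rfind("Numerical Password")
    id_match = (re.search(r"\{[0-9A-Fa-f-]{36}\}", head[label:])
                if label != -1 else None)
    return {"id": id_match.group(0) if id_match else None,
            "password": password}


if __name__ == "__main__":
    found = extract_recovery_password(SAMPLE_MANAGE_BDE_OUTPUT)
    print(found["id"], found["password"])
    print(recovery_password_to_key(found["password"]).hex())
```

Run it against real <code>manage-bde</code> output saved to a file to get a password string that is safe to paste into EnCase or hand to dislocker; the divisible-by-11 check catches transcription errors before a decryption tool silently fails on them.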
== Live Imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image with an encrypted BitLocker container on it. This is expected: a physical-device read takes raw sectors from below the BitLocker filter driver, so the running system's unlocked state does not help.

Note that the phrase "physical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

== See Also ==

* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]

Revision as of 01:03, 15 July 2013
