
Difference between pages "Online resources" and "BitLocker Disk Encryption"

From ForensicsWiki

Online resources (edit summary: Added Sam Spade)

BitLocker Disk Encryption (edit summary: New page)
= Online resources =

Many web sites provide information that is valuable to forensic investigators. (This page will probably be broken into categories eventually.)

== WHOIS Queries ==

A WHOIS query returns the registration record for a domain name, which can identify its owner. The record is self-reported and may be stale or hidden behind a privacy service, so sometimes it is only sufficient to find the registrar for a domain, but even that is a start.

* [http://whois-search.com/ WHOIS-Search.com]

The Sam Spade web site also offers several WHOIS-related searches.

* [http://www.samspade.org/ Sam Spade]

== Sample Cases ==

One of the most difficult things for new investigators is finding sample cases to work on.

* The [http://honeynet.org/ Honeynet Project] has several [http://honeynet.org/misc/chall.html forensics challenges] online, including the "Scan of the Month", "The Reverse Challenge" and "The Forensic Challenge". The last one asked entrants to examine a complete Red Hat Linux system for information. All of these challenges include complete solutions.

== Web Page Archives ==

Web page archives let the investigator see what a web page used to look like. The most well known is the [http://www.google.com/help/features.html#cached Google cache], but here are some others:

* [http://web.archive.org The Internet Archive's Wayback Machine] produces a nicely formatted page showing how a web site looked on certain dates. For example, [http://web.archive.org/web/*/http://www.yahoo.com/ the history of yahoo.com's homepage] gives a nice history lesson. The machine records both main pages and subpages; for example, note the changes over time in [[Jesse Kornblum]]'s [http://web.archive.org/web/*/http://www.profiles.yahoo.com/jessekornblum Yahoo! profile].

= BitLocker Disk Encryption =

BitLocker Drive Encryption, introduced with [[Microsoft]]'s [[Windows Vista]], is the operating system's full volume encryption feature.

== Indicator ==

A volume protected with BitLocker does not carry the standard [[NTFS]] boot sector signature. Its first sector instead begins with <pre>EB 52 90 2D 46 56 45 2D 46 53 2D</pre> That is the three-byte x86 jump that also opens an NTFS boot sector, followed at offset 3 by the eight-byte OEM ID <pre>-FVE-FS-</pre> (FVE stands for Full Volume Encryption) in the field where an NTFS volume has <pre>NTFS    </pre> The first and third bytes (EB and 90) are not printable, so the ASCII rendering "eR -FVE-FS-" is only approximate; match on the OEM ID at offset 3 rather than on the whole string, because the jump offset byte is not a reliable discriminator. Note that this is a volume boot sector: in an image of a whole disk it sits at the first sector of the partition, not at byte 0 of the image.

== Algorithm ==

BitLocker encrypts sectors with [[AES]] in CBC mode using a 128-bit or 256-bit key, combined with Microsoft's Elephant diffuser (the Vista default is AES-128 with the diffuser; the diffuser can be disabled by Group Policy). See the links section for full details.

== External Links ==

* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
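The first-sector check from the Indicator section, worked as an added example (this is the editor's code, not code from ForensicsWiki or from Microsoft). It keys on the OEM ID at offset 3 rather than on the full 11-byte string, scans every sector-aligned offset so it also finds volume boot sectors inside a whole-disk image, and runs against a constructed four-sector image embedded in the block; the sample sectors and the `SAMPLE_IMAGE` layout are made up for the demonstration.

```python
"""Identify BitLocker and NTFS volume boot sectors by their OEM ID.

Added example for the Indicator section; not code from ForensicsWiki or
Microsoft. All sample sectors below are constructed, not real disk images.
"""
import sys

SECTOR_SIZE = 512

# The 11-byte pattern quoted on the page: x86 jump (EB 52 90) followed by the
# OEM ID "-FVE-FS-" (FVE = Full Volume Encryption).
BITLOCKER_VISTA_HEADER = bytes.fromhex("EB 52 90 2D 46 56 45 2D 46 53 2D")

BITLOCKER_OEM_ID = b"-FVE-FS-"  # bytes 3..10 of a BitLocker volume boot sector
NTFS_OEM_ID = b"NTFS    "       # bytes 3..10 of a plain NTFS boot sector


def classify_boot_sector(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs' or 'unknown' for one sector.

    The match is on the 8-byte OEM ID at offset 3, not on the whole 11-byte
    pattern: the jump at offset 0 also opens an NTFS boot sector, and its
    offset byte is not something to key a detection on.
    """
    if len(sector) < 11:
        return "unknown"
    oem_id = sector[3:11]
    if oem_id == BITLOCKER_OEM_ID:
        return "bitlocker"
    if oem_id == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"


def scan_image(data: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Find volume boot sectors in a raw disk image held in memory.

    A volume boot sector sits at the first sector of its partition, so on a
    whole-disk image it is not at byte 0; every sector-aligned offset is
    checked. Returns [(byte_offset, kind), ...] for recognised sectors.
    """
    hits = []
    for offset in range(0, len(data) - sector_size + 1, sector_size):
        kind = classify_boot_sector(data[offset:offset + sector_size])
        if kind != "unknown":
            hits.append((offset, kind))
    return hits


def scan_image_file(path: str, sector_size: int = SECTOR_SIZE) -> list:
    """Same as scan_image, but streams a raw image or block device from disk
    one sector at a time so large images are not loaded into memory."""
    hits = []
    with open(path, "rb") as fh:
        offset = 0
        while True:
            sector = fh.read(sector_size)
            if len(sector) < sector_size:
                break
            kind = classify_boot_sector(sector)
            if kind != "unknown":
                hits.append((offset, kind))
            offset += sector_size
    return hits


def _constructed_sector(header: bytes) -> bytes:
    """Build a 512-byte sample sector: header, zero padding and the 0x55AA
    boot signature at offset 510 (constructed test data only)."""
    return header + b"\x00" * (SECTOR_SIZE - 2 - len(header)) + b"\x55\xAA"


# Constructed four-sector "disk image": a zeroed stand-in for the MBR, an NTFS
# volume at sector 1, an empty sector, and a BitLocker volume at sector 3.
SAMPLE_IMAGE = (
    b"\x00" * SECTOR_SIZE
    + _constructed_sector(b"\xEB\x52\x90" + NTFS_OEM_ID)
    + b"\x00" * SECTOR_SIZE
    + _constructed_sector(BITLOCKER_VISTA_HEADER)
)


if __name__ == "__main__":
    # With a path argument, scan that raw image; otherwise scan the sample.
    hits = scan_image_file(sys.argv[1]) if len(sys.argv) > 1 else scan_image(SAMPLE_IMAGE)
    for offset, kind in hits:
        print(f"sector {offset // SECTOR_SIZE} (byte offset {offset}): {kind}")
```

Run without arguments to scan the constructed image; pass the path of a raw image or block device to scan that instead. Only the volume header is inspected, so a hit tells you a BitLocker volume is present, not which protectors (TPM, PIN, recovery password) guard it or which cipher options it uses.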

The BitLocker Disk Encryption text shown above is the revision as of 16:39, 24 February 2007.