Difference between pages "Online resources" and "BitLocker Disk Encryption"

From ForensicsWiki
(Added Sam Spade)
 
(New page: BitLocker, introduced with Microsoft's Windows Vista, is a program for full volume encryption. == Indicator == Drives protected with BitLocker will have a different signature t...)
Online resources (left page):

There are lots of web sites that can provide valuable information for forensic investigators. (This page will probably be broken into categories eventually...)

== WHOIS Queries ==

The WHOIS service can be used to find the owner of a domain. Sometimes this is only sufficient to find the registrar for a domain, but even that is a start.

* [http://whois-search.com/ WHOIS-Search.com]

The Sam Spade web site also offers several WHOIS-related searches.

* [http://www.samspade.org/ Sam Spade]

== Sample Cases ==

One of the most difficult things for new investigators is finding sample cases to work on.

* The [http://honeynet.org/ HoneyNet Project] has several [http://honeynet.org/misc/chall.html forensics challenges] online. These include the "Scan of the Month", "The Reverse Challenge," and "The Forensic Challenge." The last one asked entrants to examine a complete Red Hat Linux system for information. All of these challenges include complete solutions.

== Web Page Archives ==

Web page archives can give the investigator a look at what a web page used to look like. The best known is the [http://www.google.com/help/features.html#cached Google cache], but here are some others:

* [http://web.archive.org The Internet Archive's WayBack Machine] can produce a nicely formatted page showing how a web site looked on certain dates. For example, [http://web.archive.org/web/*/http://www.yahoo.com/ the history of yahoo.com's homepage] gives a nice history lesson. The machine records both main pages and subpages. For example, note the changes over time in [[Jesse Kornblum]]'s [http://web.archive.org/web/*/http://www.profiles.yahoo.com/jessekornblum Yahoo! profile].

BitLocker Disk Encryption (right page):

BitLocker, introduced with [[Microsoft]]'s [[Windows Vista]], is a program for full volume encryption.

== Indicator ==

Drives protected with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, their first sector begins with <pre>EB 52 90 2D 46 56 45 2D 46 53 2D</pre>, or, in ASCII, <pre>eR -FVE-FS-</pre>

== Algorithm ==

The program uses either 128- or 256-bit [[AES]] with the Elephant diffuser. See the links section for full details.

== External Links ==

* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
Revision as of 12:39, 24 February 2007

BitLocker, introduced with Microsoft's Windows Vista, is a program for full volume encryption.

Indicator

Drives protected with BitLocker will have a different signature than the standard NTFS header. Instead, their first sector begins with
EB 52 90 2D 46 56 45 2D 46 53 2D
or, in ASCII,
eR -FVE-FS-
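As an added example (not code from the ForensicsWiki page), the following Python triage routine applies this indicator to a raw disk image: it walks the MBR partition table and labels each partition's first sector as BitLocker, plain NTFS or unknown. The NTFS OEM ID, the MBR partition-table layout and the sample image are general knowledge and constructed test data, not taken from the page.

```python
import io
import struct

SECTOR = 512
# First 11 bytes of a BitLocker-protected volume, as given on this page:
# short jump (EB 52), NOP (90), then the ASCII tag "-FVE-FS-".
BITLOCKER_SIG = bytes.fromhex("EB 52 90 2D 46 56 45 2D 46 53 2D")
# OEM ID at offset 3 of a plain NTFS boot sector (general knowledge, not from the page).
NTFS_OEM_ID = b"NTFS    "


def classify_boot_sector(sector: bytes) -> str:
    """Label a volume's first sector as 'bitlocker', 'ntfs' or 'unknown'."""
    if sector.startswith(BITLOCKER_SIG):
        return "bitlocker"
    if sector[3:11] == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"


def mbr_partition_offsets(mbr: bytes) -> dict:
    """Map each used MBR slot (1-4) to the byte offset of its first sector."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA MBR boot signature")
    offsets = {}
    for slot in range(4):
        entry = mbr[0x1BE + 16 * slot:0x1BE + 16 * (slot + 1)]
        ptype, (lba_start,) = entry[4], struct.unpack_from("<I", entry, 8)
        if ptype and lba_start:  # skip empty slots
            offsets[slot + 1] = lba_start * SECTOR
    return offsets


def triage_image(img) -> dict:
    """Read only the MBR and each partition's first sector from a raw image."""
    img.seek(0)
    results = {}
    for slot, off in mbr_partition_offsets(img.read(SECTOR)).items():
        img.seek(off)
        results[slot] = classify_boot_sector(img.read(SECTOR))
    return results


def build_sample_image() -> io.BytesIO:
    """Constructed image: slot 1 (LBA 2048) BitLocker, slot 2 (LBA 4096) NTFS."""
    img = bytearray(4097 * SECTOR)
    for slot, lba in enumerate((2048, 4096)):
        img[0x1BE + 16 * slot + 4] = 0x07  # partition type: NTFS/exFAT
        struct.pack_into("<II", img, 0x1BE + 16 * slot + 8, lba, 2048)  # start LBA, length
    img[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2048 * SECTOR + 11] = BITLOCKER_SIG
    img[4096 * SECTOR:4096 * SECTOR + 11] = b"\xebR\x90" + NTFS_OEM_ID
    return io.BytesIO(bytes(img))
```

On a real acquisition, pass an open image file (`open(path, "rb")`) to `triage_image`; only the MBR and one sector per partition are read, so it works on multi-gigabyte images without loading them into memory.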

Algorithm

The program uses either 128- or 256-bit AES with the Elephant diffuser. See the links section for full details.

External Links