Difference between pages "Online resources" and "BitLocker Disk Encryption"

Latest revision as of 07:41, 21 April 2007 (view source) Jessek (Talk | contribs) (Added Sam Spade)		Revision as of 11:39, 24 February 2007 (view source) Jessek (Talk | contribs) (New page: BitLocker, introduced with Microsoft's Windows Vista, is a program for full volume encryption. == Indicator == Drives protected with BitLocker will have a different signature t...)
Line 1:		Line 1:
−	There are lots of web sites that can provide valuable information for forensic investigators. (This page will probably be broken into categories eventually...)	+	BitLocker, introduced with [[Microsoft]]'s [[Windows Vista]], is a program for full volume encryption.
−	== WHOIS Queries ==	+	== Indicator ==
−	The WHOIS Service can be used to find the owner of a domain. Sometimes this is only sufficient to find the registrar for a domain, but even that is a start.	+	Drives protected with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their first sector, they have <pre>EB 52 90 2D 46 56 45 2D 46 53 2D</pre>, or, in ASCII, <pre>eR -FVE-FS-</pre>
−	* [http://whois-search.com/ WHOIS-Search.com]	+	== Algorithm ==
−	The SamSpade web site also offers several WHOIS related searches	+	The program uses either 128 or 256 [[AES]] with an elephant diffuser. See the links section for full details.
−	* [http://www.samspade.org/ Sam Spade]	+	== External Links ==
−	== Sample Cases ==	+	* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
−		+	* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
−	One of the most difficult things for new investigators is finding sample cases to work on.	+	* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
−		+	* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
−	* The [http://honeynet.org/ HoneyNet Project] has several [http://honeynet.org/misc/chall.html forensics challenges] online. These include the "Scan of Month", "The Reverse Challenge," and "The Forensic Challenge." The last one asked entrants to examine a complete RedHat Linux system for information. All of these challenges include complete solutions.	+	* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
−		+
−	== Web Page Archives ==	+
−		+
−	Web page archives can give the investigator a look at what a web page used to look like. The most well known is the [http://www.google.com/help/features.html#cached Google cache], but here are some others:	+
−		+
−	* [http://web.archive.org The Internet Archive's WayBack Machine] can produce a nicely formatted page showing how a web site looked on certain dates. For example, [http://web.archive.org/web/*/http://www.yahoo.com/ the history of yahoo.com's homepage] gives a nice history lesson. The machine records both main pages and subpages. For example, note the changes in time between [[Jesse Kornblum]]'s [http://web.archive.org/web/*/http://www.profiles.yahoo.com/jessekornblum Yahoo! profile].	+

---

Revision as of 11:39, 24 February 2007

BitLocker, introduced with Microsoft's Windows Vista, is a program for full volume encryption.

Indicator

Drives protected with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their first sector, they have

EB 52 90 2D 46 56 45 2D 46 53 2D

, or, in ASCII,

eR -FVE-FS-

Algorithm

The program uses either 128 or 256 AES with an elephant diffuser. See the links section for full details.

External Links

• Wikipedia entry on BitLocker
• Microsoft's Step by Step Guide
• Microsoft Technical Overview
• Microsoft FAQ
• Microsoft Description of the Encryption Algorithm