BitLocker Disk Encryption

From Forensics Wiki

'''BitLocker Disk Encryption''' is a [[Microsoft]] [[Full Volume Encryption]] solution first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows 7]] along with a system for encrypting [[USB]] devices called [[BitLocker To Go]].

== Indicator ==

Drives protected with BitLocker have a different signature from the standard [[NTFS]] header. Instead, their first sector begins with <tt>EB 52 90 2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>eR -FVE-FS-</tt>.

The actual data on a drive is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used for that encryption, the Full Volume Encryption Key (FVEK), is stored in the BitLocker metadata on the protected volume. The FVEK is itself encrypted with another key, the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata, and each copy is in turn encrypted with another key. The nature of those keys and the algorithm used depend on how the system is configured.
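As an added example (not part of this wiki page), the following Python applies the first-sector signature described above to each primary partition of a raw MBR disk image and reports whether the volume is BitLocker-protected, plaintext NTFS, or something else. The MBR partition-table layout and the NTFS OEM ID <tt>NTFS    </tt> are assumptions not stated on this page, and the sample image is constructed inline.

```python
import struct

SECTOR = 512
# First 11 bytes of a BitLocker-protected volume, as given on this page:
# a jump instruction (EB 52 90) followed by the OEM ID "-FVE-FS-".
BITLOCKER_SIGNATURE = bytes.fromhex("EB52902D4656452D46532D")
NTFS_OEM_ID = b"NTFS    "  # OEM ID of a plaintext NTFS volume, at the same offset 3 (assumed)

def classify_boot_sector(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs' or 'unknown' for the first sector of a volume."""
    if len(sector) < 11:
        return "unknown"
    if sector[:11] == BITLOCKER_SIGNATURE:
        return "bitlocker"
    if sector[3:11] == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"

def mbr_partitions(mbr: bytes) -> list:
    """Return (type, start_lba) for each in-use primary entry of an MBR sector."""
    parts = []
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return parts  # no valid MBR boot signature, nothing to walk
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype, start_lba = entry[4], struct.unpack("<I", entry[8:12])[0]
        if ptype != 0 and start_lba != 0:
            parts.append((ptype, start_lba))
    return parts

def scan_disk_image(image: bytes) -> dict:
    """Map each partition's start LBA to the classification of its first sector."""
    result = {}
    for _ptype, lba in mbr_partitions(image[:SECTOR]):
        off = lba * SECTOR
        result[lba] = classify_boot_sector(image[off:off + SECTOR])
    return result

def build_sample_image() -> bytes:
    """Constructed image: an NTFS volume at LBA 1 and a BitLocker volume at LBA 2."""
    def entry(ptype, start, count):
        return bytes(4) + bytes([ptype]) + bytes(3) + struct.pack("<II", start, count)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x07, 1, 1)
    mbr[462:478] = entry(0x07, 2, 1)
    mbr[510:512] = b"\x55\xaa"
    ntfs = (b"\xeb\x52\x90" + NTFS_OEM_ID).ljust(SECTOR, b"\0")
    bitlocker = BITLOCKER_SIGNATURE.ljust(SECTOR, b"\0")
    return bytes(mbr) + ntfs + bitlocker
```

On a real image, pass the bytes of the disk dump to <tt>scan_disk_image</tt>; a result of <tt>bitlocker</tt> for a partition means the volume cannot be parsed as NTFS until the FVEK is recovered.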

== Algorithm ==

The program uses either 128-bit or 256-bit [[AES]] with an Elephant diffuser. See the links section for full details.

== Recovery Keys ==

== See Also ==

* [[FreeOTFE]]
* [[BitLocker To Go]]
* [[Defeating Whole Disk Encryption]]

== External Links ==

* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]

[[Category:Disk encryption]]
[[Category:Windows]]

Revision as of 05:40, 14 August 2009