BitLocker Disk Encryption

From ForensicsWiki

'''BitLocker Disk Encryption''' (BDE) is a [[Microsoft]] [[Full Volume Encryption]] solution first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called [[BitLocker To Go]].
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
Volumes encrypted with BitLocker To Go are hybrid encrypted volumes: part of the volume is unencrypted and contains the applications used to unlock it, and the rest of the volume is encrypted. These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
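As an added illustration (this code is not from the article), a small Python check that reads only the first sector of a raw volume image and looks for the <tt>-FVE-FS-</tt> signature described above. It assumes the signature occupies the 8-byte OEM ID field at offset 3, where a plain NTFS volume carries <tt>NTFS    </tt>, and falls back to scanning the whole sector; the sample sectors are constructed inline.

```python
import sys

BDE_SIGNATURE = bytes.fromhex("2D 46 56 45 2D 46 53 2D")   # "-FVE-FS-"
NTFS_SIGNATURE = b"NTFS    "                               # OEM ID of a plain NTFS volume
SECTOR = 512


def identify_first_sector(sector: bytes) -> str:
    """Classify a volume from its first sector.

    Assumption (not stated in the article): the BitLocker signature sits in
    the 8-byte OEM ID field at offset 3, the same place NTFS keeps "NTFS    ".
    A scan of the whole sector is kept as a fallback."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte first sector")
    oem_id = sector[3:11]
    if oem_id == BDE_SIGNATURE:
        return "bitlocker"
    if oem_id == NTFS_SIGNATURE:
        return "ntfs"
    if BDE_SIGNATURE in sector:
        return "bitlocker (signature not at offset 3)"
    return "unknown"


def identify_image(path: str) -> str:
    """Read just the first sector of a raw image and classify it."""
    with open(path, "rb") as fh:
        return identify_first_sector(fh.read(SECTOR))


def make_sector(oem_id: bytes) -> bytes:
    """Constructed sample sector: x86 jump stub, OEM ID, zero fill, boot marker."""
    body = b"\xEB\x58\x90" + oem_id
    return body + b"\x00" * (SECTOR - len(body) - 2) + b"\x55\xAA"


if __name__ == "__main__":
    for image in sys.argv[1:]:
        print(f"{image}: {identify_image(image)}")
```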
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also known as the key-protector key. Some of the key-protectors are:
* TPM (Trusted Platform Module)
* recovery password
* start-up key
* clear key; this key-protector provides no protection
* user password

BitLocker has support for partially encrypted volumes.
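To make the key layering above concrete, here is an added Python model written for this article (it is not BitLocker's real metadata format, and the <tt>wrap</tt>/<tt>unwrap</tt> functions are a stand-in built from SHA-256 and HMAC rather than the AES-CCM wrapping BitLocker actually uses). It shows one FVEK wrapped by the VMK and one wrapped VMK copy per key protector, so that any single protector recovers the data key, and why a clear key stored in the metadata itself provides no protection.

```python
import hashlib
import hmac
import os

TAG_LEN = 32


def _keystream(key: bytes, n: int) -> bytes:
    """SHA-256 counter keystream: stand-in for AES, used only to model wrapping."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def wrap(kek: bytes, payload: bytes) -> bytes:
    """Encrypt payload under kek and append an HMAC tag (models key wrapping)."""
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(kek, len(payload))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag and decrypt; a wrong key-protector key is rejected here."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        raise ValueError("key-protector key does not unlock this VMK copy")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))


def build_metadata(protector_keys: dict, clear_key: bool = False):
    """Model the metadata: FVEK wrapped by the VMK, one wrapped VMK copy per
    key protector (TPM, recovery password, start-up key, user password).
    With clear_key=True the key wrapping one VMK copy is itself stored in the
    metadata, which is why that protector provides no protection."""
    fvek = os.urandom(32)            # 256-bit data key, generated for the model
    vmk = os.urandom(32)
    meta = {"fvek": wrap(vmk, fvek), "vmk_copies": {}, "clear_key": None}
    for name, kpk in protector_keys.items():
        meta["vmk_copies"][name] = wrap(kpk, vmk)
    if clear_key:
        ck = os.urandom(32)
        meta["vmk_copies"]["clear key"] = wrap(ck, vmk)
        meta["clear_key"] = ck       # stored in the clear next to the copy it unlocks
    return meta, fvek


def unlock_fvek(meta: dict, protector: str, kpk: bytes = None) -> bytes:
    """Recover the FVEK through any one key protector."""
    if protector == "clear key":
        kpk = meta["clear_key"]      # no secret from the user or a TPM is needed
    vmk = unwrap(kpk, meta["vmk_copies"][protector])
    return unwrap(vmk, meta["fvek"])
```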
== See Also ==
* [[BitLocker To Go]]
* [[Defeating Whole Disk Encryption]]
== External Links ==
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
* [http://code.google.com/p/libbde/ Project to read BitLocker encrypted volumes]
[[Category:Disk encryption]]
[[Category:Windows]]

First Responder's Evidence Disk

Revision as of 06:34, 2 March 2007

The First Responder's Evidence Disk, or FRED, is a script-based incident response tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the IRCR program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.

== Usage ==

The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
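As an added example in the spirit of the FRED batch file (this is not Kornblum's script, which was a Windows batch file; the tool list, labels and the temporary "media" directory are constructed for the demo), a Python collector that refuses to run any tool whose hash does not match a manifest kept on the responder's media, runs the rest with their working directory on that media, and appends everything to an audit file there for later analysis on the safe system.

```python
import hashlib
import subprocess
import sys
import tempfile
import time
from pathlib import Path


def sha256_file(path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def run_fred(media: Path, tools: list, manifest: dict) -> Path:
    """Run each (label, argv) pair in `tools` and append its output to
    media/audit.txt. A tool whose binary hash is missing from `manifest` or
    differs from it is logged as skipped, so only known-good tools ever run.
    cwd is the media, so any scratch files land there rather than on the victim."""
    audit = media / "audit.txt"
    stamp = lambda: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with audit.open("a", encoding="utf-8") as out:
        out.write(f"# audit started {stamp()}\n")
        for label, argv in tools:
            actual = sha256_file(argv[0])
            if manifest.get(argv[0]) != actual:
                out.write(f"## {label}: SKIPPED, {argv[0]} hash {actual} not in manifest\n")
                continue
            out.write(f"## {label}: {' '.join(argv)}\n")
            res = subprocess.run(argv, capture_output=True, text=True, cwd=media)
            out.write(res.stdout)
            if res.returncode != 0:
                out.write(f"## exit status {res.returncode}\n{res.stderr}")
        out.write(f"# audit finished {stamp()}\n")
    return audit


def demo() -> str:
    """Constructed demo: the Python interpreter stands in for the known-good
    tools and a temporary directory stands in for the removable media."""
    media = Path(tempfile.mkdtemp(prefix="fred-media-"))
    py = sys.executable
    manifest = {py: sha256_file(py)}
    tools = [
        ("process list (stand-in)", [py, "-c", "print('pid 1 init')"]),
        ("failing tool", [py, "-c", "import sys; sys.exit(3)"]),
    ]
    audit = run_fred(media, tools, manifest)
    # Second pass with a tampered manifest entry: the tool must be skipped, not run.
    run_fred(media, [("tampered", [py, "-c", "print('must not appear')"])], {py: "0" * 64})
    return audit.read_text(encoding="utf-8")
```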

== History ==

FRED was developed by Jesse Kornblum for the Air Force Office of Special Investigations starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the DFRWS Conference. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, Preservation of Fragile Digital Evidence by First Responders, that included the FRED script.

A version of the FRED script was later incorporated into the Helix disk.

There was a proposal for a program to process the audit files into HTML, but this never came to fruition.

Since 2004 FRED has been maintained by the Air Force Computer Emergency Response Team and is not publicly available.

== Trivia ==

The desire for a recursive MD5 program for FRED inspired the development of md5deep.

== See Also ==

* IRCR
* COFEE