BitLocker Disk Encryption
BitLocker Disk Encryption is a Microsoft Full Volume Encryption solution first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting USB devices called BitLocker To Go.
Drives protected with BitLocker do not carry the standard NTFS signature in their boot sector. Instead, the first sector begins with the bytes EB 52 90 2D 46 56 45 2D 46 53 2D: the first three bytes (EB 52 90) are the same jump instruction an NTFS boot sector starts with, and the eight bytes that follow, -FVE-FS- in ASCII, take the place of the NTFS OEM ID.
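The following is an added example (not code from ForensicsWiki) that applies the signature check above to a boot sector: it compares the jump bytes and the OEM ID to tell a BitLocker-protected volume from a plain NTFS one. The sample sectors are constructed inline; `classify_image` is a hypothetical helper for reading the first sector of a disk image file.

```python
# Identify a BitLocker (FVE) volume from its first sector.
# Added example, not ForensicsWiki code; sample sectors are constructed below.

JUMP = b"\xEB\x52\x90"        # x86 short jump shared by NTFS and BitLocker boot sectors
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID (offset 3, 8 bytes) on a BitLocker-protected volume
NTFS_OEM = b"NTFS    "        # OEM ID on an unencrypted NTFS volume


def classify_boot_sector(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs' or 'unknown' from the first 11 bytes of a sector."""
    if len(sector) < 11:
        raise ValueError("need at least 11 bytes of the boot sector")
    if sector[:3] != JUMP:
        return "unknown"
    oem = sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def classify_image(path: str) -> str:
    """Hypothetical helper: read the first 512-byte sector of a raw image and classify it."""
    with open(path, "rb") as fh:
        return classify_boot_sector(fh.read(512))


def make_sector(oem: bytes) -> bytes:
    """Constructed 512-byte sample sector: jump instruction + OEM ID + zero padding."""
    return (JUMP + oem).ljust(512, b"\x00")


if __name__ == "__main__":
    for label, oem in (("BitLocker", BITLOCKER_OEM), ("NTFS", NTFS_OEM)):
        sec = make_sector(oem)
        print(f"{label:9s} first 11 bytes: {sec[:11].hex(' ').upper()} -> {classify_boot_sector(sec)}")
```

On a real image the same check is a quick triage step before any attempt to locate the FVE metadata described below.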
The actual data on a drive is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do that encryption, the Full Volume Encryption Key (FVEK), is stored in the BitLocker metadata on the protected volume. The FVEK is encrypted using another key, the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key. The nature of those keys and the algorithm used depends on how the system is configured.
- Jesse D. Kornblum, Implementing BitLocker for Forensic Analysis, Digital Investigation, 2009
- Wikipedia entry on BitLocker
- Microsoft's Step by Step Guide
- Microsoft Technical Overview
- Microsoft FAQ
- Microsoft Description of the Encryption Algorithm
- Cold Boot Attacks, Full Disk Encryption, and BitLocker