Difference between pages "Network forensics" and "BitLocker Disk Encryption"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Deep-Analysis Systems)
 
(BitLocker)
 
Line 1: Line 1:
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
There are both open source and proprietary network forensics systems available.
+
== BitLocker ==
 +
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
== Overview ==
+
BitLocker has support for partial encrypted volumes.
  
<!--
+
== How to detect ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.
  
  PLEASE DO NOT ADD ENTRIES THAT DO NOT HAVE AN ARTICLE.
+
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
  
   Please keep these in alphabetical order.
+
A hexdump of the start of the volume should look similar to:
 +
<pre>
 +
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
 +
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
 +
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
 +
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|
 +
</pre>
  
  When updating any table, please update all tables as appropriate.
+
These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.
  
-->
+
<pre>
 +
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
 +
</pre>
  
{| class="wikitable sortable" style="width: auto; font-size: smaller"
+
== BitLocker To Go ==
|-
+
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
! System
+
! [[software license|License]]
+
! User Interface
+
! Supported Platform
+
! Supported Protocols
+
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
+
|
+
|
+
|-
+
| [[Argus]]
+
| [[Open Source]]
+
| Command Line, GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
|
+
|
+
|-
+
| [[Chaosreader]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Solaris, RedHat, Windows
+
| FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs
+
|
+
|
+
|-
+
| [[DataEcho]]
+
| [[Open Source]]
+
| GUI
+
| Windows
+
| www, http
+
|
+
|
+
|-
+
| [[Junkie]]
+
| [[Open Source]]
+
| GUI
+
| unknown
+
| unknown
+
|
+
|
+
|-
+
| [[kisMAC]]
+
| [[Open Source]]
+
| GUI
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
|
+
|
+
|-
+
| [[kismet]]
+
| [[Open Source]]
+
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X
+
| unknown
+
|
+
|-
+
| [[n2disk]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Ubuntu, CentOS
+
| unknown
+
|
+
|
+
|-
+
| [[net-sniff-ng]]
+
| [[Open Source]]
+
| unknown
+
| unknown
+
| unknown
+
|
+
|
+
|-
+
| [[netfse]]
+
| [[Open Source]]
+
| GUI
+
| unknown
+
| TCP/IP, UDP
+
|
+
|
+
|-
+
| [[netsleuth]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Windows, [[Backtrack]]
+
| Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
+
|
+
|
+
|-
+
| [[NetworkMiner]]
+
| [[Open Source]]
+
| Windows GUI, Commandline
+
| Linux / Mac OS X / FreeBSD, Windows
+
| http, smb, ftp, tfpt, ssl , tls, tor
+
|
+
|
+
|-
+
| [[ntop]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows
+
| DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
+
|
+
|
+
|
+
|-
+
| [[OSSEC]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Windows 7, XP, 2000 and Vista Windows Server 2003 and 2008 VMWare ESX 3.0,3.5 (including CIS checks) FreeBSD (all versions) OpenBSD (all versions) NetBSD (all versions) Solaris 2.7, 2.8, 2.9 and 10 AIX 5.3 and 6.1 HP-UX 10, 11, 11i MacOSX 10 remote syslog: Cisco PIX, ASA and FWSM (all versions) Cisco IOS routers (all versions) Juniper Netscreen (all versions) SonicWall firewall (all versions) Checkpoint firewall (all versions) Cisco IOS IDS/IPS module (all versions) Sourcefire (Snort) IDS/IPS (all versions) Dragon NIDS (all versions) Checkpoint Smart Defense (all versions) McAfee VirusScan Enterprise (v8 and v8.5) Bluecoat proxy (all versions) Cisco VPN concentrators (all versions) Database monitoring is available for the following systems: MySQL (all versions) PostgreSQL (all versions) Oracle, MSSQL (to be available soon)"
+
| Unknown
+
|
+
|
+
|-
+
| [[Snort]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Linux, Windows
+
| Unknown
+
|
+
|
+
|-
+
| [[Wireshark]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others
+
| IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2; Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys, and others
+
|
+
|
+
|-
+
| [[xplico]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Linux
+
| ARP Radiotap Ethernet PPP VLAN L2TP IPv4 IPv6 TCP UDP DNS HTTP SMTP POP IMAP SIP MGCP H323 RTP RTCP SDP FB chat FTP IPP CHDLC PJL NNTP MSN IRC YAHOO GTALK EMULE SSL/TLS IPsec 802.11 LLC MMSE Linux cooked TFTP SNOOP PPPoE Telnet WebMail Paltalk Exp. Paltalk NetBIOS SMB PPI syslog G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio).
+
| Unknown
+
|
+
|
+
|- class="sortbottom"
+
! System
+
! [[software license|License]]
+
! User Interface
+
! Supported Platform
+
! Supported Protocols
+
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
+
|}
+
  
== Open Source Network Forensics ==
+
== manage-bde ==
* [[Argus]]
+
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
* [[Bulk Extractor]] [https://github.com/simsong/bulk_extractor]
+
<pre>
* [[Chaosreader]] is a session reconstruction tool (supports both live or captured network traffic)
+
manage-bde.exe -status
* [[DataEcho]]
+
</pre>
* [[FlowGREP]] is a basic IDS/IPS tool written in python [http://www.monkey.org/~jose/software/flowgrep/]
+
* [[KisMAC]] is a free, open source wireless stumbling and security tool for Mac OS X. [http://kismac-ng.org]
+
* [[Kismet]]
+
* [[logstash]] is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs. [http://logstash.net/]
+
  
* [[log2Timeline]] a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts. [https://code.google.com/p/log2timeline/]
+
To obtain the recovery password for volume C:
* [[NetFSE]] is a web-based search and analysis application for high-volume network data [http://www.netfse.org available at NetFSE.org]
+
<pre>
* [http://www.netgrab.co.uk NetSleuth] is a live and retrospective network analysis and triage tool.
+
manage-bde.exe -protectors -get C: -Type recoverypassword
* [[ntop]]
+
</pre>
* [[NetGREP]] is a command line tool which tells you which lines in a text file contain network resources related to a particular country or Autonomous Network (AS) [https://pypi.python.org/pypi/netgrep/]
+
* [[NetworkMiner]] is [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner an open source Network Forensics Tool available at SourceForge]
+
* [[OSSEC]]
+
* [[Plaso]] (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines [http://plaso.kiddaland.net/]
+
  
* [[RegRipper]] is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis [http://regripper.wordpress.com/]
+
Or just obtain the all “protectors” for volume C:
* [[Snort]]
+
<pre>
* [[Wireshark]]
+
manage-bde.exe -protectors -get C:
* [[Xplico]] is an Internet/IP Traffic Decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
+
</pre>
  
== Commercial Network Forensics ==
+
== See Also ==
 +
* [[BitLocker:_how_to_image|BitLocker: How to image]]
 +
* [[Defeating Whole Disk Encryption]]
  
===Deep-Analysis Systems===
+
== External Links ==
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
+
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
+
* [http://www.infowatch.com InfoWatch Traffic Monitor]
+
* Mera Systems [http://netbeholder.com/ NetBeholder]
+
* MFI Soft [http://sormovich.ru/ SORMovich] (in Russian)
+
* Solera Networks - Provider of full packet capture network forensics appliances [http://www.soleranetworks.com/ Solera Networks]
+
* NETRESEC [http://www.netresec.com/?page=NetworkMiner NetworkMiner Professional (portable network forensic analysis tool for Windows)]
+
* NetWitness Corporation - Freeware/Commercial, Enterprise-Wide, Real-Time Network Forensics [http://www.netwitness.com/ NetWitness]
+
* Network Instruments [http://www.networkinstruments.com/]
+
* NIKSUN's [[NetDetector]]
+
* PacketMotion [http://www.packetmotion.com/]
+
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
+
* WildPackets [[OmniPeek]] [http://www.wildpackets.com/solutions/it_solutions/network_forensics] [http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer/forensics_search]
+
* Xplico [[Xplico]]
+
  
===Flow-Based Systems===
+
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* Arbor Networks
+
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
* GraniteEdge Networks
+
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
* Lancope http://www.lancope.com/
+
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
* Mantaro Product Development Services http://www.mantaro.com/products/MNIS/index.htm
+
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* Mazu Networks http://www.mazunetworks.com/
+
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
  
===Hybrid Systems===
+
== Tools ==
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
+
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* Q1 Labs  http://www.q1labs.com/
+
* [[libbde]]
  
== Tips and Tricks ==
+
[[Category:Disk encryption]]
 
+
[[Category:Windows]]
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
+
 
+
== See also ==
+
* [[Wireless forensics]]
+
* [[SSL forensics]]
+
 
+
* [[IP geolocation]]
+
* [[Tools:Network Forensics]]
+
* [[Tools:Logfile Analysis]]
+
 
+
[[Category:Network Forensics]]
+

Revision as of 14:28, 23 December 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

BitLocker

BitLocker encrypts data with either 128-bit or 256-bit AES and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

How to detect

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header.

A BitLocker encrypted volume starts with the "-FVE-FS-" signature.

A hexdump of the start of the volume should look similar to:

00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|

These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.

000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools