Difference between pages "Linux Unified Key Setup (LUKS)" and "BitLocker Disk Encryption"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(How to detect)
 
(BitLocker)
 
Line 1: Line 1:
{{expand}}
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.
+
== BitLocker ==
 +
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
LUKS supports various encryption methods, like:
+
BitLocker has support for partial encrypted volumes.
* [[AES]]
+
* [[Anubis]]
+
* [[Blowfish|BlowFish]]
+
* [[Cast5]]
+
* [[Cast6]]
+
* [[Serpent]]
+
* Tnepres a reversed variant of [[Serpent]]
+
* [[Twofish|TwoFish]]
+
 
+
These encryption methods can be used in various chaining modes and with various initialization vector modes.
+
  
 
== How to detect ==
 
== How to detect ==
A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.
+
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.
 +
 
 +
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
  
 
A hexdump of the start of the volume should look similar to:
 
A hexdump of the start of the volume should look similar to:
 
<pre>
 
<pre>
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
+
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 00 00 00 00 63 62 63 2d 65 73 73 69 |........cbc-essi|
+
00000020 00 00 00 00 e0 1f 00 00 00 00 00 00 00 00 00 00  |................|
00000030  76 3a 73 68 61 32 35 36 00 00 00 00 00 00 00 00  |v:sha256........|
+
00000030  01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00 72 69 70 65 6d 64 31 36 |........ripemd16|
+
00000040  80 00 29 00 00 00 00 4e 4f 20 4e 41 4d 45 20 20 |..)....NO NAME  |
00000050  30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |0...............|
+
00000050  20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 | FAT32  3.....|
 
</pre>
 
</pre>
  
The encryption method in the example is:
+
These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.
 +
 
 
<pre>
 
<pre>
aes
+
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
 
</pre>
 
</pre>
  
The encryption mode is in the format:
+
== BitLocker To Go ==
 +
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
 +
 
 +
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 
<pre>
 
<pre>
chaining_mode[-initialization_vector_mode[:initialization_vector_options]]
+
manage-bde.exe -status
 
</pre>
 
</pre>
  
Which in the example is:
+
To obtain the recovery password for volume C:
 
<pre>
 
<pre>
cbc-essiv:sha256
+
manage-bde.exe -protectors -get C: -Type recoverypassword
 
</pre>
 
</pre>
  
And the password hashing method in the example is:
+
Or just obtain the all “protectors” for volume C:
 
<pre>
 
<pre>
ripemd160
+
manage-bde.exe -protectors -get C:
 
</pre>
 
</pre>
 +
 +
== See Also ==
 +
* [[BitLocker:_how_to_image|BitLocker: How to image]]
 +
* [[Defeating Whole Disk Encryption]]
  
 
== External Links ==
 
== External Links ==
* [http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf New Methods in Hard Disk Encryption], by Clemens Fruhwirth, July 18, 2005
 
* [http://wiki.cryptsetup.googlecode.com/git/LUKS-standard/on-disk-format.pdf LUKS On-Disk Format Specification - Version 1.2.1], by Clemens Fruhwirth, October 16, 2011
 
* [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html LUKS Disk Encryption], by [[RedHat]]
 
* [https://googledrive.com/host/0B3fBvzttpiiSNUVYSFF1TmRONmc/Linux%20Unified%20Key%20Setup%20(LUKS)%20Disk%20Encryption%20format.pdf LUKS Disk Encryption format specification], by the [[libluksde|libluksde project]], July 2013
 
* [http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ Practical malleability attack against CBC-Encrypted LUKS partitions], by Jakob Lell, December 22, 2013
 
  
 +
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
 +
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
 +
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
 +
 +
== Tools ==
 +
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[libbde]]
  
 
[[Category:Disk encryption]]
 
[[Category:Disk encryption]]
[[Category:Linux]]
+
[[Category:Windows]]

Revision as of 13:28, 23 December 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

BitLocker

BitLocker encrypts data with either 128-bit or 256-bit AES and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

How to detect

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header.

A BitLocker encrypted volume starts with the "-FVE-FS-" signature.

A hexdump of the start of the volume should look similar to:

00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|

These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.

000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools