Difference between pages "User:Helixgroup" and "BitLocker Disk Encryption"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m
 
(BitLocker)
 
Line 1: Line 1:
''The danger in using a wiki as a collaboration tool is that other people will edit it.  
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
Information on cryptographic file system was moved to [[File Systems#Cryptographic File Systems]]
+
== BitLocker ==
 +
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
 +
BitLocker has support for partial encrypted volumes.
  
 +
== How to detect ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.
  
=== Vendor's product overview: ===
+
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
Seagate FDE: http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
+
  
Network Appliance: http://www.netapp.com/ftp/decru-fileshredding.pdf
+
A hexdump of the start of the volume should look similar to:
 +
<pre>
 +
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
 +
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
 +
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
 +
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32  3.....|
 +
</pre>
  
NetApps DataFort: http://www.decru.com/products/pdf/dsEseries.pdf
+
These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.
  
Decru Lifetime Key Management: http://www.decru.com/products/ltkm.htm
+
<pre>
 +
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
 +
</pre>
  
Decru Whitepaper: http://www.forensicswiki.org/images/6/6f/Securing_Storage_White_Paper.pdf
+
== BitLocker To Go ==
 +
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
  
Price for Decru DataFort E510 1.6 for NAS: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss346_art680,00.html
+
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
  
DecruDataFort E440: http://www.computerworld.com/hardwaretopics/storage/story/0,10801,78766,00.html
+
To obtain the recovery password for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C: -Type recoverypassword
 +
</pre>
  
[[User:Lenageraghty|Lenageraghty]] 22:08, 7 November 2005 (EST)
+
Or just obtain the all “protectors” for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C:
 +
</pre>
  
=== SAM Useful TCFS site: ===
+
== See Also ==
 +
* [[BitLocker:_how_to_image|BitLocker: How to image]]
 +
* [[Defeating Whole Disk Encryption]]
  
Transparent CryptoGraphical file system: http://www.tcfs.it/index.php?pc=2
+
== External Links ==
  
TCFS intro: http://www.linuxjournal.com/article/2174
+
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
 +
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
 +
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
  
--[[User:Samlam|Samlam]] 19:56, 13 November 2005 (EST)
+
== Tools ==
 +
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[libbde]]
  
=== ERIC Seagate new offerings: ===
+
[[Category:Disk encryption]]
Full Disk Encryption: http://www.eweek.com/article2/0,1759,1825740,00.asp
+
[[Category:Windows]]
 
+
Seagate product specification: http://www.seagate.com/content/docs/pdf/marketing/PO-Momentus-FDE.pdf
+
 
+
 
+
[[User:Samlam|Samlam]] 12:10, 13 November 2005 (EST)
+
 
+
=== Cryptographcial File Systems: ===
+
[[File Systems#Cryptographic File Systems]] Readings on crytographical file systems.
+
=== Some Questions / Notes from BJ===
+
I added to the existing outline below.  We only get 15 pages max, so we might have to limit ourselves to 2 pages (3 tops) per EFS, so there might be too many items for each EFS listed, but I think it would be good for us to be consistent and have the same items in each EFS.
+
 
+
I think we should start filling out what we can in the outline during this week, so that we can "refine as we go". 
+
 
+
Please make sure and add your citations, also.  Do not worry about format; we will do that later; but make sure all the information is there.
+
 
+
=== Suggestion of outline : ===
+
*Introduction (BJ)
+
**Definition of an Encrypting File System
+
**Purpose/Goal of an EFS
+
***Purpose: to add an additional layer of security, controlled by the user, over that user's data
+
***Goal: to allow users to feel confident the data placed in the EFS cannot be compromised.
+
**Overview of General Workings
+
***(description of common functionality and common processes to all or most EFS)
+
***You have data in memory, you want to save it to disk, you only want "authorized" people to see it; not even system administrators and/or backup operators
+
***You control access by "owning" the key
+
***Key is generated (somehow)
+
***There is overhead in the process of encrypting/decrypting (unavoidable)
+
**Overview of Common Usage
+
***Maybe some categories of users and what they are looking for:
+
***"business critical applications" like databases, etc. where business relies on data being available and secure
+
***"business users" like managers who want to secure employee reviews, HR people wanting to secure salary information, etc.
+
***"casual users" people who just want to make sure their data is secure.
+
**The currently available systems (market share?)
+
**Why we choose CFS TCFS and Network Applicances
+
*Study of 4 systems in depth, including why this system is selected for study.
+
**CFS (LENA)
+
***Overview
+
****When Developed
+
****Platform(s)
+
****Current Version
+
***Key Management
+
***Ease of Use for End Users
+
***Legal Issues
+
***Failure Modes
+
***Challenges in Installation/Use by System Administrator
+
***Performance
+
***Cost
+
***Conclusion (?? what would that be??)
+
**TCFS (SAM)
+
***Overview
+
****When Developed
+
****Platform(s)
+
****Current Version
+
***Key Management
+
***Ease of Use for End Users
+
***Legal Issues
+
***Failure Modes
+
***Challenges in Installation/Use by System Administrator
+
***Performance
+
***Cost
+
***Conclusion (?? what would that be??)
+
**Network Appliance DataForte and Seagate (ERIC)
+
***Overview
+
****When Developed
+
****Platform(s)
+
****Current Version
+
***Key Management
+
***Ease of Use for End Users
+
***Legal Issues
+
***Failure Modes
+
***Challenges in Installation/Use by System Administrator
+
***Performance
+
***Cost
+
***Conclusion (?? what would that be??)
+
**Windows EFS (BJ)
+
***Overview
+
****When Developed
+
****Platform(s)
+
****Current Version
+
***Key Management
+
***Ease of Use for End Users
+
***Legal Issues
+
***Failure Modes
+
***Challenges in Installation/Use by System Administrator
+
***Performance
+
***Cost
+
***Conclusion (?? what would that be??)
+
*Common Issues/Problems (ALL)
+
**Impact on computer forensics
+
**Impact on end-users (i.e. what if you are away on a business trip and you have to go to the hospital and all of your files are encrypted on your laptop?) (or even worse, what if you die and all your financial information is encrypted?)
+
**Impact on business owners (e.g. what if an employee quits and all that person's data files, contact info, etc. are encrypted)
+
*Future (ALL)
+
**What would be useful to add or remove
+
**How we would accomplish the changes we suggest
+
*Conclusion. (ALL)
+
 
+
[[User:bjl170|bjl170]] 20:23, 14 November 2005 (EST)
+
 
+
[[User:Lenageraghty|Lenageraghty]] 08:36, 11 November 2005 (EST)
+
 
+
=== Questions : ===
+
* What systems are currently available ?
+
 
+
[[User:Lenageraghty|Lenageraghty]] 08:48, 11 November 2005 (EST)
+
 
+
=== Suggestions/Questions/Outline ?: ===
+
* Solutions from other storage vendors.
+
* Desirable features for a cryptographical file system.
+
* cost
+
** performance
+
** total solution for end-users
+
** Key management for cryptographical file system
+
** Ease of use by end-users
+
** Failure modes
+
** Challenges in using/installing
+
 
+
[[User:Lenageraghty|Lenageraghty]] 22:48, 7 November 2005 (EST)
+
 
+
===== comment from TA (Joe)  =====
+
That looks like some of the right inroads.  Remember that the paper is
+
not very long, so you may want to focus on the three systems and do a
+
deep analysis.  Certainly some things to think about:
+
      Simson's lecture where he talked about it
+
      Failure modes of such systems
+
      Challenges in using/installing
+
 
+
''comment from teacher:'' Please remember that this Wiki is publically accessible on the Internet. It's great if you can improve the resource for everbody. But do try to do that, rather than just creating your own space...
+

Revision as of 13:28, 23 December 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

Contents

BitLocker

BitLocker encrypts data with either 128-bit or 256-bit AES and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

How to detect

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header.

A BitLocker encrypted volume starts with the "-FVE-FS-" signature.

A hexdump of the start of the volume should look similar to:

00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|

These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.

000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools