Difference between pages "Palm" and "BitLocker Disk Encryption"

From ForensicsWiki
'''Palm'''

__TOC__

=Overview=

A "Palm" commonly refers to a small-scale (hand-held) computer that runs Palm's PalmOS software.

The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:<br><br>
-- The reference hardware design<br>
-- The device operating system, called the Palm OS software<br>
-- The HotSync conduit data synchronization technology<br>
-- The platform component tools, including an application programming interface (API) that enables developers to write applications<br>
-- The software interface capabilities to support hardware add-ons<br>

(http://www.palm.com/us/company/pr/2000/092000.html, 2000)

== History ==

Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed Colligan. The original purpose of the company was to create handwriting recognition software (Graffiti) for other devices. The initial idea for the devices came from Hawkins' habit of carrying a block of wood in his pocket.

The initial Palm device, released in 1996, was called the Pilot. Because Pilot Pen Corporation brought a trademark infringement case, the second-generation device, released in 1997, was named the PalmPilot.

The Palm was not the first PDA released, but it benefited from the failure of Apple's Newton.

The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks.

Presently, version 6.0 of the Palm OS (Cobalt) is under development. Cobalt features a Linux-based kernel. There are presently no devices released using Palm OS 6.

=Features=
<table>
<tr>
<td>'''Address Book''': Allows the user to keep track of their contacts. Synchronized via HotSync manager.</td>
</tr>
<tr>
<td>'''Calculator''': Basic four-function calculator.</td>
</tr>
<tr>
<td>'''Datebook''': Track appointments, birthdates and other important times during the year. Synchronized via HotSync manager.</td>
</tr>
<tr>
<td>'''Expenses''': Keep track of your spending habits.</td>
</tr>
<tr>
<td>'''HotSync''': Application that ran on your desktop or portable PC or Mac to allow calendars and contacts to be synchronized easily with the Palm device.</td>
</tr>
<tr>
<td>'''Memo Pad''': Write short notes.</td>
</tr>
<tr>
<td>'''Note Pad''': Scribble notes in your natural handwriting.</td>
</tr>
<tr>
<td>'''To Do List''': Create a check list of items to accomplish. Synchronized via HotSync manager.</td>
</tr>
<tr>
<td>'''Palm Photos''': Photo manager that allows sharing of photos between multiple Palm devices.</td>
</tr>
</table>

=Palm Variants=

-Version 3.1, 3.3, 3.5
Added support for color, multiple expansion ports, new processors, etc.

-Version 4.0
Added a standard interface for external file system access.

-Version 5.0
First version to support Acorn RISC Machine (ARM) devices. Later versions, which included OS 4.1.2 and 5.2, featured Graffiti 2. It began the separation of Palm OS and palmOne.

-Version 6
Allowed ARM applications with multimedia support.

==Palm Pilot==

==3Com Audrey==

The 3Com Audrey was created as a kitchen computer in 2000-2001. It was mainly used to access the Internet. Cisco then bought out 3Com and the Audrey was no more. One noticeable aspect of the Audrey is how people can hack it: they have turned it into anything from a web server to a chat client. It runs QNX with PalmOS extensions, which allows it to be hacked extremely easily.

It runs on the Intel-compatible Cyrix MediaGX processor. It uses Palm's HotSync technology to update the address book and date book with up to two Palms simultaneously. It uses a USB Ethernet controller to connect to the Internet. It also has built-in stereo speakers to play digital and streaming music. You can either use the clear pen to input data or pull out the wireless keyboard. No Graffiti is used.

It was discontinued on March 21, 2001. However, there is still an Audrey frenzy going on today.

==Fossil==

==Garmin==

==Kyocera==

Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. An agreement between Kyocera and Palm Inc. to license the Palm OS platform was reached after the QUALCOMM acquisition. It is the foundation for a suite of smartphones.

==QualComm==

In September 1998, QUALCOMM introduced the pdQ smartphone, which was the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM's CDMA handset business was later bought by Kyocera in February 2000.

==Samsung==

==Sony CLIÉ==

==Symbol==

==TapWave==

==TRG==

==Handspring Visor==

The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky and Ed Colligan, left Palm Computing after disputes with the parent company 3Com. As a result, the trio founded Handspring in 1998. The first product, released in 1999, was called the Handspring Visor, a clone of the original PalmPilot with minor additions that used the newly created Palm OS. One of its most prominent features was USB support and an expansion slot for memory cards, both of which were not yet popular at the time.

The Visor line includes:
<ul>
<li>Visor and Visor Deluxe</li>
<li>Visor Prism</li>
<li>Visor Platinum</li>
<li>Visor Edge</li>
<li>Visor Neo</li>
<li>Visor Pro</li>
</ul>

==Treo==
Treo manufactures a variety of devices, including the LifeDrive, Treo 650 and 700w, Palm Z22 and TX, and the Tungsten E2. Each of these devices is marketed at a different segment of the market. For example, the LifeDrive contains a 4GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s. The LifeDrive also includes integrated WiFi and Bluetooth capabilities. The Treo 650 and 700w are the company's smartphones. The Treo 650 runs Palm OS, while the 700w runs Windows Mobile. The Z22, TX and Tungsten E2 are primarily designed to be personal organizers.

=Forensics=
Forensics for Palm devices is a nascent field. There are several tools available for the image acquisition and analysis of Palm devices.

==EnCase==
EnCase, published by Guidance Software, is a complete cyber forensics software package that handles all steps of the investigative process, from acquisition to report creation. The software includes built-in capabilities for MD5 hashing, data carving, deleted file recovery and many other functions.

Although traditionally relegated to the realm of desktop computer forensics investigations, EnCase does support the acquisition and analysis of a limited number of Palm devices.

=References=
http://www.answers.com/topic/palm-os

http://www.palm.com/us/

http://www.encase.com


'''BitLocker Disk Encryption''' (BDE) is a [[Full Volume Encryption]] solution by [[Microsoft]], first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]], along with a system for encrypting removable storage media devices, such as [[USB]] drives, called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

== BitLocker ==

BitLocker encrypts data with either 128-bit or 256-bit [[AES]], optionally combined with a diffuser algorithm called Elephant. The key used for the encryption, the Full Volume Encryption Key (FVEK) and/or the TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are themselves encrypted with another key, the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted with yet another key, known as a key-protector key. Some of the key-protectors are:

* TPM (Trusted Platform Module)
* Smart card
* recovery password
* start-up key
* clear key; this key-protector provides no protection
* user password

BitLocker has support for partially encrypted volumes.

== How to detect ==

Volumes encrypted with BitLocker have a different signature than the standard [[NTFS]] header.

A BitLocker encrypted volume starts with the "-FVE-FS-" signature (at offset 3 of the first sector, right after the jump instruction, as in the dump below).

A hexdump of the start of the volume should look similar to:
<pre>
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|
</pre>

These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00, or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker To Go. The GUID is stored at offset 0xa0 of the first sector:

<pre>
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
</pre>

== BitLocker To Go ==

Volumes encrypted with BitLocker To Go are hybrid volumes: part of the volume is unencrypted and contains the applications used to unlock the volume, and the other part is encrypted. The unencrypted "discovery drive" volume contains the BitLocker To Go Reader, which can read the encrypted volume on versions of Microsoft [[Windows]] without BitLocker support.

== manage-bde ==

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
<pre>
manage-bde.exe -status
</pre>

To obtain the recovery password for volume C:
<pre>
manage-bde.exe -protectors -get C: -Type recoverypassword
</pre>

Or to obtain all "protectors" for volume C:
<pre>
manage-bde.exe -protectors -get C:
</pre>

== See Also ==
* [[BitLocker:_how_to_image|BitLocker: How to image]]
* [[Defeating Whole Disk Encryption]]

== External Links ==

* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8

== Tools ==
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[libbde]]

[[Category:Disk encryption]]
[[Category:Windows]]
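As an added example, not part of the ForensicsWiki page, the following Python triage helper applies the "How to detect" checks above to the first sector of a volume: it tests for the "-FVE-FS-" OEM name at offset 3 and decodes the 16-byte GUID at offset 0xa0 (the GUID constant is decoded from the page's 0xa0 hexdump row). The sample sector is constructed from that hexdump; classify_image is an assumed helper name for reading a raw image, not a tool from the page.

```python
import uuid

# Values taken from the page's hexdumps: the OEM name at offset 3 of the
# volume's first sector and the volume GUID stored (mixed-endian) at 0xa0.
BDE_SIGNATURE = b"-FVE-FS-"
NTFS_SIGNATURE = b"NTFS    "          # standard NTFS OEM ID, for contrast
BDE_GUID_OFFSET = 0xA0
BDE_GUID = "4967d63b-2e29-4ad8-8399-f6a339e3d001"  # decoded from the 0xa0 row


def classify_volume_start(data: bytes) -> dict:
    """Classify the first bytes of a volume as bitlocker, ntfs or unknown."""
    if len(data) < BDE_GUID_OFFSET + 16:
        raise ValueError("need at least 0xb0 bytes from the start of the volume")
    oem = data[3:11]
    # bytes_le reads the first three GUID fields little-endian, matching the dump.
    guid = str(uuid.UUID(bytes_le=data[BDE_GUID_OFFSET:BDE_GUID_OFFSET + 16]))
    if oem == BDE_SIGNATURE:
        # The OEM name is enough for triage; the GUID acts as a second witness.
        kind = "bitlocker" if guid == BDE_GUID else "bitlocker-unrecognised-guid"
    elif oem == NTFS_SIGNATURE:
        kind = "ntfs"
    else:
        kind = "unknown"
    return {"type": kind, "oem": oem.decode("ascii", "replace"), "guid": guid}


def classify_image(path: str, volume_offset: int = 0) -> dict:
    """Classify the volume starting at volume_offset inside a raw (dd) image."""
    with open(path, "rb") as fh:
        fh.seek(volume_offset)
        return classify_volume_start(fh.read(512))


# Constructed sample: a 512-byte sector rebuilt from the page's hexdump rows
# (offsets 0x00-0x5f and 0xa0-0xaf); all other bytes are zero-filled.
_ROWS = [
    "eb58902d4656452d46532d0002080000",
    "0000000000f800003f00ff0000000000",
    "00000000e01f00000000000000000000",
    "01000600000000000000000000000000",
    "800029000000004e4f204e414d452020",
    "2020464154333220202033c98ed1bcf4",
]
_sector = bytearray(512)
_sector[0:0x60] = bytes.fromhex("".join(_ROWS))
_sector[0xA0:0xB0] = bytes.fromhex("3bd66749292ed84a8399f6a339e3d001")
SAMPLE_BDE_SECTOR = bytes(_sector)
# Constructed plain NTFS sector start, to show that the signatures differ.
SAMPLE_NTFS_SECTOR = b"\xeb\x52\x90" + NTFS_SIGNATURE + bytes(512 - 11)
```

Run classify_image on a raw image with the partition's byte offset to triage a volume before attempting to image it; an "-FVE-FS-" hit with an unrecognised GUID still warrants a manual look at the metadata.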
Revision as of 14:28, 23 December 2013
