Difference between pages "Determining OS version from an evidence image" and "BitLocker Disk Encryption"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(HP/UX)
 
(BitLocker)
 
Line 1: Line 1:
One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
==Windows==
+
== BitLocker ==
 +
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
===Windows 95/98/ME===
+
BitLocker has support for partial encrypted volumes.
  
Establish the boot volume, verify that it is a FAT file system, and locate the hidden text file \MSDOS.SYS. Locate the [Options]WinVer parameter:
+
== How to detect ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.
  
{| class="wikitable"
+
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
|-
+
! WinVer
+
! OS
+
|-
+
| 4.00.0950
+
| Windows 95
+
|-
+
| 4.00.1111
+
| Windows 95 OSR2
+
|-
+
| 4.03.1212
+
| Windows 95 OSR2.1
+
|-
+
| 4.03.1214
+
| Windows 95 OSR2.5
+
|-
+
| 4.10.1998
+
| Windows 98
+
|-
+
| 4.10.2222
+
| Windows 98 SE
+
|-
+
| 4.90.3000
+
| Windows ME
+
|}
+
  
Alternatively, establish WinDir ([Paths]WinDir in \MSDOS.SYS), locate the %WINDIR%\SYSTEM.DAT registry file. Next, look up the registry key Software\Microsoft\Windows\CurrentVersion\, and values Version and VersionNumber. (Backup copies of SYSTEM.DAT may be found in .CAB files in %WINDIR%\SYSBCKUP.)
+
A hexdump of the start of the volume should look similar to:
 +
<pre>
 +
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
 +
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
 +
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
 +
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32  3.....|
 +
</pre>
  
===Windows NT===
+
These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.
  
===Windows 2000/2003/XP/Vista===
+
<pre>
Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).
+
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
 +
</pre>
  
During a forensic examination, information regarding the version of Windows can be found in a number of places.  For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt".  This is not definitive, however, because this directory name is easily modified during installation.
+
== BitLocker To Go ==
 +
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
  
Determining the version of Windows from the Software Registry Hive file - navigate to the ''Microsoft\Windows NT\CurrentVersion'' key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.
+
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
  
Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file.  You can view this information with a hex editor, or extract it using a variety of means.  There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script [http://sourceforge.net/project/showfiles.php?group_id=164158&package_id=203967 kern.pl] illustrates a platform independent means of examining the PE header and ultimately locating the file version information.
+
To obtain the recovery password for volume C:
 
+
<pre>
In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of ''Product ID''). Some of these values:
+
manage-bde.exe -protectors -get C: -Type recoverypassword
 
+
</pre>
{| class="wikitable" border="1"
+
|-
+
!Value (MPC)!!Version
+
|-
+
|55034 || Windows XP Professional English
+
|-
+
|55683 || Windows XP Professional Russian
+
|-
+
|55681 || Windows XP Home Edition Russian
+
|}
+
 
+
==Unix/Linux==
+
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.
+
 
+
===Linux===
+
A number of Linux distributions create a file in ''/etc'' to identify the release or version installed.
+
  
 +
Or just obtain the all “protectors” for volume C:
 
<pre>
 
<pre>
/etc/issue
+
manage-bde.exe -protectors -get C:
/etc/issue.net
+
 
</pre>
 
</pre>
  
{| class="wikitable" border="1"
+
== See Also ==
|-
+
* [[BitLocker:_how_to_image|BitLocker: How to image]]
!Distro!!Tag
+
* [[Defeating Whole Disk Encryption]]
|-
+
|Red Hat || /etc/redhat-release
+
|-
+
|Debian  || /etc/debian-version
+
|}
+
 
+
=== (Open) Solaris ===
+
 
+
===Free/Net/OpenBSD===
+
A first indicator of the presence of a BSDs operating system is the partition table on a MBR-partitioned disk:
+
 
+
{| class="wikitable" border="1"
+
|-
+
!OS!!Partition type
+
|-
+
|FreeBSD || FreeBSD (0xA5)
+
|-
+
|OpenBSD || OpenBSD (0xA6)
+
|-
+
|NetBSD || NetBSD (0xA9)
+
|-
+
|}
+
 
+
You can get the release and version of BSDs operating system inside the kernel images, even with only a disk image.
+
 
+
{| class="wikitable" border="1"
+
|-
+
!OS!!Kernel path
+
|-
+
|FreeBSD || /boot/kernel/kernel
+
|-
+
|OpenBSD || /bsd
+
|-
+
|NetBSD || /netbsd
+
|-
+
|}
+
 
+
You can use <tt>strings</tt> and <tt>grep</tt> tools to find this information with <tt>strings kernel_path | grep os_name</tt>. (e.g.: <tt>strings /bsd | grep OpenBSD</tt>)
+
 
+
===AIX===
+
  
===HP/UX===
+
== External Links ==
  
===Other===
+
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* BSDI
+
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
 +
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
 +
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
  
==Other==
+
== Tools ==
* Plan9
+
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* QNX RTOS
+
* [[libbde]]
* OS2
+
* MacOS-X/IOS
+
  
[[Category:Howtos]]
+
[[Category:Disk encryption]]
 +
[[Category:Windows]]

Revision as of 13:28, 23 December 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

Contents

BitLocker

BitLocker encrypts data with either 128-bit or 256-bit AES and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

How to detect

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header.

A BitLocker encrypted volume starts with the "-FVE-FS-" signature.

A hexdump of the start of the volume should look similar to:

00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|

These volumes can also be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00 or 4967d63b-2e29-4ad8-8399-f6a339e3d01 for BitLocker ToGo.

000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools