Difference between pages "Training Courses and Providers" and "BitLocker Disk Encryption"

From Forensics Wiki
(Difference between pages)
(On-going / Continuous Training)
 
(External Links)
 
Line 1: Line 1:
This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics.   Conferences which may include training are located on the [[Upcoming_events]] page.
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
+
== BitLocker ==
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month.  Others have recurring training but are scheduled at various times throughout the year. Providers training courses should be listed in alphabetical order, and should be listed in the appropriate section.  Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement.  Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite).  Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
+
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
  
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
== On-going / Continuous Training ==
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|- style="background:pink;align:left"
+
! DISTANCE LEARNING
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.onlineforensictraining.com/courses.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|Champlain College - CCE Course
+
|Online / Distance Learning Format
+
|http://online.champlain.edu/computer-forensics-digital-investigation/CFDI_440
+
|-
+
|Las Positas College
+
|Online Computer Forensics Courses
+
|http://www.laspositascollege.edu
+
|-
+
|National Center for Media Forensics
+
|Distance and Concentrated Audio/Video/Image Forensics
+
|http://cam.ucdenver.edu/ncmf
+
|-
+
|- style="background:pink;align:left"
+
!RECURRING TRAINING
+
|-
+
|Evidence Recovery for Windows 7&reg; operating system;
+
|First full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows 8&reg;
+
|Second full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2008 and 2012
+
|Third full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|}
+
  
==Non-Commercial Training==
+
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* TPM (Trusted Platform Module)
|- style="background:#bfbfbf; font-weight: bold"
+
* Smart card
! width="40%"|Title
+
* recovery password
! width="40%"|Website
+
* start-up key
! width="20%"|Limitation
+
* clear key; this key-protector provides no protection
|-
+
* user password
|Defense Cyber Investigations Training Academy (DCITA)
+
|http://www.dc3.mil/dcita/dcitaAbout.php
+
|Limited To Certain Roles within US Government Agencies[http://www.dc3.mil/dcita/dcitaRegistration.php (1)]
+
|-
+
|Federal Law Enforcement Training Center
+
|http://www.fletc.gov/training/programs/technical-operations-division
+
|Limited To Law Enforcement
+
|-
+
|MSU National Forensics Training Center
+
|http://www.security.cse.msstate.edu/ftc
+
|Limited To Law Enforcement
+
|-
+
|IACIS
+
|http://www.iacis.com/training/course_listings
+
|Limited To Law Enforcement and Affiliate Members of IACIS
+
|-
+
|SEARCH
+
|http://www.search.org/programs/hightech/courses/
+
|Limited To Law Enforcement
+
|-
+
|National White Collar Crime Center
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited To Law Enforcement
+
|-
+
|}
+
  
==Tool Vendor Training==
+
BitLocker has support for partial encrypted volumes.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
|-
+
|AccessData (Forensic Tool Kit FTK)
+
|http://accessdata.com/training
+
|-
+
|ASR Data (SMART)
+
|http://www.asrdata.com/forensic-training/overview/
+
|-
+
|ATC-NY (P2P Marshal, Mac Marshal)
+
|http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
+
|-
+
|BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock)
+
|https://www.blackbagtech.com/training.html
+
|-
+
|Cellebrite (UFED)
+
|http://cellebrite.com/mobile-forensics-products/ufed-training.html
+
|-
+
|CPR Tools (Data Recovery)
+
|http://www.cprtools.net/training.php
+
|-
+
|Digital Intelligence (FRED Forensics Platform)
+
|http://www.digitalintelligence.com/forensictraining.php
+
|-
+
|e-fense, Inc. (Helix3 Pro)
+
|http://www.e-fense.com/training/index.php
+
|-
+
|Guidance Software (EnCase)
+
|http://www.guidancesoftware.com/computer-forensics-training-courses.htm
+
|-
+
|Micro Systemation (XRY)
+
|http://www.msab.com/training/schedule
+
|-
+
|Nuix (eDiscovery)
+
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
+
|-
+
|Paraben (Paraben Suite)
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Software Analysis & Forensic Engineering (CodeSuite)
+
|http://www.safe-corp.biz/training.htm
+
|-
+
|Technology Pathways(ProDiscover)
+
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
+
|-
+
|SubRosaSoft (MacForensicsLab)
+
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
+
|-
+
|Volatility Labs (Volatility Framework)
+
|http://volatility-labs.blogspot.com/search/label/training
+
|-
+
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|X-Ways Forensics (X-Ways Forensics)
+
|http://www.x-ways.net/training/
+
|-
+
|}
+
  
==Commercial Training (Non-Tool Vendor)==
+
== BitLocker To Go ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
|- style="background:#bfbfbf; font-weight: bold"
+
 
! width="40%"|Title
+
== manage-bde ==
! width="40%"|Website
+
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
! width="20%"|Limitation
+
<pre>
|-
+
manage-bde.exe -status
|Applied Security (Digital Forensics Training)
+
</pre>
|http://www.appliedsec.com/forensics/training.html
+
 
|-
+
To obtain the recovery password for volume C:
|BerlaCorp iOS and GPS Forensics Training
+
<pre>
|http://www.berlacorp.com/training.html
+
manage-bde.exe -protectors -get C: -Type recoverypassword
|-
+
</pre>
|Computer Forensic Training Center Online (CFTCO)
+
 
|http://www.cftco.com/
+
Or just obtain the all “protectors” for volume C:
|-
+
<pre>
|CCE Bootcamp
+
manage-bde.exe -protectors -get C:
|http://www.cce-bootcamp.com/
+
</pre>
|-
+
 
|Cyber Security Academy
+
== See Also ==
|http://www.cybersecurityacademy.com/
+
* [[BitLocker:_how_to_image]]
|-
+
* [[Defeating Whole Disk Encryption]]
|Dera Forensics Group
+
 
|http://www.deraforensicgroup.com/courses.htm
+
== External Links ==
|-
+
 
|e-fense Training
+
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
|http://www.e-fense.com/training/index.php
+
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
|-
+
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
|Forward Discovery, Inc.
+
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
|http://www.forwarddiscovery.com
+
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
|-
+
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
|H-11 Digital Forensics
+
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
|http://www.h11-digital-forensics.com/training/viewclasses.php
+
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
|-
+
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
|High Tech Crime Institute
+
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
|http://www.gohtci.com
+
 
|-
+
== Tools ==
|Infosec Institute
+
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
|http://www.infosecinstitute.com/courses/security_training_courses.html
+
* [[libbde]]
|-
+
 
|Intense School (a subsidiary of Infosec Institute)
+
[[Category:Disk encryption]]
|http://www.intenseschool.com/schedules
+
[[Category:Windows]]
|-
+
|MD5 Group (Computer Forensics and E-Discovery courses)(Dallas, TX)
+
|http://www.md5group.com
+
|-
+
|Mile 2 (Security and Forensics Certification Training)
+
|https://www.mile2.com/mile2-online-estore/classess.html
+
|-
+
|Mobile Forensics, Inc
+
|http://mobileforensicsinc.com/
+
|-
+
|NetSecurity
+
|http://www.netsecurity.com/training/registration_schedule.html
+
|-
+
|NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program)
+
|http://www.nidforensics.com.br/
+
|-
+
|NTI (an Armor Forensics Company) APPEARS DEFUNCT
+
|http://www.forensics-intl.com/training.html
+
|-
+
|Security University
+
|http://www.securityuniversity.net/classes.php
+
|-
+
|Steganography Analysis and Research Center (SARC)
+
|http://www.sarc-wv.com/training
+
|-
+
|Sumuri, LLC - Mac, Mobile, iLook Training
+
|http://www.sumuri.com/index.php/features/training-and-events-calendar
+
|-
+
|SysAdmin, Audit, Network, Security Institute (SANS)
+
|http://computer-forensics.sans.org/courses/
+
|-
+
|Teel Technologies Mobile Device Forensics Training
+
|http://www.teeltech.com/tt3/training.asp
+
|-
+
|viaForensics Advanced Mobile Forensics Training
+
|http://viaforensics.com/education/calendar/
+
|-
+
|Zeidman Consulting (MCLE)
+
|http://www.zeidmanconsulting.com/speaking.htm
+
|-
+
|}
+
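Review bot: the GUID on the added line "These volumes can be identified by the BitLocker GUID/UUID" reads 4967d63b-2e29-4ad8-8399-f6a339e3d00, and its last group has 11 hex digits where a GUID has 12. Check the value against its source before saving, because a truncated identifier cannot be matched byte-for-byte against a volume header. The same added text has three wording slips worth fixing in this edit: "is [[Full Volume Encryption]] solution" (missing article), "also know as key-protector key", and "Or just obtain the all “protectors”".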

Revision as of 01:00, 27 June 2013

BitLocker Disk Encryption (BDE) is a Full Volume Encryption solution by Microsoft, first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7, along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

BitLocker

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their volume header (first sector): 2D 46 56 45 2D 46 53 2D or, in ASCII, -FVE-FS-.

These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
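
The signature check described above, as an added example that is not part of the original wiki page: a Python triage helper that walks the MBR partition table of a raw disk image and classifies each volume's first sector as NTFS or BitLocker. It assumes 512-byte sectors and that the signature sits in the 8-byte OEM ID field at offset 3 of the first sector; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
BDE_SIG = bytes.fromhex("2D4656452D46532D")  # "-FVE-FS-", as given in the text
NTFS_SIG = b"NTFS    "                        # OEM ID of a standard NTFS header
OEM_ID_OFFSET = 3                             # assumption: field follows the 3-byte jump

def classify_volume_header(sector: bytes) -> str:
    """Classify a volume's first sector by its 8-byte OEM ID field."""
    if len(sector) < OEM_ID_OFFSET + 8:
        return "truncated"                    # partition starts past the end of the image
    oem = sector[OEM_ID_OFFSET:OEM_ID_OFFSET + 8]
    if oem == BDE_SIG:
        return "bitlocker"
    if oem == NTFS_SIG:
        return "ntfs"
    return "unknown"

def scan_mbr_image(image: bytes) -> list:
    """Return (slot, start_lba, verdict) for every used MBR partition entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    results = []
    for slot in range(4):
        entry = image[446 + 16 * slot:446 + 16 * (slot + 1)]
        ptype = entry[4]
        start_lba, _count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:
            continue                          # unused slot
        first = image[start_lba * SECTOR:(start_lba + 1) * SECTOR]
        results.append((slot, start_lba, classify_volume_header(first)))
    return results

def build_sample_image() -> bytes:
    """Constructed sample: an MBR plus one NTFS and one BitLocker first sector."""
    img = bytearray(SECTOR * 6)
    for slot, (lba, oem) in enumerate([(2, NTFS_SIG), (4, BDE_SIG)]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * slot, 0, 0x07, lba, 1)
        img[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    # Third entry deliberately points past the end of the image.
    struct.pack_into("<B3xB3xII", img, 446 + 32, 0, 0x07, 100, 1)
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for slot, lba, verdict in scan_mbr_image(build_sample_image()):
        print(f"partition {slot} @ LBA {lba}: {verdict}")
```

A "bitlocker" verdict only says the header carries the signature; it does not indicate which key protectors are present.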

The actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also known as a key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partially encrypted volumes.

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or obtain all “protectors” for volume C:

manage-bde.exe -protectors -get C:
