BitLocker Disk Encryption and FAT

From ForensicsWiki

'''BitLocker Disk Encryption''' (BDE) is a [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]], along with a system for encrypting removable storage media devices, such as [[USB]] drives, called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

== BitLocker ==

Volumes encrypted with BitLocker have a different signature from the standard [[NTFS]] header. Instead, their volume header (first sector) contains <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.

These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.

The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used for the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata, and each copy is encrypted using yet another key, known as a key-protector key. Some of the key-protectors are:

* TPM (Trusted Platform Module)
* Smart card
* recovery password
* start-up key
* clear key; this key-protector provides no protection
* user password

BitLocker has support for partially encrypted volumes.

== BitLocker To Go ==

Volumes encrypted with BitLocker To Go are hybrid encrypted volumes, meaning that part of the volume is unencrypted and contains applications to unlock the volume, and the other part of the volume is encrypted. The "discovery drive" volume contains the BitLocker To Go Reader, used to read encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.

== manage-bde ==

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

<pre>
manage-bde.exe -status
</pre>

To obtain the recovery password for volume C:

<pre>
manage-bde.exe -protectors -get C: -Type recoverypassword
</pre>

Or to obtain all "protectors" for volume C:

<pre>
manage-bde.exe -protectors -get C:
</pre>

== See Also ==

* [[BitLocker:_how_to_image]]
* [[Defeating Whole Disk Encryption]]

== External Links ==

* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8

== Tools ==

* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[libbde]]

[[Category:Disk encryption]]
[[Category:Windows]]

----

=Technical Overview=

FAT, or file allocation table, is a file system designed to keep track of the allocation status of clusters on a hard drive. Developed in 1977 by Microsoft Corporation, FAT was originally intended as the file system for the Microsoft Disk BASIC interpreter. FAT was quickly incorporated into an early version of Tim Paterson's QDOS, a moniker for "Quick and Dirty Operating System". Microsoft later purchased the rights to QDOS and released it under Microsoft branding as PC-DOS and later MS-DOS.

==File Allocation Table Structure==

[[Image:Yale fat16 diagram.jpg|frame|Basic layout of the FAT16 file system.]]

The FAT file system is composed of several areas:

* Boot Record or Boot Sector
* FATs
* Root Directory or Root Folder
* Data Area
* Clusters
* Wasted Sectors

'''Boot Record'''

When a computer is powered on, a POST (power-on self test) is performed, and control is then transferred to the MBR (Master Boot Record). The MBR is present no matter what file system is in use, and contains information about how the storage device is logically partitioned. When using a FAT file system, the MBR hands off control of the computer to the Boot Record, which is the first sector on the partition. The Boot Record, which occupies a reserved area on the partition, contains executable code, in addition to information such as an OEM identifier, the number of FATs, the media descriptor (type of storage device), and information about the operating system to be booted. Once the Boot Record code executes, control is handed off to the operating system installed on that partition.

'''FATs'''

The primary task of the FATs is to keep track of the allocation status of clusters, or logical groupings of sectors, on the disk drive. There are four different possible FAT entries: allocated (along with the address of the next cluster associated with the file), unallocated, end of file, and bad sector.

In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system.

'''Root Directory'''

The Root Directory, sometimes referred to as the Root Folder, contains an entry for each file and directory stored in the file system. This information includes the file name, starting cluster number, and file size, and it is changed whenever a file is created or subsequently modified. The root directory has a fixed size of 512 entries on a hard disk; on a floppy disk its size varies.

'''Data Area'''

The Boot Record, FATs, and Root Directory are collectively referred to as the System Area. The remaining space on the logical drive is called the Data Area, which is where files are actually stored. It should be noted that when a file is deleted by the operating system, the data stored in the Data Area remains intact until it is overwritten.
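The following Python is an added example (mine, not code from either wiki page) that triages a volume's first sector: it reports the BitLocker <tt>-FVE-FS-</tt> signature or the NTFS signature, and otherwise decodes the FAT Boot Record fields named above (OEM identifier, number of FATs, media descriptor) to locate the FATs, the Root Directory and the Data Area. The BIOS Parameter Block offsets and the FAT12/16/32 cluster-count thresholds come from Microsoft's FAT specification, not from the page, and the three sample sectors are constructed.

```python
import struct

BDE_SIGNATURE = b"-FVE-FS-"      # 2D 46 56 45 2D 46 53 2D: BitLocker volume header signature
NTFS_SIGNATURE = b"NTFS    "

def identify_boot_sector(sector):
    """Classify a volume's first sector and, for FAT, compute the System Area layout."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return {"type": "unknown"}            # no boot-sector signature at all
    oem = sector[3:11]                        # OEM identifier field
    if oem == BDE_SIGNATURE:
        return {"type": "bitlocker", "oem": oem.decode()}
    if oem == NTFS_SIGNATURE:
        return {"type": "ntfs", "oem": oem.decode()}
    # BIOS Parameter Block fields (offsets from Microsoft's FAT specification, not the wiki page)
    bps, spc, reserved, nfats, root_entries, total16, media = struct.unpack_from("<HBHBHHB", sector, 11)
    fat_size = struct.unpack_from("<H", sector, 22)[0] or struct.unpack_from("<I", sector, 36)[0]
    total = total16 or struct.unpack_from("<I", sector, 32)[0]
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0 or fat_size == 0:
        return {"type": "unknown"}
    root_sectors = (root_entries * 32 + bps - 1) // bps        # 0 on FAT32
    root_start = reserved + nfats * fat_size                   # FATs sit right after the reserved area
    data_start = root_start + root_sectors                     # Data Area follows the Root Directory
    clusters = (total - data_start) // spc
    # The cluster count, not the label string, decides the variant (spec thresholds)
    variant = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"type": variant, "oem": oem.decode("ascii", "replace"),
            "bytes_per_sector": bps, "cluster_bytes": bps * spc, "fats": nfats,
            "media_descriptor": media, "fat_start": reserved, "root_start": root_start,
            "data_start": data_start, "clusters": clusters}

def _sector(jump, oem):
    """Helper: a constructed 512-byte sector with only jump code, OEM field and 0x55AA set."""
    s = bytearray(512)
    s[0:3], s[3:11], s[510:512] = jump, oem, b"\x55\xaa"
    return s

# Constructed sample sectors (not taken from any real image)
BITLOCKER_SECTOR = bytes(_sector(b"\xeb\x58\x90", BDE_SIGNATURE))
NTFS_SECTOR = bytes(_sector(b"\xeb\x52\x90", NTFS_SIGNATURE))
FAT16_SECTOR = _sector(b"\xeb\x3c\x90", b"MSDOS5.0")
# 512 B/sector, 4 sectors/cluster, 1 reserved sector, 2 FATs, 512 root entries,
# 40,000 total sectors, media descriptor 0xF8, 40 sectors per FAT
struct.pack_into("<HBHBHHBH", FAT16_SECTOR, 11, 512, 4, 1, 2, 512, 40000, 0xF8, 40)
FAT16_SECTOR = bytes(FAT16_SECTOR)

if __name__ == "__main__":
    for label, sec in [("bitlocker", BITLOCKER_SECTOR), ("ntfs", NTFS_SECTOR), ("fat16", FAT16_SECTOR)]:
        print(label, identify_boot_sector(sec))
```

On a real image, run it on the first 512 bytes of each partition; a BitLocker result means the BPB fields must not be trusted and the volume has to be unlocked before any FAT or NTFS parsing.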
'''Clusters'''

In order for FAT to manage files with satisfactory efficiency, it groups sectors into larger blocks referred to as clusters. A cluster is the smallest unit of disk space that can be allocated to a file, which is why clusters are often called allocation units. Cluster size is determined by the size of the disk volume, and every file must be allocated a whole number of clusters. Cluster sizing has a significant impact on performance and disk utilization: larger cluster sizes result in more wasted space because files are less likely to fill up a whole number of clusters exactly.

A cluster ranges in size from 4 sectors (2,048 bytes) to 64 sectors (32,768 bytes). The sectors in a cluster are contiguous, therefore each cluster is a contiguous block of space on the disk.

'''Wasted Sectors'''

Wasted Sectors are a result of the number of data sectors not being evenly divisible by the cluster size. They are made up of the unused bytes left at the end of a file. Small files on a hard drive are the reason for wasted space, and the bigger the hard drive, the more wasted space there is.

==Versions==

There are three variants of FAT in existence: FAT12, FAT16, and FAT32.

'''FAT12'''

* FAT12 is the oldest type of FAT; it uses a 12-bit file allocation table entry.
* FAT12 can hold a maximum of 4,086 clusters (which is 2<sup>12</sup> clusters minus a few values that are reserved for use in the FAT).
* It is used for floppy disks and hard drive partitions that are smaller than 16 MB.
* All 1.44 MB 3.5" floppy disks are formatted using FAT12.
* Cluster sizes range from 0.5 KB to 4 KB.

'''FAT16'''

* It is called FAT16 because all entries are 16 bits.
* FAT16 can hold a maximum of 65,536 addressable units (2<sup>16</sup>).
* It is used for small and moderately sized hard disk volumes.
* The actual capacity is 65,525 due to some reserved values.

'''FAT32'''

FAT32 is the enhanced version of the FAT system, implemented beginning with Windows 95 OSR2, Windows 98, and Windows Me. Features include:

* Drives of up to 2 terabytes are supported (Windows 2000 only supports up to 32 gigabytes).
* Since FAT32 uses smaller clusters (of 4 kilobytes each), it uses hard drive space more efficiently. This is a 10 to 15 percent improvement over FAT or FAT16.
* The limitations of FAT or FAT16 on the number of root folder entries have been eliminated. In FAT32, the root folder is an ordinary cluster chain, and can be located anywhere on the drive.
* File allocation table mirroring can be disabled in FAT32. This allows a copy of the file allocation table other than the default one to be active.

'''Comparison of FAT Versions'''

Table adapted from: http://en.wikipedia.org/wiki/File_Allocation_Table
<table cellpadding="2" border="1">
<tr bgcolor="lightgreen" align="center"><td bgcolor="white"></td><td><b>FAT12</b></td><td><b>FAT16</b></td><td><b>FAT32</b></td></tr>
<tr align="center"><th bgcolor="lightgrey">Developer</th><td colspan="3">Microsoft</td></tr>
<tr align="center"><th bgcolor="lightgrey" rowspan="2">Full Name</th><td colspan="3">File Allocation Table</td></tr>
<tr align="center"><td>(12-bit version)</td><td>(16-bit version)</td><td>(32-bit version)</td></tr>
<tr align="center"><th bgcolor="lightgrey">Introduced</th><td>1977 (Microsoft Disk BASIC)</td><td>July 1988 (MS-DOS 4.0)</td><td>August 1996 (Windows 95 OSR2)</td></tr>
<tr align="center"><th bgcolor="lightgrey">Partition identifier</th><td>0x01 (MBR)</td><td>0x04, 0x06, 0x0E (MBR)</td><td>0x0B, 0x0C (MBR)<br /><small>EBD0A0A2-B9E5-4433-87C0-68B6B72699C7</small> (GPT)</td></tr>
<tr bgcolor="lightgreen" align="center"><th>Structures</th><th><b>FAT12</b></th><th><b>FAT16</b></th><th><b>FAT32</b></th></tr>
<tr align="center"><th bgcolor="lightgrey">Directory contents</th><td colspan="3">Table</td></tr>
<tr align="center"><th bgcolor="lightgrey">File allocation</th><td colspan="3">Linked List</td></tr>
<tr align="center"><th bgcolor="lightgrey">Bad blocks</th><td colspan="3">Linked List</td></tr>
<tr bgcolor="lightgreen" align="center"><th>Limits</th><th><b>FAT12</b></th><th><b>FAT16</b></th><th><b>FAT32</b></th></tr>
<tr align="center"><th bgcolor="lightgrey">Max file size</th><td>32 MiB</td><td>2 GiB</td><td>4 GiB</td></tr>
<tr align="center"><th bgcolor="lightgrey">Max number of files</th><td>4,077</td><td>65,517</td><td>268,435,437</td></tr>
<tr align="center"><th bgcolor="lightgrey">Max filename size</th><td colspan="3">8.3 or 255 characters when using LFNs</td></tr>
<tr align="center"><th bgcolor="lightgrey">Max volume size</th><td>16 MiB</td><td>2 GiB for all (4 GiB for some)</td><td>32 GiB for all OS (2 TiB for some)</td></tr>
<tr align="center"><th bgcolor="lightgrey">Max clusters</th><td>4,080</td><td>65,520</td><td>4,177,918</td></tr>
<tr bgcolor="lightgreen" align="center"><th>Features</th><th><b>FAT12</b></th><th><b>FAT16</b></th><th><b>FAT32</b></th></tr>
<tr align="center"><th bgcolor="lightgrey">Dates recorded</th><td colspan="3">Creation, modified, access</td></tr>
<tr align="center"><th bgcolor="lightgrey">Date range</th><td colspan="3">January 1, 1980 - December 31, 2107</td></tr>
<tr align="center"><th bgcolor="lightgrey">Forks</th><td colspan="3">Not natively</td></tr>
<tr align="center"><th bgcolor="lightgrey">Unicode File Names</th><td colspan="3">System Character Set</td></tr>
<tr align="center"><th bgcolor="lightgrey">Attributes</th><td colspan="3">Read-only, hidden, system, volume label, subdirectory, archive</td></tr>
<tr align="center"><th bgcolor="lightgrey">Permissions</th><td colspan="3">No</td></tr>
<tr align="center"><th bgcolor="lightgrey">Transparent compression</th><td colspan="2">Per-volume, Stacker, DoubleSpace, DriveSpace</td><td>No</td></tr>
<tr align="center"><th bgcolor="lightgrey">Transparent encryption</th><td colspan="2">Per-volume only with DR-DOS</td><td>No</td></tr>
<tr bgcolor="lightgreen" align="center"><th>Overall Performance</th><th><b>FAT12</b></th><th><b>FAT16</b></th><th><b>FAT32</b></th></tr>
<tr align="center"><th bgcolor="lightgrey">Fault Tolerance</th><td>Minimal</td><td colspan="2">Average</td></tr>
<tr align="center"><th bgcolor="lightgrey">Disk Space Economy</th><td>Average</td><td>Minimal on large volumes</td><td>Max</td></tr>
</table>
==Applications of FAT==

Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the medium of choice for storing and transferring data in consumer electronic devices. The majority of flash memory storage is formatted using the FAT file system. In addition, FAT is also frequently used in electronic devices with miniature hard drives.

Examples of devices in which FAT is utilized include:

* USB thumb drives
* Digital cameras
* Digital camcorders
* Portable audio and video players
* Multifunction printers
* Electronic photo frames
* Electronic musical instruments
* Standard televisions
* PDAs
=Forensics Issues=

==Data Recovery==

Recovering directory entries from FAT file systems as part of [[recovering deleted data]] can be accomplished by looking for entries whose first byte is 0xE5 (displayed as a sigma, σ). When a file or directory is deleted under a FAT file system, the first character of its name is changed to 0xE5; the remainder of the directory entry information remains intact.

The FAT entries for each cluster used by the file are also changed to zero. Recovery tools look at the FAT to find the entry for the file; the location of the starting cluster is still there, neither deleted nor modified. The tool goes straight to that cluster and tries to recover the file using the file size as a determinant. Some tools go to the starting cluster and recover the next "X" clusters needed for the specific file size. However, this approach is not ideal. An ideal tool locates "X" available clusters; since files are most often fragmented, this is a more precise way to recover the file.

An issue arises when two files in the same run of clusters are deleted. If the clusters are not in sequential order, the tool will simply take the next "X" clusters; however, because the file was fragmented, it is likely that not all of the clusters obtained will contain data for that file. If the two deleted files lie in the same run of clusters, it is highly unlikely that the file can be recovered.

==File Slack==

File slack is the data that starts at the end of the written file and continues to the end of the sectors allocated to the file. There are two types of file slack: RAM slack and residual slack. RAM slack starts at the end of the file and goes to the end of that sector. Residual slack then starts at the next sector and goes to the end of the cluster allocated to the file. File slack is useful when analyzing a hard drive because old data not overwritten by the new file is still intact. See http://www.pcguide.com/ref/hdd/file/partSizes-c.html for examples.
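As an added example (not part of the wiki page), the following Python puts the Data Recovery and File Slack sections into code on a constructed FAT16 fragment: it decodes 32-byte directory entries, including one whose first byte was set to 0xE5, walks a FAT chain, contrasts the naive "next X clusters" recovery with taking the next X unallocated clusters, and computes RAM and residual slack. The 2,048-byte cluster size and the sample FAT and directory bytes are assumptions made for the example.

```python
import struct
from math import ceil

SECTOR = 512
CLUSTER = 4 * SECTOR                      # 2,048-byte clusters (4 sectors), assumed for this sample
FAT16_EOF, FAT16_BAD = 0xFFF8, 0xFFF7     # end-of-chain (>= 0xFFF8) and bad-sector markers; 0 = free

def make_entry(name, ext, start, size, deleted=False):   # 32-byte 8.3 directory entry
    raw_name = name.ljust(8).encode("ascii")
    raw_name = (b"\xe5" if deleted else raw_name[:1]) + raw_name[1:]   # deletion sets byte 0 to 0xE5
    return struct.pack("<8s3sB10sHHHI", raw_name, ext.ljust(3).encode("ascii"),
                       0x20, bytes(10), 0, 0, start, size)

def parse_directory(region):
    """Decode entries up to the 0x00 end-of-directory marker, keeping deleted ones."""
    entries = []
    for off in range(0, len(region) - 31, 32):
        raw = region[off:off + 32]
        if raw[0] == 0x00:
            break
        name = raw[:8].decode("ascii", "replace").rstrip()
        if raw[0] == 0xE5:                    # deleted: the original first character is lost
            name = "?" + name[1:]
        ext = raw[8:11].decode("ascii").rstrip()
        start, size = struct.unpack_from("<HI", raw, 26)   # starting cluster, file size
        entries.append({"name": f"{name}.{ext}" if ext else name, "start": start,
                        "size": size, "deleted": raw[0] == 0xE5})
    return entries

def fat16_chain(fat, start):   # walk the FAT linked list; stop at EOF, free/bad entry or loop
    chain, cur = [], start
    while 2 <= cur < len(fat) and cur not in chain:
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOF or nxt in (0, FAT16_BAD):
            break
        cur = nxt
    return chain

def recover_contiguous(start, size):   # naive: the next X clusters, allocated or not
    return list(range(start, start + max(1, ceil(size / CLUSTER))))

def recover_free(fat, start, size):   # better: the first X unallocated clusters from start on
    need, out = max(1, ceil(size / CLUSTER)), []
    for c in range(start, len(fat)):
        if fat[c] == 0:
            out.append(c)
            if len(out) == need:
                break
    return out

def slack(size):   # (RAM slack, residual slack) in bytes for a file of the given size
    ram = (-size) % SECTOR
    return ram, (-(size + ram)) % CLUSTER

# Constructed sample: LOG.TXT is live and fragmented (3 -> 5); NOTES.DOC was deleted and its
# FAT entries (6, 9, 10) zeroed; clusters 4 and 7 belong to other files; cluster 8 is bad.
FAT = [0xFFF8, 0xFFFF, 0, 5, 0xFFFF, 0xFFFF, 0, 0xFFFF, FAT16_BAD, 0, 0, 0]
DIRECTORY = make_entry("LOG", "TXT", 3, 3000) + make_entry("NOTES", "DOC", 6, 5000, True) + bytes(32)
```

For the deleted 5,000-byte file the naive strategy returns clusters 6, 7 and 8 (one allocated to another file, one bad), while the free-cluster strategy returns 6, 9 and 10.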
'''References:'''
----

* http://en.wikipedia.org/wiki/File_Allocation_Table
* http://www.microsoft.com
* http://www.ntfs.com
* http://www.ntfs.com/ntfs_vs_fat.htm
* http://support.microsoft.com/kb/q154997/#XSLTH3126121123120121120120
* http://www.dewassoc.com/kbase/hard_drives/boot_sector.htm
* http://www2.tech.purdue.edu/cpt/courses/cpt499s/
* http://home.no.net/tkos/info/fat.html
* http://www.ntfs.com/fat-systems.htm
* http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx
* http://support.microsoft.com/kb/q140418
''BitLocker Disk Encryption page: revision as of 01:00, 27 June 2013.''
