Difference between pages "Timestomp" and "BitLocker Disk Encryption"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(External Links)
 
Line 1: Line 1:
{{Expand}}
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
[[Image:timestomp_mace.jpg|thumb|100px|right|Timestomp MACE Values]] Timestomp is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of time stamp-related information on files.  Take for example the following screenshot of a command prompt window displaying the MACE values for a document file titled "text.txt".  There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the Operating system or manually by the user.
+
== BitLocker ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
  
 +
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
  
[[Image:timestomp_mace_change.jpg|thumb|100px|right|Timestomp MACE Change]] Using the Timestomp application, I have completely changed the modified date and time stamp (i.e., evidenced by the second screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.
+
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
 +
BitLocker has support for partial encrypted volumes.
  
[[Image:timestomp_mace_change_proof.jpg|thumb|100px|right|Timestomp MACE Change Proof]] Here is a final screenshot of the Operating System's interpretation of the Modified time stamp. It reflects the change exactly.
+
== BitLocker To Go ==
 +
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
  
 +
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
  
Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system.  Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glace.
+
To obtain the recovery password for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C: -Type recoverypassword
 +
</pre>
 +
 
 +
Or just obtain the all “protectors” for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C:
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[BitLocker:_how_to_image]]
 +
* [[Defeating Whole Disk Encryption]]
  
 
== External Links ==
 
== External Links ==
* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Download Timestomp.exe]
 
* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]
 
  
[[Category:Anti-forensics tools]]
+
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
 +
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
 +
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
 +
 
 +
== Tools ==
 +
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[libbde]]
 +
 
 +
[[Category:Disk encryption]]
 +
[[Category:Windows]]

Revision as of 02:00, 27 June 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

BitLocker

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their volume header (first sector): 2D 46 56 45 2D 46 53 2D or, in ASCII, -FVE-FS-.

These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.

The actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools