Difference between pages "Hacking BootCamp: Exploits and Live Incident Investigation" and "BitLocker Disk Encryption"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(New page: '''Hacking BootCamp for Investigators''' [https://www.wetstonetech.com/cgi/shop.cgi?view,13] == == Hacking BootCamp for Investigators is designed for those responsible for cyber crime...)
 
(External Links)
 
Line 1: Line 1:
'''Hacking BootCamp for Investigators''' [https://www.wetstonetech.com/cgi/shop.cgi?view,13]
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
 +
== BitLocker ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
  
==  ==
+
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
  
Hacking BootCamp for Investigators is designed for those responsible for cyber crime investigation who must posses a breadth of knowledge regarding the latest technologies, techniques and methodologies in use by cyber criminals. The most effective approach to get into the mind of cyber criminals is to utilize their tools and technologies in a hands-on environment and become familiar with the fundamental hacking process. This four day course is structured with interactive lab environments to allow students to work together and experience real investigative scenarios. Learn how to become the lead investigator in your office and learn to stay one step ahead of the criminals.
+
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
'''Classroom Environment'''
+
BitLocker has support for partial encrypted volumes.
  
WetStone has created a unique virtualized cyber-safe environment where investigator and IT professionals can use and experiment with some of the best ..
+
== BitLocker To Go ==
 
+
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
▫ Botnet       ▫ Password Cracking
+
▫ Rootkit       ▫ Trojan
+
▫ WORM Developing       ▫ Phishing
+
▫ Cracking       ▫ Wireless Surveillance
+
▫ Steganography              ▫ Sidejacking
+
▫ AntiForensic Tool       ▫ Denial of Service
+
  
This unique real time environment provides investigators with direct access and experience with both the cyber weapons and the latest investigation techniques to uncover nefarious activities quickly and efficiently.
+
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
  
 +
To obtain the recovery password for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C: -Type recoverypassword
 +
</pre>
  
'''Skills Learned'''
+
Or just obtain the all “protectors” for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C:
 +
</pre>
  
Upon completion of the course, students will have gained knowledge in the fundamentals of malicious software as it pertains to the hacking process.
+
== See Also ==
 +
* [[BitLocker:_how_to_image]]
 +
* [[Defeating Whole Disk Encryption]]
  
▫ Offensive planning and execution of cyber weapons
+
== External Links ==
▫ Investigative tools and techniques
+
▫ Cyber weapon identification
+
▫ Evidence extraction
+
▫ Malicious software analysis using Gargoyle Investigator™
+
  
Our trainers take you inside the minds of today’s criminals and students completeing the class will be able to execute a full investigation in the respective discipline. Participants proficiency in the above skills will be tested with certification exams.
+
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
 +
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
 +
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
  
 +
== Tools ==
 +
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[libbde]]
  
----
+
[[Category:Disk encryption]]
 
+
[[Category:Windows]]
'''Contact Information:'''
+
 
+
1-877-WETSTONE ext. 2
+
 
+
www.wetstonetech.com [https://www.wetstonetech.com/index.html]
+

Revision as of 02:00, 27 June 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

BitLocker

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their volume header (first sector): 2D 46 56 45 2D 46 53 2D or, in ASCII, -FVE-FS-.

These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.

The actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools