Difference between pages "Hacking BootCamp: Exploits and Live Incident Investigation" and "BitLocker Disk Encryption"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
(External Links)
 
Line 1: Line 1:
'''Hacking BootCamp:  Exploits and Live Incident Investigation''' [http://www.wetstonetech.com/cgi-bin/shop.cgi?view,21]
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
  
 +
== BitLocker ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
  
==  ==
+
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
  
WetStone has engineered a three-day interactive lab environment that allows each student to experience real investigative  scenarios in a cyber safe environment. WetStone’s multi-pronged approach to this bootcamp allows each student to utilize the latest tools and technologies used by today’s criminals, and to practice the requisite live approach to investigation. This learning environment is the most effective approach to acquiring deep knowledge regarding both the latest threats and to  practice in live investigation techniques and methodologies.
+
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 
+
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
'''Classroom Environment'''
+
BitLocker has support for partial encrypted volumes.
  
WetStone has created a unique virtualized cyber-safe environment where investigator and IT professionals can use and experiment with some of the best ..
+
== BitLocker To Go ==
 
+
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
▫ Botnet      
+
▫ Rootkit      
+
▫ Wireless Cracking      
+
▫ Live Triage             
+
▫ Memory Analysis      
+
▫ Live Triage             
+
▫ Memory Analysis
+
▫ Log Analysis
+
▫ Process Port Linkage
+
  
 +
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
  
Our trainers take you inside the minds of today’s criminals and students completeing the class will be able to execute a full investigation in the respective discipline. Participants proficiency in the above skills will be tested with certification exams.
+
To obtain the recovery password for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C: -Type recoverypassword
 +
</pre>
  
 +
Or just obtain the all “protectors” for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C:
 +
</pre>
  
----
+
== See Also ==
 +
* [[BitLocker:_how_to_image]]
 +
* [[Defeating Whole Disk Encryption]]
  
'''Contact Information:'''
+
== External Links ==
  
1-877-WETSTONE ext. 2
+
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
 +
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
 +
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
  
www.wetstonetech.com [https://www.wetstonetech.com/index.html]
+
== Tools ==
 +
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[libbde]]
 +
 
 +
[[Category:Disk encryption]]
 +
[[Category:Windows]]

Revision as of 01:00, 27 June 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

Contents

BitLocker

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their volume header (first sector): 2D 46 56 45 2D 46 53 2D or, in ASCII, -FVE-FS-.

These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.

The actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools