BitLocker Disk Encryption
IndicatorDrives protected with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their first sector:
EB 52 90 2D 46 56 45 2D 46 53 2Dor, in ASCII,
The program uses either 128 or 256 AES with an elephant diffuser. See the links section for full details.
- Conducting forensic analysis on BitLocker protected volumes was discussed in the paper Implementing BitLocker for Forensic Analysis.
- Wikipedia entry on BitLocker
- Microsoft's Step by Step Guide
- Microsoft Technical Overview
- Microsoft FAQ
- Microsoft Description of the Encryption Algorithm
- Cold Boot Attacks, Full Disk Encryption, and BitLocker