Difference between pages "Upcoming events" and "BitLocker Disk Encryption"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
(How to detect)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
== BitLocker ==
 +
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
 +
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
This listing is divided into three sections (described as follows):<br>
+
BitLocker has support for partial encrypted volumes.
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>
+
  
== Calls For Papers ==
+
=== BitLocker To Go ===
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
+
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
== How to detect ==
|- style="background:#bfbfbf; font-weight: bold"
+
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.  
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|CyberPatterns 2014
+
|Jan 03, 2014
+
|Jan 17, 2014
+
|http://tech.brookes.ac.uk/CyberPatterns2014/CFPCyberpatterns2014.pdf
+
|-
+
|12th International Conference on Applied Cryptography and Network Security
+
|Jan 10, 2014
+
|Mar 14, 2014
+
|http://acns2014.epfl.ch/callpapers.php
+
|-
+
|9th Annual Conference on Digital Forensics, Security and Law
+
|Jan 15, 2014
+
|
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|USENIX Annual Technical Conference
+
|Jan 28, 2014
+
|Apr 07, 2014
+
|https://www.usenix.org/conference/atc14/call-for-papers
+
|-
+
|Audio Engineering Society (AES) Conference on Audio Forensics
+
|Jan 31, 2014
+
|Mar 15, 2014
+
|http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf
+
|-
+
|DFRWS - USA 2014
+
|Feb 13, 2014
+
|Apr 07, 2014
+
|http://dfrws.org/2014/cfp.shtml
+
|-
+
|}
+
  
See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']
+
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
  
== Conferences ==
+
A hexdump of the start of the volume should look similar to:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
! width="40%"|Title
+
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
! width="20%"|Date/Location
+
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
! width="40%"|Website
+
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
|-
+
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
|IFIP WG 11.9 International Conference on Digital Forensics
+
00000050  20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4  | FAT32  3.....|
|Jan 08-10<br>Vienna, Austria
+
</pre>
|http://www.ifip119.org/Conferences/
+
|-
+
|AAFS 66th Annual Scientific Meeting
+
|Feb 17-22<br>Seattle, WA, USA
+
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
+
|-
+
|21st Network & Distributed System Security Symposium
+
|Feb 23-26<br>San Diego, CA, USA
+
|http://www.internetsociety.org/events/ndss-symposium
+
|-
+
|Fourth ACM Conference on Data and Application Security and Privacy 2014
+
|Mar 03-05<br>San Antonio, TX, USA
+
|http://www1.it.utsa.edu/codaspy/
+
|-
+
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
+
|Mar 24-25<br>West Lafayette, IN, USA
+
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
+
|-
+
|CyberPatterns 2014
+
|Apr 11<br>Oxford, United Kingdom
+
|http://tech.brookes.ac.uk/CyberPatterns2014/
+
|-
+
|US Cyber Crime Conference 2014
+
|Apr 29-May 02<br>Leesburg, VA
+
|http://www.usacybercrime.com/
+
|-
+
|DFRWS-Europe 2014
+
|May 07-09<br>Amsterdam, Netherlands
+
|http://dfrws.org/2014eu/index.shtml
+
|-
+
|8th International Conference on IT Security Incident Management & IT Forensics
+
|May 12-14<br>Muenster, Germany
+
|http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2014/
+
|-
+
|2014 IEEE Symposium on Security and Privacy
+
|May 16-23<br>Berkley, CA, USA
+
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
+
|-
+
|9th ADFSL Conference on Digital Forensics, Security and Law
+
|May 28-29<br>Richmond, VA
+
|http://www.digitalforensics-conference.org/
+
|-
+
|Techno-Security and Forensics Conference
+
|Jun 01-04<br>Myrtle Beach, SC, USA
+
|http://www.techsec.com/html/Security%20Conference%202014.html
+
|-
+
|Mobile Forensics World
+
|Jun 01-04<br>Myrtle Beach, SC, USA
+
|http://www.techsec.com/html/MFC-2014-Spring.html
+
|-
+
|12th International Conference on Applied Cryptography and Network Security
+
|Jun 10-13<br>Lausanne, Switzerland
+
|http://acns2014.epfl.ch/
+
|-
+
|54th Conference on Audio Forensics
+
|Jun 12-14<br>London, England
+
|http://www.aes.org/conferences/54/
+
|-
+
|2014 USENIX Annual Technical Conference
+
|Jun 19-20<br>Philadelphia, PA, USA
+
|https://www.usenix.org/conference/atc14
+
|-
+
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
+
|Jun 23-26<br>Atlanta, GA, USA
+
|http://www.dsn.org/
+
|-
+
|Symposium On Usable Privacy and Security (SOUPS) 2014
+
|Jul 09-11<br>Menlo Park, CA, USA
+
|http://cups.cs.cmu.edu/soups/2013/
+
|-
+
|Black Hat USA 2014
+
|Aug 02-07<br>Las Vegas, NV, USA
+
|https://www.blackhat.com
+
|-
+
|DFRWS 2014
+
|Aug 03-06<br>Denver, CO, USA
+
|http://dfrws.org/2014/index.shtml
+
|-
+
|RCFG GMU 2014
+
|Aug 04-08<br>Fairfax, VA, USA
+
|http://www.rcfg.org/gmu/
+
|-
+
|23rd USENIX Security Symposium
+
|Aug 20-22<br>San Diego, CA, USA
+
|https://www.usenix.org/conferences
+
|-
+
|25th Annual Conference & Digital Multimedia Evidence Training Symposium
+
|Oct 06-10<br>Coeur d’Alene, ID, USA
+
|http://www.leva.org/annual-training-conference/
+
|-
+
|}
+
  
==See Also==
+
These volumes can also be identified by a GUID:
* [[Training Courses and Providers]]
+
* for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00
==References==
+
* for BitLocker ToGo 4967d63b-2e29-4ad8-8399-f6a339e3d01.
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
 
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
Which in a hexdump of the start of the volume should look similar to:
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
<pre>
 +
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
 +
</pre>
 +
 
 +
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
 +
 
 +
To obtain the recovery password for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C: -Type recoverypassword
 +
</pre>
 +
 
 +
Or just obtain the all “protectors” for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C:
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[BitLocker:_how_to_image|BitLocker: How to image]]
 +
* [[Defeating Whole Disk Encryption]]
 +
 
 +
== External Links ==
 +
 
 +
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
 +
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
 +
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
 +
 
 +
== Tools ==
 +
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 +
* [[libbde]]
 +
 
 +
[[Category:Disk encryption]]
 +
[[Category:Windows]]

Revision as of 13:30, 23 December 2013

BitLocker Disk Encryption (BDE) is Full Volume Encryption solution by Microsoft first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.

Contents

BitLocker

BitLocker encrypts data with either 128-bit or 256-bit AES and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker has support for partial encrypted volumes.

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

How to detect

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header.

A BitLocker encrypted volume starts with the "-FVE-FS-" signature.

A hexdump of the start of the volume should look similar to:

00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32   3.....|

These volumes can also be identified by a GUID:

  • for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00
  • for BitLocker ToGo 4967d63b-2e29-4ad8-8399-f6a339e3d01.

Which in a hexdump of the start of the volume should look similar to:

000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or just obtain the all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links

Tools