Difference between pages "BitLocker Disk Encryption" and "Windows Shadow Volumes"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(How to detect)
 
(How to analyze Shadow Volumes)
 
Line 1: Line 1:
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
+
{{expand}}
  
== BitLocker ==
+
==Volume Shadow Copy Service==
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
+
Windows has included the Volume Shadow Copy Service in it's releases since Windows XP. The Shadow Copy Service creates differential backups periodically to create restore points for the user.  Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].
* TPM (Trusted Platform Module)
+
* Smart card
+
* recovery password
+
* start-up key
+
* clear key; this key-protector provides no protection
+
* user password
+
  
BitLocker has support for partial encrypted volumes.
+
In Windows 8 the shadow volumes seem to have been superseded by File History. For now it looks like it uses similar structures as its predecessors.
  
=== BitLocker To Go ===
+
== Also see ==
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
+
* [[Windows]]
 +
* [[Windows File History | File History]]
 +
* How to: [[Mount shadow volumes on disk images]]
  
== How to detect ==
+
== External Links ==
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.
+
  
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
+
=== How to analyze Shadow Volumes ===
 +
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
 +
* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
 +
* [http://windowsir.blogspot.ch/2011/01/more-vscs.html More VSCs], by [[Harlan Carvey]], January 2011
 +
* [http://journeyintoir.blogspot.ch/2011/04/little-help-with-volume-shadow-copies.html A Little Help with Volume Shadow Copies], by [[Corey Harrell]], April 2011
 +
* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
 +
* [http://windowsir.blogspot.ch/2011/09/howto-mount-and-access-vscs.html HowTo: Mount and Access VSCs], by [[Harlan Carvey]], September 2011
 +
* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
 +
* [http://journeyintoir.blogspot.ch/2012/01/ripping-volume-shadow-copies.html Ripping Volume Shadow Copies – Introduction], by [[Corey Harrell]], January 2012
 +
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-method.html Ripping VSCs – Practitioner Method], by [[Corey Harrell]], February 2012
 +
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-examples.html Ripping VSCs – Practitioner Examples], by [[Corey Harrell]], February 2012
 +
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-method.html Ripping VSCs – Developer Method], by [[Corey Harrell]], February 2012
 +
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-examples.html Ripping VSCs – Developer Examples], by [[Corey Harrell]], February 2012
 +
* [http://journeyintoir.blogspot.ch/2012/02/examining-vscs-with-gui-tools.html Examining VSCs with GUI Tools], by [[Corey Harrell]], February 2012
 +
* [http://dfstream.blogspot.ch/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html VSC Toolset: A GUI Tool for Shadow Copies], by [[Jason Hale]], March 2012
 +
* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
 +
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
 +
* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
 +
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
 +
* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examime Shadow Volumes?”], by [[Jimmy Weg]], August 2012
 +
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre "Examining shadow copies with Reconnoitre (and without vssadmin), it's as easy as 1, 2, 3"], by [[Paul Sanderson]], January 2013
  
A hexdump of the start of the volume should look similar to:
+
* [http://computerforensicsblog.champlain.edu/2014/02/05/volume-shadow-copy-part-2/ Volume Shadow Copy Part 2], by Ryan Montelbano, Scott Barrett, Jacob Blend, February 5, 2014
<pre>
+
* [http://computerforensicsblog.champlain.edu/2014/02/26/volume-shadow-copy-part-3/ Volume Shadow Copy Part 3], by Scott Barrett, February 26, 2014
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
+
* [http://computerforensicsblog.champlain.edu/2014/03/26/volume-shadow-copy-part-4/ Volume Shadow Copy Part 4], by Ryan Montelbano, March 26, 2014
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
+
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
+
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
+
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32  3.....|
+
</pre>
+
  
These volumes can also be identified by a GUID:
+
=== Shadow Volumes in depth ===
* for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00
+
* [http://www.qccis.com/docs/publications/WP-VSS.pdf Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7], by [[James Crabtree]] and [[Gary Evans]], 2010
* for BitLocker ToGo 4967d63b-2e29-4ad8-8399-f6a339e3d01.
+
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
 
+
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Volume%20Shadow%20Snapshot%20(VSS)%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow project]], March 2011
Which in a hexdump of the start of the volume should look similar to:
+
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Paper%20-%20Windowless%20Shadow%20Snapshots.pdf Windowless Shadow Snapshots - Analyzing Volume Shadow Snapshots (VSS) without using Windows] and [http://www.basistech.com/about-us/events/open-source-forensics-conference/ OSDFC 2012] [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Slides%20-%20Windowless%20Shadow%20Snapshots.pdf Slides], by [[Joachim Metz]], October 2012
<pre>
+
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
+
</pre>
+
 
+
== manage-bde ==
+
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
+
<pre>
+
manage-bde.exe -status
+
</pre>
+
 
+
To obtain the recovery password for volume C:
+
<pre>
+
manage-bde.exe -protectors -get C: -Type recoverypassword
+
</pre>
+
 
+
Or just obtain the all “protectors” for volume C:
+
<pre>
+
manage-bde.exe -protectors -get C:
+
</pre>
+
 
+
== See Also ==
+
* [[BitLocker:_how_to_image|BitLocker: How to image]]
+
* [[Defeating Whole Disk Encryption]]
+
 
+
== External Links ==
+
  
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
+
=== Other ===
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
+
* [http://lanmaster53.com/talks/#hack3rcon2 Lurking in the Shadows – Hack3rcon II]
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
+
* [http://pauldotcom.com/2012/10/volume-shadow-copies---the-los.html Volume Shadow Copies - The Lost Post], [[Mark Baggett]], October 2012
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
+
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
+
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
+
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
+
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
+
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
+
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
+
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
+
  
 
== Tools ==
 
== Tools ==
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
+
* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
* [[libbde]]
+
* [[libvshadow]]
 +
* [[ProDiscover]]
 +
* [http://www.shadowexplorer.com/ ShadowExplorer]
 +
* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
 +
* [[X-Ways AG|X-Ways Forensics]]
 +
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre Reconnoitre]
  
[[Category:Disk encryption]]
+
[[Category:Volume Systems]]
[[Category:Windows]]
+

Latest revision as of 11:36, 7 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Volume Shadow Copy Service

Windows has included the Volume Shadow Copy Service in it's releases since Windows XP. The Shadow Copy Service creates differential backups periodically to create restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to mount shadow volumes on disk images.

In Windows 8 the shadow volumes seem to have been superseded by File History. For now it looks like it uses similar structures as its predecessors.

Also see

External Links

How to analyze Shadow Volumes

Shadow Volumes in depth

Other

Tools