Difference between pages "BitLocker: how to image" and "Malware"

From ForensicsWiki

'''BitLocker: how to image'''

= Imaging Options =

There are multiple ways to image a computer with BitLocker security in place.

== Traditional Imaging ==

One can make a traditional image, with the image containing the encrypted information.

Options to decrypt the information offline, provided the password or recovery password is available, exist; some are:
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a long series of digits broken up into 8 segments:
<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>
There is no whitespace in the password, not even at the end.
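As an added example (not part of the original wiki page), the following Python helper normalizes and checks a recorded recovery password before it is handed to a tool such as dislocker or libbde. It goes slightly beyond the layout the page gives (eight six-digit groups, no whitespace): each six-digit group is a 16-bit value multiplied by 11, so a group that is not a multiple of 11, or that is 720896 or larger, is a transcription error, and the decoded values packed as little-endian 16-bit integers form the 16-byte material that decryption tools stretch into the actual recovery key. The function names and the sample password are constructed for this example.

```python
import re

GROUP_COUNT = 8            # the page: "8 segments"
GROUP_DIGITS = 6
CHECK_MULTIPLIER = 11      # each group is a 16-bit value times 11
MAX_GROUP_VALUE = 0x10000 * CHECK_MULTIPLIER   # 720896: first value that cannot fit 16 bits

_GROUP_RE = re.compile(r"\d{6}")   # exactly GROUP_DIGITS decimal digits


def normalize_recovery_password(text: str) -> str:
    """Remove all whitespace; a valid password contains none, not even a trailing newline."""
    return "".join(text.split())


def parse_recovery_password(text: str) -> bytes:
    """Validate the recovery password and return its 16-byte key material.

    Raises ValueError with the offending group so an examiner can re-check
    the recorded digits rather than wait for a failed decryption attempt.
    """
    groups = normalize_recovery_password(text).split("-")
    if len(groups) != GROUP_COUNT:
        raise ValueError(f"expected {GROUP_COUNT} groups separated by '-', got {len(groups)}")
    key = bytearray()
    for index, group in enumerate(groups, start=1):
        if not _GROUP_RE.fullmatch(group):
            raise ValueError(f"group {index} ({group!r}) is not {GROUP_DIGITS} digits")
        value = int(group)
        if value % CHECK_MULTIPLIER != 0 or value >= MAX_GROUP_VALUE:
            raise ValueError(f"group {index} ({group}) fails the checksum; re-check the recorded password")
        # Strip the checksum multiplier and pack the 16-bit value little-endian.
        key += (value // CHECK_MULTIPLIER).to_bytes(2, "little")
    return bytes(key)


def is_valid_recovery_password(text: str) -> bool:
    """True if the password passes both the layout and the per-group checksum tests."""
    try:
        parse_recovery_password(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: every group is a multiple of 11 and below 720896.
    SAMPLE = "000000-000011-000022-720885-123453-000110-012342-654324"
    print(parse_recovery_password(SAMPLE).hex())
    # The wiki's 123456-... placeholder is not a real password: 123456 is not a multiple of 11.
    print(is_valid_recovery_password("-".join(["123456"] * 8)))
```

Running the checksum test at collection time catches the common single-digit slips (a swapped or dropped digit) while the original machine is still available to re-display the password, which is cheaper than discovering the error later when the offline decryption fails.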
The recovery password can be recovered from a BitLocker-enabled computer provided it can be logged into, or if it is stored in escrow.

The basic steps are:
# Make a "traditional" full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone. (Booting from a clone has not been tested at this time.)
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from the command line.
## Record the password.
#:
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Simply enter it and continue.
## If you prefer to have an unencrypted image to work with other tools or to share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain unencrypted data.
## After adding the encrypted image to your case, right-click the drive in the left panel and select acquire. Select "do not add to case". You will be presented with a dialog window to enter new information about the image. Make sure the destination you select for the new image does not already exist.

== Live Imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image containing an encrypted BitLocker container.

Note that the phrase "physical" here corresponds directly with FTK Imager's use of the term in its image acquire menu.

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly with FTK Imager's use of the term in its image acquire menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

== See Also ==
* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]

'''Malware''' (revision as of 01:05, 21 October 2013)

'''Malware''' is a short version of '''Malicious Software'''.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets on the affected device. It is illegal to knowingly distribute malware.

== Virus ==

A computer program that can automatically copy itself and infect a computer.

== Worm ==

A self-replicating computer program that can automatically infect computers on a network.

== Trojan horse ==

A computer program that appears to perform one action but actually runs other, hidden code.

== Spyware ==

A computer program that can automatically intercept, or take partial control over, the user's interaction.

== Exploit Kit ==

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. It often relies on a drive-by-download.

=== Drive-by-download ===

Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].

== See Also ==

== External Links ==
* [http://en.wikipedia.org/wiki/Malware Wikipedia entry on malware]
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia drive-by-download]
* [http://www.viruslist.com/ Viruslist.com]
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware

=== Exploit Kit ===
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013

[[Category:Malware]]