Difference between pages "Residual Data on Used Equipment" and "BitLocker Disk Encryption"

From ForensicsWiki
(Difference between pages)
m (Used Hard Drives)
 
(External Links)
 
Line 1: Line 1:
Used hard drives are frequently a good source of images for testing forensic tools. That's because many individuals, companies and organizations neglect to properly sanitize their hard drives before they are sold on the secondary market.
+
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BTG allows the user to protect volumes with a password or smart card.
  
You can find used hard drives on eBay, at swap meets, yard sales, and even on the street.  
+
== BitLocker ==
 +
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
  
 +
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
  
=Media Accounts=
+
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
==Used Hard Drives==
+
* TPM (Trusted Platform Module)
 +
* Smart card
 +
* recovery password
 +
* start-up key
 +
* clear key; this key-protector provides no protection
 +
* user password
  
There have been several incidents in which individual have purchased a large number of hard drives and written about what they have found. This web page is an attempt to catalog all of those stories in chronological order.
+
BitLocker has support for partial encrypted volumes.
  
* '''2003-01''': [[Simson Garfinkel]] and Abhi Shelat at MIT publish a study in ''IEEE Security and Privacy Magazine''  which documents large amount of personal and business-sensitive information found on 150 drives purchased on the secondary market.
+
== BitLocker To Go ==
 +
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
  
* '''2006-06''': A man buys a family's hard drive at a fleamarket in Chicago after the family's hard drive is upgraded by Best Buy. Apparently somebody at Best Buy violated company policy and instead of destroying the hard drive, they sold it. [http://www.youtube.com/watch?v=pcyemfJ5H3o&NR Target 5 Investigation]
+
== manage-bde ==
 +
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
 +
<pre>
 +
manage-bde.exe -status
 +
</pre>
  
* '''2006-08-10''': The University of Glamorgan in Wales purchased 317 used hard drives from the UK, Australia, Germany, and the US. 25% of the 200 drives purchased from the UK market had been completely wiped. 40% of the purchased drives didn't work.  40% came from businesses, of which 23% contained enough information to identify the company. 5% had business sensitive information. 25% came from individuals, of which many had pornography, and 2 had to be referred to the police for suspected child pornography.
+
To obtain the recovery password for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C: -Type recoverypassword
 +
</pre>
  
* '''2006-08-14''': [http://news.bbc.co.uk/2/hi/business/4790293.stm BBC News] reports on bank account information recovered from used PC hard drives and being sold in Nigeria for £20 each. The PCs had apparently come from recycling points run by UK town councils that are then "recycled" by being sent to Africa.
+
Or just obtain the all “protectors” for volume C:
 +
<pre>
 +
manage-bde.exe -protectors -get C:
 +
</pre>
  
* '''2006-08-15''': Simson Garfinkel presents results of a study of 1000 hard drives (750 working) at the 2006 Workshop on Digital Forensics. Results of the study show that information can be correlated across hard drives using Garfinkel's [[Cross Drive Analysis]] approach.
+
== See Also ==
 +
* [[BitLocker:_how_to_image]]
 +
* [[Defeating Whole Disk Encryption]]
  
* '''2007-02-06''': [http://www.fulcruminquiry.com Fulcrum Inquiry], a Los Angeles litigation support firm, purchased 70 used hard drives from 14 firms and discovered confidential information on 2/3rds of the drives.
+
== External Links ==
  
* '''2007-08-30''': Bill Ries-Kinght, an IT consultant, purchases a 120GB Seagate hard drive on eBay for $69. Although the drive was advertised as being new, it apparently was previously used by the campaign of Mike Beebe, who won the Arkansas state governorship in November 2006. "Among the files were documents listing the private cell phone numbers of political allies, including US Senators Blanch Lincoln and Mark Pryor and US Representatives Marion Berry, Mike Ross and Vic Snyder. It also included talking points to guide the candidate as he called influential people whose support he sought," states an article published in [http://www.theregister.co.uk/2007/08/30/governors_data_sold_on_ebay/ The Register].
+
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit : Accessing Bitlocker volumes from linux], 2008
 +
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
 +
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
 +
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
 +
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
 +
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
 +
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
 +
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
 +
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
 +
* [http://code.google.com/p/libbde/ Project to read BitLocker encrypted volumes]
 +
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
  
* '''2008-01-28''': Gregory Evans, a security consultant in Marina Del Ray, Calif., bought a $500 computer at a swap meet from a former mortgage company. It contained credit reports on 300 people in a deleted file, according to an article published in [http://www.nydailynews.com/money/2008/01/28/2008-01-28_sensitive_info_lives_on_in_old_computers.html The New York Daily NEws]. The security consultant was also able to recover the usernames and passwords of the mortgage company's former employees.
+
[[Category:Disk encryption]]
 
+
[[Category:Windows]]
*'''2009-02-10''': Michael Kessler, CEO of Kessler International, a New York City forensics firm, bought 100 "relatively modern drives, the vast majority of them Serial ATA" from eBay over the course of 6 months. The drives ranged in size from 400GB to 300GB. 40% of the drives were found to contain sensitive data. [http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9127717&taxonomyId=19&intsrc=kc_top]
+
 
+
*'''2009-05-07''': University of Glamorgan bought disks in its annual survey of used hard drives and found "Details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system. [http://news.bbc.co.uk/2/hi/uk_news/wales/8036324.stm Missile data found on hard drives, BBC News, May 7, 2009]
+
 
+
*'''2009-07-30''': Reporters working for the PBS show Frontline on an article about electronic waste find hard drives in Ghana that contain "hundreds and hundreds of documents about government contracts" from a hard drive that had been previously used by a TSA subcontractor. The documents were marked "competitive sensitive" and covered contracts with the Defense Intelligence Agency. The hard drive was not encrypted.  [http://itworld.com/security/69758/reporters-find-northrop-grumman-data-ghana-market Robert McMillan, IT World, June 24, 2009]
+
 
+
==Cell Phones==
+
* [http://www.wired.com/techbiz/media/news/2003/08/60052 BlackBerry Reveals Bank's Secrets], Wired, August 8, 2005.
+
* [http://www.taipeitimes.com/News/feat/archives/2008/09/28/2003424400 Who has your old phone's data], Pete Warren, The Guardian, London, Sept. 28, 2008, page 13.
+
* [http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=8055902&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1 McCain Campaign Sells Info-Loaded Blackberry to FOX 5 Reporter], by Tisha Thompson and Rick Yarborough, FOX 5 Investigative Unit, 11 December 2008.  (See also [http://www.theregister.co.uk/2008/12/12/mccain_blackberry/])
+
 
+
==Cameras==
+
* [http://www.telegraph.co.uk/news/uknews/3107003/Camera-sold-on-eBay-contained-MI6-files.html Camera sold on eBay contained MI6 files], Jessica Salter, Telegraph, September 30, 2008.
+
 
+
==Network Equipment==
+
* [http://www.pcpro.co.uk/news/227190/council-sells-security-hole-on-ebay.html Council sells security hole on Ebay], Matthew Sparkes, PC Pro, September 29, 2008 - Kirkless Council (UK) sells a Cisco [[VPN]] 3002 Concentrator on Ebay for 99 pence. The device is purchased by Andrew Mason, a security consultant, who discovers that the Cisco [[VPN]] device still has the full configuration for the Kirkless Council and the device hasn't been deactivated.
+
 
+
==MP3 Players==
+
* [http://news.yahoo.com/s/ap/20090127/ap_on_re_as/as_new_zealand_us_military_files NZ man's MP3 player holds US military files], Associated Press, Jan 27, 2009. A man from New Zealand bought an MP3 player at a thrift shop in Oklahoma that had 60 US military files, "including names and telephone numbers for American soldiers."
+
 
+
=See Also=
+
[[Residual Data]]
+
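Review bot: the BitLocker GUID/UUID on the added line "These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00." has only 11 hexadecimal digits in its final group, where a GUID's final group has 12, so the value looks truncated. It should be checked against a primary source and corrected before anyone uses it as a search term. The same added text also has two wording slips worth fixing in the same edit: "also know as key-protector key" and "Or just obtain the all “protectors”".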

Revision as of 13:17, 18 May 2012

BitLocker Disk Encryption (BDE) is a Full Volume Encryption solution by Microsoft, first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7, along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go (BTG). Unlike previous versions of BitLocker, BTG allows the user to protect volumes with a password or smart card.

BitLocker

Volumes encrypted with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their volume header (first sector): 2D 46 56 45 2D 46 53 2D or, in ASCII, -FVE-FS-.
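The signature check described above can be automated when triaging a disk image. The following Python code is an added example, not part of the original wiki page: it walks the MBR partition table of an image and labels each partition's first sector. It assumes 512-byte sectors and that the signature sits at offset 3 of the first sector (the OEM ID field after the jump instruction), which the page does not state; the sample image is constructed for the example.

```python
import io
import struct

SECTOR = 512
BDE_SIG = b"-FVE-FS-"    # 2D 46 56 45 2D 46 53 2D, as given on the page
NTFS_SIG = b"NTFS    "   # OEM ID of an unencrypted NTFS volume
SIG_OFFSET = 3           # assumption: signature follows the 3-byte jump

def classify_boot_sector(sector: bytes) -> str:
    """Label a volume's first sector by the 8-byte signature at offset 3."""
    if len(sector) < SIG_OFFSET + 8:
        return "short-read"
    sig = sector[SIG_OFFSET:SIG_OFFSET + 8]
    if sig == BDE_SIG:
        return "bitlocker"
    if sig == NTFS_SIG:
        return "ntfs"
    return "unknown"

def scan_mbr_image(img) -> list:
    """Return (partition_index, start_lba, label) for each MBR entry in use."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    results = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, nsectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or nsectors == 0:
            continue  # unused partition slot
        img.seek(start_lba * SECTOR)
        results.append((i, start_lba, classify_boot_sector(img.read(SECTOR))))
    return results

def build_sample_image() -> io.BytesIO:
    """Constructed test image: partition 0 is NTFS, partition 1 carries -FVE-FS-."""
    def boot(sig): return (b"\xeb\x58\x90" + sig).ljust(510, b"\0") + b"\x55\xaa"
    def entry(ptype, lba, n): return struct.pack("<B3sB3sII", 0, b"\0" * 3, ptype, b"\0" * 3, lba, n)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x07, 1, 1)
    mbr[462:478] = entry(0x07, 2, 1)
    mbr[510:512] = b"\x55\xaa"
    return io.BytesIO(bytes(mbr) + boot(NTFS_SIG) + boot(BDE_SIG))

if __name__ == "__main__":
    for idx, lba, label in scan_mbr_image(build_sample_image()):
        print(f"partition {idx} @ LBA {lba}: {label}")
```

To run it against a real image, pass a file opened in binary read mode to scan_mbr_image; GPT-partitioned disks need a different table parser.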

These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.

The actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also known as a key-protector key. Some of the key-protectors are:

  • TPM (Trusted Platform Module)
  • Smart card
  • recovery password
  • start-up key
  • clear key; this key-protector provides no protection
  • user password

BitLocker supports partially encrypted volumes.

BitLocker To Go

Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft Windows without BitLocker support.

manage-bde

To view the BitLocker Drive Encryption (BDE) status on a running Windows system:

manage-bde.exe -status

To obtain the recovery password for volume C:

manage-bde.exe -protectors -get C: -Type recoverypassword

Or obtain all “protectors” for volume C:

manage-bde.exe -protectors -get C:

See Also

External Links