Difference between pages "BitLocker: how to image" and "Windows Vista"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(See Also)
 
(External Links)
 
Line 1: Line 1:
 +
== New Features ==
 +
* [[BitLocker Disk Encryption | BitLocker]]
 +
* [[Windows Desktop Search | Search]] integrated in operating system
 +
* [[ReadyBoost]]
 +
* [[SuperFetch]]
 +
* [[NTFS|Transactional NTFS (TxF)]]
 +
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 +
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
  
= Imaging Options =
+
== File System ==
 +
The file system used by Windows Vista is primarily [[NTFS]].
  
There are multiple ways to image a computer with BitLocker security in place, namely:
+
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:
* Offline imaging
+
<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem</pre>
* Live imaging
+
  
== Offline imaging ==
+
Note that this feature has been around since as early as Windows 2000 [http://technet.microsoft.com/en-us/library/cc959914.aspx].
  
One can make an offline image with the image containing encrypted information.
+
== Registry ==
 +
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows Vista operating system.
  
Multiple options to offline decrypt the information, provided the password or recovery password is available, are available. Some of which are:
+
== See Also ==
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
+
* [[Windows]]
* [[EnCase]] (as of version 6) with the (optional) encryption module
+
* [[Windows 7]]
* [[libbde]]
+
* [[Windows 8]]
  
The recovery password is a long series of digits broken up into 8 segments.
+
== External Links ==
<pre>
+
* [https://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf Windows Vista Network Attack Surface Analysis], James Hoagland, Matt Conover, Tim Newsham, Ollie Whitehouse
123456-123456-123456-123456-123456-123456-13456-123456
+
</pre>
+
 
+
Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.
+
 
+
The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into e.g. by running:
+
<pre>
+
manage-bde.exe -protectors -get C: -Type recoverypassword
+
</pre>
+
 
+
The basic steps are:
+
 
+
# Make an offline full disk image.
+
# Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone.  (booting from a clone has not been tested at this time.)
+
## Once booted log into the computer
+
## Use the BitLocker control panel applet to display the password.  This can also be done from the command-line.
+
## record the password
+
#:
+
# For EnCase v6 or higher with the encryption module installed
+
## Load the image into EnCase
+
## You will be prompted for the password.  Simply enter it and continue.
+
## If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase.  The new image will have unencrypted data.
+
## After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire.  Select "do not add to case".  You will be presented a dialog window to enter new information about the image.  Make sure the destination you select for your new image does not exist.
+
 
+
== Live imaging ==
+
 
+
=== FTK Lite ===
+
==== Imaging of a physical drive ====
+
 
+
Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.
+
 
+
Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
+
 
+
==== Imaging of a logical partition ====
+
 
+
I was able to add a partition and create an image in which the data was unencrypted.
+
 
+
Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
+
 
+
==== Files and Folders collections ====
+
 
+
This was not attempted, but it seems reasonable to assume this will collect unencrypted files.
+
 
+
 
+
=== X-Ways ===
+
==== Imaging of a physical drive ====
+
 
+
X-Ways support states this is not supported.
+
 
+
==== Imaging of a logical partition ====
+
 
+
X-Ways support states that this should work.
+
 
+
In at least one instance, I was able to add C: drive (not the physical disk, just the partition) and create an image that could in turn be processed by X-Ways.  Both existing and deleted files were available within X-Ways after processing.
+
 
+
There has been atleast one report on the X-Ways forum that this feature does not work, so it may not work for all configurations of bitlocker.
+
 
+
== See Also ==
+
* [[BitLocker Disk Encryption]]
+
* [[Defeating Whole Disk Encryption]]
+
  
[[Category:Disk encryption]]
+
[[Category:Operating systems]]
[[Category:Howto]]
+
[[Category:Windows]]
+

Revision as of 11:04, 17 September 2013

Contents

New Features

File System

The file system used by Windows Vista is primarily NTFS.

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Note that this feature has been around since as early as Windows 2000 [1].

Registry

The Windows Registry remains a central component of the Windows Vista operating system.

See Also

External Links