BitLocker Disk Encryption

From ForensicsWiki
'''BitLocker Disk Encryption''' (BDE) is a [[Full Volume Encryption]] solution by [[Microsoft]], first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]], together with a system for encrypting removable storage media, such as [[USB]] drives, called BitLocker To Go. Unlike the earlier versions of BitLocker, BitLocker To Go allows the user to protect a volume with a password or a smart card.

== BitLocker ==
Volumes encrypted with BitLocker do not carry the standard [[NTFS]] signature. Instead, their volume header (first sector) contains the signature <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>, at offset 3, the position where an NTFS volume carries its OEM identifier <tt>NTFS    </tt>.

These volumes can also be identified by the BitLocker GUID/UUID 4967d63b-2e29-4ad8-8399-f6a339e3d001, which is stored in the volume header.

The actual data on the encrypted volume is protected with 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used for the encryption, the Full Volume Encryption Key (FVEK), and, when the diffuser is in use, the TWEAK key, are stored in the BitLocker metadata on the protected volume. The FVEK and TWEAK keys are themselves encrypted with another key, the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata, each encrypted with a different key, known as a key-protector key. Some of the key protectors are:
* TPM (Trusted Platform Module)
* Smart card
* recovery password
* start-up key
* clear key; this key protector provides no protection, since the VMK is stored unencrypted (this is the state of a volume whose protection has been suspended)
* user password

BitLocker has support for partially encrypted volumes.
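As an added example, not code from the original page nor from libbde or dislocker, the following Python classifies the first sector of a volume by the signature and GUID described above and, for a BitLocker volume, reports where the FVE metadata blocks (which hold the encrypted FVEK and the VMK copies) start. The offsets of the GUID (0xA0) and of the three metadata block offsets (0xB0) are assumptions for this example taken from the libbde format specification linked under External Links, using the Windows 7 layout; the sample sectors are constructed in the script, not captured from a real disk.

```python
import struct
import uuid

# Signature bytes from the page: 2D 46 56 45 2D 46 53 2D == b"-FVE-FS-".
BDE_SIGNATURE = b"-FVE-FS-"
NTFS_OEM_ID = b"NTFS    "
# The well-known BitLocker volume identifier.
BITLOCKER_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")

# Layout assumptions (from the libbde BDE format specification, Windows 7 layout):
# the signature sits at offset 3, right after the 3-byte jump, where NTFS keeps its
# OEM ID; the volume GUID is 16 bytes at 0xA0 in Windows (mixed-endian) GUID byte
# order; three little-endian uint64 FVE metadata block offsets follow at 0xB0.
SIGNATURE_OFFSET = 3
GUID_OFFSET = 0xA0
METADATA_OFFSETS_OFFSET = 0xB0


def identify_volume(sector: bytes) -> dict:
    """Classify the first sector of a volume as NTFS, BitLocker or unknown.

    For a BitLocker volume the GUID and the three FVE metadata block offsets are
    returned, so the caller knows where the key material lives on the volume.
    """
    if len(sector) < 512:
        raise ValueError("need at least the first 512-byte sector")
    signature = sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 8]
    if signature == NTFS_OEM_ID:
        return {"type": "NTFS"}
    if signature != BDE_SIGNATURE:
        return {"type": "unknown"}
    guid = uuid.UUID(bytes_le=sector[GUID_OFFSET:GUID_OFFSET + 16])
    offsets = struct.unpack_from("<3Q", sector, METADATA_OFFSETS_OFFSET)
    return {
        "type": "BitLocker",
        "guid": str(guid),
        "guid_known": guid == BITLOCKER_GUID,
        "metadata_offsets": offsets,
    }


def build_sample_sector(signature: bytes, guid: uuid.UUID = None, offsets=()) -> bytes:
    """Construct a synthetic 512-byte boot sector for testing (not from a real disk)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x58\x90"        # typical x86 jump at the start of a boot sector
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 8] = signature
    if guid is not None:
        sector[GUID_OFFSET:GUID_OFFSET + 16] = guid.bytes_le
    for i, off in enumerate(offsets):
        struct.pack_into("<Q", sector, METADATA_OFFSETS_OFFSET + 8 * i, off)
    sector[510:512] = b"\x55\xAA"        # boot sector signature
    return bytes(sector)


# Constructed samples: a BitLocker volume header and a plain NTFS one.
BDE_SAMPLE_SECTOR = build_sample_sector(BDE_SIGNATURE, BITLOCKER_GUID,
                                        (0x2100000, 0x4200000, 0x6300000))
NTFS_SAMPLE_SECTOR = build_sample_sector(NTFS_OEM_ID)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python bde_ident.py /path/to/volume_or_image
        with open(sys.argv[1], "rb") as f:
            print(identify_volume(f.read(512)))
    else:
        print(identify_volume(BDE_SAMPLE_SECTOR))
        print(identify_volume(NTFS_SAMPLE_SECTOR))
```

When run against a raw image, point it at the volume (partition) start rather than the disk start, because the check reads the first sector of the volume. A signature match without a known GUID is still worth reporting: it flags a BitLocker-like header whose variant the script does not recognise.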
 
== BitLocker To Go ==
A volume encrypted with BitLocker To Go is a hybrid volume: one part is unencrypted and contains the application needed to unlock the volume, the other part holds the encrypted data. The unencrypted part, the "discovery drive" volume, contains the BitLocker To Go Reader, which allows reading (but not writing) the encrypted volume on versions of Microsoft [[Windows]] without BitLocker support.

== manage-bde ==
The <tt>manage-bde.exe</tt> command line tool must be run from an elevated (administrator) command prompt. To view the BitLocker Drive Encryption (BDE) status of all volumes on a running Windows system:
<pre>
manage-bde.exe -status
</pre>

To obtain the recovery password for volume C:
<pre>
manage-bde.exe -protectors -get C: -Type RecoveryPassword
</pre>

Or to list all key protectors for volume C:, together with their identifiers:
<pre>
manage-bde.exe -protectors -get C:
</pre>
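As an added example that is not part of the original page or of Microsoft's tooling, the Python below serves both the key-protector list in the BitLocker section above and the manage-bde commands just shown: it parses the text that <tt>manage-bde -protectors -get</tt> prints, pulls out the numerical password (recovery password) protector, and checks the well-formedness rule for a BitLocker recovery password, eight groups of six decimal digits, each divisible by 11 and below 720896 (11 * 2^16), so that each group divided by 11 fits in 16 bits. The eight 16-bit values, little-endian, give the 16-byte value from which BitLocker derives (by salted, iterated SHA-256 stretching, with the salt stored in the volume metadata) the key that unwraps the VMK; the stretching is not shown because the salt is not in the manage-bde output. The sample output is constructed here to match the English-locale layout, with made-up protector identifiers and a made-up password; the parser relies on that indentation and is an assumption, not a documented format.

```python
import re
import struct
from typing import Optional

# Constructed sample of `manage-bde.exe -protectors -get C:` output (English locale).
# The identifiers and the password are invented for this example.
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OS]
All Key Protectors

    TPM:
      ID: {B9F1C2A0-1111-4F2E-9E23-0A1B2C3D4E5F}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11

    Numerical Password:
      ID: {7D7C1A2B-2222-4C3D-8E4F-5A6B7C8D9E0F}
      Password:
        135795-597531-000011-720885-440000-045056-008547-360448
"""

# A protector type is a line indented by exactly four spaces ending in a colon.
PROTECTOR_RE = re.compile(r"^ {4}(\S[^:]*):\s*$")
ID_RE = re.compile(r"^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})\s*$")
PASSWORD_RE = re.compile(r"^\s*((?:\d{6}-){7}\d{6})\s*$")

# Each 6-digit group divided by 11 must fit in 16 bits.
BLOCK_LIMIT = 11 * 0x10000   # 720896


def parse_key_protectors(text: str) -> list:
    """Return one {'type', 'id', 'password'} dict per key protector in the output."""
    protectors = []
    current: Optional[dict] = None
    for line in text.splitlines():
        m = PROTECTOR_RE.match(line)
        if m:
            current = {"type": m.group(1).strip(), "id": None, "password": None}
            protectors.append(current)
            continue
        if current is None:
            continue
        m = ID_RE.match(line)
        if m:
            current["id"] = m.group(1)
            continue
        m = PASSWORD_RE.match(line)
        if m:
            current["password"] = m.group(1)
    return protectors


def is_valid_recovery_password(password: str) -> bool:
    """Well-formedness check: 8 groups of 6 digits, each a multiple of 11 below 720896."""
    blocks = password.split("-")
    if len(blocks) != 8 or not all(len(b) == 6 and b.isdigit() for b in blocks):
        return False
    return all(int(b) % 11 == 0 and int(b) < BLOCK_LIMIT for b in blocks)


def recovery_password_to_bytes(password: str) -> bytes:
    """Pack the eight (group / 11) values as little-endian uint16 into 16 bytes."""
    if not is_valid_recovery_password(password):
        raise ValueError("not a well-formed BitLocker recovery password")
    return b"".join(struct.pack("<H", int(b) // 11) for b in password.split("-"))


def recovery_keys_from_manage_bde(text: str) -> list:
    """(protector id, 16-byte value) for every valid numerical password in the output."""
    found = []
    for p in parse_key_protectors(text):
        if p["type"] == "Numerical Password" and p["password"]:
            if is_valid_recovery_password(p["password"]):
                found.append((p["id"], recovery_password_to_bytes(p["password"])))
    return found


if __name__ == "__main__":
    for protector_id, key in recovery_keys_from_manage_bde(SAMPLE_OUTPUT):
        print(protector_id, key.hex())
```

A transcribed recovery password that fails the divisibility check has a typo in the offending group; the check catches single-digit errors before any decryption attempt is made, which is why tools such as dislocker and libbde apply it when a recovery password is supplied.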
 
== See Also ==
* [[BitLocker:_how_to_image|BitLocker: How to image]]
* [[Defeating Whole Disk Encryption]]

== External Links ==
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
* [http://www.nvlabs.in/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html NVbit: Accessing BitLocker volumes from Linux], 2008
* Jesse D. Kornblum, [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', 2009
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8

== Tools ==
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[libbde]]

[[Category:Disk encryption]]
[[Category:Windows]]

Latest revision as of 23:38, 13 September 2013

Adrian Santangelo

[[File:AdrianSantangelo.jpg|200px|thumb|right|Adrian Santangelo]] Adrian Santangelo has over a decade of computer forensic experience which started with deep roots in information and network security. He has been a self-employed computer security and forensic consultant all his adult life. After starting ISC Unlimited as a computer security consulting firm in 1996, he quickly branched out to digital forensics and cyber sleuthing. He has been an active participant in many online forums and mailing list discussions, with plenty of information readily available about him with a simple Google search. (Much of his online security history has been done under an alias.)

He currently owns and operates Interpreting Technology, an information technology consulting firm. In February 2012, he was sworn in as a Skagit County Sheriff's Deputy, commissioned for computer crime and forensics. (He is currently a computer crime and forensic consultant to both law enforcement and attorneys.) His current career goal is to branch out as either a law enforcement team leader for digital forensics, focusing on northwest Washington state, or to continue to be a professional forensics consultant to the public and private sector. He is well known locally for his network security and computer repair talents. Currently held (or close to acquiring) certifications include: MCP, MNE, A+, Security+, Network+, MCSE, CCNA, CEH, CISSP, CFCE, CCE, and CHFI.

On this wiki, Adrian Santangelo is known as [[User:Adrian Santangelo]].

== External Links ==
* [http://www.ISC-Unlimited.com/ ISC Unlimited (no longer maintained)]
* [http://www.InterpretingTech.com/ Interpreting Technology]
* [http://www.skagitcounty.net/Common/asp/default.asp?d=Sheriff&c=General&p=main.htm Skagit County Sheriff's Department]
* [http://www.LinkedIn.com/in/AdrianSantangelo/ LinkedIn Profile]
* [http://www.facebook.com/InterpretingTech Business Facebook Page]
* [http://www.facebook.com/Adrian.Santangelo Personal Facebook Page]
* [http://adriansantangelo.brandyourself.com/ BrandYourself Profile]

[[Category:People]]