Difference between pages "BitLocker Disk Encryption" and "Windows Prefetch File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Tools)
 
 
Line 1: Line 1:
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
+
{{expand}}
  
== BitLocker ==
+
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
+
* TPM (Trusted Platform Module)
+
* Smart card
+
* recovery password
+
* start-up key
+
* clear key; this key-protector provides no protection
+
* user password
+
  
BitLocker has support for partial encrypted volumes.
+
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
 +
of multiple prefetch files.
  
=== BitLocker To Go ===
+
== Characteristics ==
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
+
Integer values are stored in little-endian.
  
== How to detect ==
+
Strings are stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.  
+
  
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
+
Timestamps are stored as [http://msdn2.microsoft.com/en-us/library/ms724284.aspx Windows FILETIME] in UTC.
  
A hexdump of the start of the volume should look similar to:
+
== File header ==
<pre>
+
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
+
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
+
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
+
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
+
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32  3.....|
+
</pre>
+
  
These volumes can also be identified by a GUID:
+
{| class="wikitable"
* for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00
+
|-
* for BitLocker ToGo: 4967d63b-2e29-4ad8-8399-f6a339e3d01
+
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H1
 +
| 0x0000
 +
| 4
 +
| DWORD
 +
| Format version (see format version section below)
 +
|-
 +
| H2
 +
| 0x0004
 +
| 4
 +
| DWORD
 +
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
 +
|-
 +
| H3
 +
| 0x0008
 +
| 4
 +
| DWORD?
 +
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
 +
|-
 +
| H4
 +
| 0x000C
 +
| 4
 +
| DWORD
 +
| Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
 +
|-
 +
| H5
 +
|0x0010
 +
| 60
 +
| USTR
 +
| The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
 +
|-
 +
| H6
 +
|0x004C
 +
|4
 +
|DWORD
 +
|The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
 +
|-
 +
| H7
 +
|0x0050
 +
|4
 +
|?
 +
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
 +
|-
 +
|}
  
Which in a hexdump of the start of the volume should look similar to:
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
<pre>
+
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
+
</pre>
+
  
== manage-bde ==
+
=== Format version ===
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
+
<pre>
+
manage-bde.exe -status
+
</pre>
+
  
To obtain the recovery password for volume C:
+
{| class="wikitable"
<pre>
+
|-
manage-bde.exe -protectors -get C: -Type recoverypassword
+
! Value
</pre>
+
! Windows version
 +
|-
 +
| 17 (0x11)
 +
| Windows XP, Windows 2003
 +
|-
 +
| 23 (0x17)
 +
| Windows Vista, Windows 7
 +
|-
 +
| 26 (0x1a)
 +
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
 +
|-
 +
|}
  
Or just obtain the all “protectors” for volume C:
+
=== File information - version 17 ===
<pre>
+
manage-bde.exe -protectors -get C:
+
</pre>
+
  
== See Also ==
+
The following part of the file header is version dependent. It is sometime considered part of the file header. Below the structure for format version 17.
* [[BitLocker:_how_to_image|BitLocker: How to image]]
+
* [[Defeating Whole Disk Encryption]]
+
  
== External Links ==
+
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H8
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
| H9
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
| H10
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
| H11
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
| H12
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
| H13
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
| H14
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
| H15
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
| H16
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
| H17
 +
| 0x0078
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
| H18
 +
| 0x0080
 +
| 16
 +
| ?
 +
| Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
 +
|-
 +
| H19
 +
| 0x0090
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
| H20
 +
| 0x0094
 +
| 4
 +
| DWORD?
 +
| Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
 +
|-
 +
|}
  
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
+
== Section A ==
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
+
This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) entry records.
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
+
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
+
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
+
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
+
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
+
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
+
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
+
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
+
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
+
  
== Tools ==
+
The actual format and usage of these entry records is currently not known.
* [http://technet.microsoft.com/en-us/library/dd875513(v=ws.10).aspx Manage-bde.exe], by [[Microsoft]]
+
 
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
+
== Section B ==
* [[libbde]]
+
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
 +
 
 +
The actual format and usage of these entry records is currently not known.
 +
 
 +
== Section C ==
 +
This section contains an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
 +
 
 +
At the end of the section there seems to be alignment padding that can contain remnant values.
 +
 
 +
== Section D - Volume information (block) ==
 +
 
 +
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
 +
 
 +
In this section, all offsets are assumed to be counted from the start of the D section.
 +
 
 +
=== Volume information - version 17 ===
 +
The following values are version dependent. Below the structure for format version 17.
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| DH1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume string (Unicode, terminated by U+0000)
 +
|-
 +
| DH2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume string (nr of characters, including terminating U+0000)
 +
|-
 +
| DH3
 +
| +0x0008
 +
| 8
 +
| FILETIME
 +
| Volume creation time.
 +
|-
 +
| DH4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| DH5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS1
 +
|-
 +
| DH6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| ? Length of section DHS1 (in bytes)
 +
|-
 +
| DH7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS2
 +
|-
 +
| DH8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| ? Nr of strings in section DHS2
 +
|-
 +
| ?
 +
| +0x0024
 +
| ?
 +
| ?
 +
| ? additional 28 bytes (includes one timestamp?)
 +
|}
 +
 
 +
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
 +
 
 +
== See Also ==
 +
* [[Prefetch]]
 +
 
 +
== External Links ==
 +
* [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format], by the [[libssca|libssca project]]
  
[[Category:Disk encryption]]
+
[[Category:File Formats]]
[[Category:Windows]]
+

Revision as of 02:15, 11 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Characteristics

Integer values are stored in little-endian.

Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).

Timestamps are stored as Windows FILETIME in UTC.

File header

Field Offset Length Type Notes
H1 0x0000 4 DWORD Format version (see format version section below)
H2 0x0004 4 DWORD Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
H3 0x0008 4 DWORD? Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
H4 0x000C 4 DWORD Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
H5 0x0010 60 USTR The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
H6 0x004C 4 DWORD The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
H7 0x0050 4 ? Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)

It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.

Format version

Value Windows version
17 (0x11) Windows XP, Windows 2003
23 (0x17) Windows Vista, Windows 7
26 (0x1a) Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)

File information - version 17

The following part of the file header is version dependent. It is sometime considered part of the file header. Below the structure for format version 17.

Field Offset Length Type Notes
H8 0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
H9 0x0058 4 DWORD The number of entries in section A.
H10 0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
H11 0x0060 4 DWORD The number of entries in section B.
H12 0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
H13 0x0068 4 DWORD Length of section C.
H14 0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
H15 0x0070 4 DWORD The number of entries in section D.
H16 0x0074 4 DWORD Length of section D.
H17 0x0078 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
H18 0x0080 16  ? Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
H19 0x0090 4 DWORD Execution counter (or run count)
H20 0x0094 4 DWORD? Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)

Section A

This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

Section B

This section contains an array with 12 byte (version 17, 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

Section C

This section contains an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).

At the end of the section there seems to be alignment padding that can contain remnant values.

Section D - Volume information (block)

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

Volume information - version 17

The following values are version dependent. Below the structure for format version 17.

Field Offset Length Type Notes
DH1 +0x0000 4 DWORD Offset to volume string (Unicode, terminated by U+0000)
DH2 +0x0004 4 DWORD Length of volume string (nr of characters, including terminating U+0000)
DH3 +0x0008 8 FILETIME Volume creation time.
DH4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
DH5 +0x0014 4 DWORD  ? Offset to section DHS1
DH6 +0x0018 4 DWORD  ? Length of section DHS1 (in bytes)
DH7 +0x001C 4 DWORD  ? Offset to section DHS2
DH8 +0x0020 4 DWORD  ? Nr of strings in section DHS2
 ? +0x0024  ?  ?  ? additional 28 bytes (includes one timestamp?)

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

See Also

External Links