
BitLocker for DFIR – Part I

March 11th, 2023
Mark Spencer

This article was originally published on October 25th, 2019 and then updated on April 13, 2020 and March 11, 2023.

BitLocker is a Full Volume Encryption (FVE) technology introduced by Microsoft in the Ultimate and Enterprise versions of Windows Vista. BitLocker has come a very long way since Vista, becoming quite flexible (some of our colleagues might prefer the word complicated) and secure if used properly.

We deal with BitLocker frequently in our casework at Arsenal… so frequently that we added BitLocker-specific functionality to Arsenal Image Mounter to make our lives easier. There was a time back in 2019 when we were fielding a significant number of BitLocker-related support inquiries and noticed some of the same questions posed on discussion forums, so we decided to work on an Insights article explaining BitLocker issues we think are most relevant to digital forensics and incident response practitioners.

I do not intend to discuss all the functionality of BitLocker in this Insights article, nor will I discuss all the various “states” of BitLocker volumes. I intend instead to focus on the states of BitLocker volumes which we find most often in our casework, in the hope that this information will not only be interesting to you but useful as well. 

So, what are these “BitLocker states” as Arsenal refers to them?

  • Locked

  • Unlocked

  • Fully Decrypted (Off)

  • Disabled (Protectors Suspended)

  • Disabled (Protectors Removed)

Let’s go through these states carefully, in terms of how each appears on a raw disk, to Windows, to BitLocker-aware DFIR tools, to BitLocker-unaware DFIR tools, and to manage-bde. The assumptions being made regarding BitLocker-aware and BitLocker-unaware tools are that the tools are mounting complete disks rather than volumes, and that each BitLocker state in question was in play prior to launching the tools. I will also provide the manage-bde command to enter each state and a screenshot demonstrating the output of “manage-bde -status” in Arsenal Image Mounter. We have found Arsenal Image Mounter to be indispensable when working with BitLocker volumes (in both our casework and software development) as we can mount a disk image in write-temporary mode, move between various BitLocker states, and launch virtual machines from various BitLocker states – all in a single session.

BitLocker State: Locked

State: Locked

  • Appears on raw disk: Encrypted

  • Appears to Windows: Encrypted

  • Appears to BitLocker-aware DFIR tools: Encrypted (Decryption may be possible if protectors are available)

  • Appears to BitLocker-unaware DFIR tools: Encrypted

  • Status per manage-bde: Conversion Status=Unknown, Lock Status=Locked, Key Protectors=Password, etc.


BitLocker State: Unlocked

State: Unlocked

  • Appears on raw disk: Encrypted

  • Appears to Windows: Decrypted

  • Appears to BitLocker-aware DFIR tools: Encrypted (Decryption may be possible if protectors are available)

  • Appears to BitLocker-unaware DFIR tools: Encrypted

  • Status per manage-bde: Conversion Status=Fully Encrypted, Lock Status=Unlocked, Key Protectors=Password, etc.

Manage-bde command to enter state with recovery key: manage-bde -unlock (Volume Letter:) -RecoveryPassword (Recovery Key)


BitLocker State: Fully Decrypted

State: Fully Decrypted (Off)

  • Appears on raw disk: Decrypted

  • Appears to Windows: Decrypted

  • Appears to BitLocker-aware DFIR tools: Decrypted (No protectors required)

  • Appears to BitLocker-unaware DFIR tools: Decrypted

  • Status per manage-bde: Conversion Status=Fully Decrypted, Lock Status=Unlocked, Key Protectors=None Found

Manage-bde command to enter state when BitLocker-protected volume is already unlocked: manage-bde -off (Volume Letter:)


BitLocker State: Disabled (Protectors Suspended)

State: Disabled (Protectors Suspended)

  • Appears on raw disk: Encrypted

  • Appears to Windows: Decrypted

  • Appears to BitLocker-aware DFIR tools: Decrypted (No protectors required)

  • Appears to BitLocker-unaware DFIR tools: Encrypted

  • Status per manage-bde: Conversion Status=Fully Encrypted, Lock Status=Unlocked, Key Protectors=Password, etc.

Manage-bde command to enter state when BitLocker-protected volume is already unlocked: manage-bde -protectors -disable (Volume Letter:)


BitLocker State: Disabled (Protectors Removed)

State: Disabled (Protectors Removed)

  • Appears on raw disk: Encrypted

  • Appears to Windows: Decrypted

  • Appears to BitLocker-aware DFIR tools: Decrypted (No protectors required)

  • Appears to BitLocker-unaware DFIR tools: Encrypted

  • Status per manage-bde: Conversion Status=Fully Encrypted, Lock Status=Unlocked, Key Protectors=None Found

Manage-bde command to enter state when BitLocker-protected volume is already unlocked: manage-bde -protectors -delete (Volume Letter:)
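The “Appears on raw disk” rows above are what a BitLocker-unaware tool actually has to work with, and they can be checked directly from the first sector of a volume in a raw disk image. The following Python is an added example (not Arsenal’s code, and not part of the original article) that classifies a volume boot sector: BitLocker volumes created on Windows 7 or later carry the OEM identifier “-FVE-FS-” at byte offset 3 of the volume header, so Locked, Unlocked, Disabled (Protectors Suspended) and Disabled (Protectors Removed) all show that identifier, while only the Fully Decrypted (Off) state shows a normal “NTFS    ” boot sector again. Vista-era BitLocker volumes keep an NTFS-looking header and are not recognized by this check; the sample sectors are constructed inline.

```python
"""Raw-sector triage for BitLocker state (added example, not from the article).

A BitLocker-unaware tool reading the raw disk sees the BitLocker volume header in
the Locked, Unlocked and both Disabled states, and a plain NTFS boot sector only
in the Fully Decrypted (Off) state. Windows 7+ BitLocker volumes put the OEM
identifier "-FVE-FS-" at byte offset 3 of that header.
"""

SECTOR_SIZE = 512
BITLOCKER_OEM = b"-FVE-FS-"   # Windows 7 and later BitLocker volume header
NTFS_OEM = b"NTFS    "        # normal NTFS boot sector (Fully Decrypted / never protected)
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid boot sector


def classify_boot_sector(sector: bytes) -> dict:
    """Report what the first sector of a volume reveals about its on-disk state.

    Returns a dict with:
      on_disk  - "encrypted", "decrypted" or "unknown"
      detail   - human-readable reason
      boot_sig - True if the 0x55AA boot signature is present
    Note: a Vista-era BitLocker volume keeps an NTFS-looking header, so it would
    be reported as "decrypted" here; deeper FVE metadata parsing is needed for it.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"need at least {SECTOR_SIZE} bytes, got {len(sector)}")
    oem = sector[3:11]
    boot_sig = sector[510:512] == BOOT_SIGNATURE
    if oem == BITLOCKER_OEM:
        return {"on_disk": "encrypted",
                "detail": "BitLocker volume header (-FVE-FS-): Locked, Unlocked or Disabled state",
                "boot_sig": boot_sig}
    if oem == NTFS_OEM:
        return {"on_disk": "decrypted",
                "detail": "NTFS boot sector: Fully Decrypted (Off) or never BitLocker protected",
                "boot_sig": boot_sig}
    return {"on_disk": "unknown",
            "detail": f"unrecognized OEM identifier {oem!r}",
            "boot_sig": boot_sig}


def classify_volume_in_image(image_path: str, volume_offset: int) -> dict:
    """Read the first sector of a volume at `volume_offset` bytes inside a raw image."""
    with open(image_path, "rb") as fh:
        fh.seek(volume_offset)
        return classify_boot_sector(fh.read(SECTOR_SIZE))


def make_sample_sector(oem: bytes) -> bytes:
    """Construct a synthetic 512-byte boot sector carrying the given OEM identifier."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x52\x90"      # typical jump instruction at the start of a boot sector
    sector[3:11] = oem
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, oem in (("BitLocker (Locked/Unlocked/Disabled)", BITLOCKER_OEM),
                       ("Fully Decrypted (Off)", NTFS_OEM)):
        print(label, "->", classify_boot_sector(make_sample_sector(oem)))
```

To use it against a real image, pass the byte offset of the volume (partition start) to classify_volume_in_image; the sample-sector helper exists only so the module can be exercised without an image.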


Some things to note:

  • Some hardware vendors ship computers in the “Disabled (Protectors Removed)” BitLocker state, which can be confusing: a user would have no idea that the data is actually encrypted (because Windows decrypts it on the fly without requiring a password), yet when a DFIR practitioner or BitLocker-unaware DFIR tool looks at the raw disk, they will see encrypted data. Some DFIR practitioners refer to both the “Disabled (Protectors Suspended)” and “Disabled (Protectors Removed)” BitLocker states as “Clear Key Mode.”

  • If you are using Windows to interact with BitLocker volumes, it’s normally best to use the latest build of Windows 10 or 11… otherwise, you may find that you are attempting to interact with a more modern BitLocker volume than your Windows supports. For example, if you are running Windows 7 on your forensic workstation and attempting to unlock BitLocker volumes created on Windows 10 or 11, you should expect failure.

  • The manage-bde -status output for a volume that has never been BitLocker protected will look the same as the “Fully Decrypted (Off)” state.

  • There are various ways to determine whether a volume has ever been BitLocker protected. For example, you could review the BitLocker management log (Microsoft-Windows-BitLocker%4BitLocker Management.evtx – keep in mind Windows.old and VSCs!) for event ID 770 (BitLocker decryption was started for volume (X):.) or review file system metadata (keep in mind what I mentioned earlier as well as the UsnJrnl and LogFile metafiles) for the presence of “FVE2…” filenames within the System Volume Information folder. There are more ways to not only identify whether a volume has ever been BitLocker protected, but to identify other interesting and related things as well… so we will expand on this soon.
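The two indicators just described (event ID 770 in the BitLocker Management log and “FVE2…” filenames under System Volume Information) are easy to check mechanically once the artifacts have been exported. The Python below is an added example, not part of the article and not Arsenal’s code: it takes event-log rows in the shape of a CSV export with assumed columns Id, TimeCreated and Message, plus a plain list of file paths, and reports the evidence found. The CSV rows, file paths and the GUID-style suffixes in the FVE2 names are constructed for the example; the real filenames carry their own identifiers.

```python
"""Evidence that a volume was once BitLocker protected (added example, not from
the article). Checks the two indicators named in the text:
  1. event ID 770 ("BitLocker decryption was started for volume X:.") in
     Microsoft-Windows-BitLocker%4BitLocker Management.evtx
  2. "FVE2..." filenames under a System Volume Information folder
Inputs are constructed here; on a real case feed it an exported CSV of the
BitLocker Management log and a file listing that includes Windows.old and VSCs.
"""
import csv
import io
import re

DECRYPTION_STARTED_EVENT_ID = 770
VOLUME_LETTER_RE = re.compile(r"volume\s+([A-Za-z]):")

# Constructed sample export with assumed columns Id,TimeCreated,Message.
# The non-770 rows are filler to show that only event 770 is picked up.
SAMPLE_EVENT_CSV = """Id,TimeCreated,Message
1234,2023-02-01 09:12:03,"constructed filler event, unrelated to decryption"
770,2023-02-20 14:05:41,"BitLocker decryption was started for volume C:."
1234,2023-02-20 14:06:00,"constructed filler event, unrelated to decryption"
"""

# Constructed file listing: live volume, a Windows.old copy and a volume shadow copy.
SAMPLE_LISTING = [
    r"C:\System Volume Information\FVE2.{CONSTRUCTED-GUID-0001}",
    r"C:\System Volume Information\tracking.log",
    r"C:\Windows.old\Users\user\Documents\notes.txt",
    r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\System Volume Information\FVE2.{CONSTRUCTED-GUID-0002}",
]


def decryption_events(csv_text: str) -> list:
    """Return every event 770 row as {time, volume} (volume letter upper-cased, or None)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["Id"])
        except (KeyError, ValueError):
            continue  # malformed row: skip rather than abort the whole review
        if event_id != DECRYPTION_STARTED_EVENT_ID:
            continue
        match = VOLUME_LETTER_RE.search(row.get("Message", ""))
        hits.append({"time": row.get("TimeCreated", ""),
                     "volume": match.group(1).upper() if match else None})
    return hits


def fve2_artifacts(paths: list) -> list:
    """Return paths whose filename starts with FVE2 inside a System Volume Information folder."""
    found = []
    for path in paths:
        parts = path.replace("\\", "/").split("/")
        name = parts[-1]
        in_svi = any(p.lower() == "system volume information" for p in parts[:-1])
        if in_svi and name.upper().startswith("FVE2"):
            found.append(path)
    return found


def ever_bitlocker_protected(csv_text: str, paths: list) -> dict:
    """Combine both indicators into one verdict with the supporting evidence."""
    events = decryption_events(csv_text)
    files = fve2_artifacts(paths)
    return {"decryption_events": events,
            "fve2_files": files,
            "likely_protected_before": bool(events or files)}


if __name__ == "__main__":
    verdict = ever_bitlocker_protected(SAMPLE_EVENT_CSV, SAMPLE_LISTING)
    print("Likely BitLocker protected at some point:", verdict["likely_protected_before"])
    for ev in verdict["decryption_events"]:
        print("  event 770 at", ev["time"], "for volume", ev["volume"])
    for f in verdict["fve2_files"]:
        print("  FVE2 artifact:", f)
```

Absence of both indicators is not proof the volume was never protected (the log may have rolled or been cleared, and metadata can be purged), which is why the function reports only “likely protected before” and never a negative conclusion.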

  • As TPM has become quite common (and is theoretically required to run Windows 11), you may have noticed that you are encountering more BitLocker volumes protected by TPM. A BitLocker volume protected by TPM must be unlocked on the system containing the TPM that created it, and system boot integrity must be maintained... unless one of the protectors is a recovery key (Numerical Password) and you have the recovery key. This can create challenging situations for digital forensics practitioners, especially when various protectors are known except the recovery key. BitLocker for DFIR - Part III describes a solution we used in our own casework to one of these challenging situations. Here are a couple of examples of what BitLocker volumes protected by TPM will look like after mounting their disk images and running manage-bde -status:


Now that you are more familiar with BitLocker, let's take a look at how Arsenal Image Mounter can help you more efficiently move between BitLocker states and create fully-decrypted disk images when the appropriate protectors are available. The screenshots below depict the features available from AIM's BitLocker dropdown menu, BitLocker status information from a locked volume, BitLocker status information from an unlocked volume (notice the recovery key!), and a fully-decrypted disk image being saved from what was a disk image containing a BitLocker-protected volume.


Please consider what you have seen in this Insights article to be the start of a BitLocker journey. There is more to come! BitLocker for DFIR - Part II covers launching virtual machines from disk images containing one or more BitLocker-protected volumes… or using simpler terminology, launching virtual machines from BitLockered disk images.

Here is a teaser image, demonstrating functionality from Arsenal Image Mounter which makes booting virtual machines from BitLockered disk images more efficient:

Launch VM with BitLocker Assistance

Thank you for reading, and good hunting!
