BitLocker for DFIR – Part I

Mark Spencer

October 25, 2019

BitLocker is a Full Volume Encryption (FVE) technology introduced by Microsoft in the Ultimate and Enterprise versions of Windows Vista. BitLocker has come a very long way since Vista, becoming quite flexible (some of our colleagues might prefer the word complicated) and secure if used properly.

We deal with BitLocker frequently in our casework at Arsenal… so frequently that we added BitLocker-specific functionality to Arsenal Image Mounter to make our lives easier. Over the last few months we have fielded a significant number of BitLocker-related support inquiries, and noticed some of the same questions posed on discussion forums, so we decided to work on an Insights article explaining BitLocker issues we think are most relevant to digital forensics and incident response practitioners.

I do not intend to discuss all the functionality of BitLocker in this Insights article, nor will I discuss all the various “states” of BitLocker volumes. I intend instead to focus on the states of BitLocker volumes which we find most often in our casework, in the hope that this information will not only be interesting to you but useful as well. 

So, what are these “BitLocker states” as Arsenal refers to them?

Let’s go through these states carefully, in terms of how each appears on a raw disk, to Windows, to BitLocker-aware DFIR tools, to BitLocker-unaware DFIR tools, and to manage-bde. The assumptions made regarding BitLocker-aware and BitLocker-unaware DFIR tools are that the tools mount complete disks rather than volumes, and that each BitLocker state in question was in effect before the tools were launched. I will also provide the manage-bde command to enter each state and a screenshot demonstrating the output of “manage-bde -status” in Arsenal Image Mounter. We have found Arsenal Image Mounter to be indispensable when working with BitLocker volumes (in both our casework and software development) as we can mount a disk image in write-temporary mode, move between various BitLocker states, and launch virtual machines from various BitLocker states – all in a single session.

State: Locked

Appears on raw disk: Encrypted
Appears to Windows: Encrypted
Appears to BitLocker-aware DFIR tools: Encrypted (Decryption possible with password)
Appears to BitLocker-unaware DFIR tools: Encrypted
Status per manage-bde: Conversion Status=Unknown, Lock Status=Locked, Key Protectors=Password, etc.

Manage-bde command to enter state: manage-bde -on (Volume Letter:) -recoverypassword

State: Unlocked

Appears on raw disk: Encrypted
Appears to Windows: Decrypted
Appears to BitLocker-aware DFIR tools: Encrypted (Decryption possible with password)
Appears to BitLocker-unaware DFIR tools: Encrypted
Status per manage-bde: Conversion Status=Fully Encrypted, Lock Status=Unlocked, Key Protectors=Password, etc.

Manage-bde command to enter state: manage-bde -unlock (Volume Letter:) -RecoveryPassword (Recovery Key)

State: Fully Decrypted (Off)

Appears on raw disk: Decrypted
Appears to Windows: Decrypted
Appears to BitLocker-aware DFIR tools: Decrypted (No password required)
Appears to BitLocker-unaware DFIR tools: Decrypted
Status per manage-bde: Conversion Status=Fully Decrypted, Lock Status=Unlocked, Key Protectors=None Found

Manage-bde command to enter state: manage-bde -off (Volume Letter:)

State: Disabled (Protectors Suspended)

Appears on raw disk: Encrypted
Appears to Windows: Decrypted
Appears to BitLocker-aware DFIR tools: Decrypted (No password required)
Appears to BitLocker-unaware DFIR tools: Encrypted
Status per manage-bde: Conversion Status=Fully Encrypted, Lock Status=Unlocked, Key Protectors=Password, etc.

Manage-bde command to enter state: manage-bde -protectors -disable (Volume Letter:)

State: Disabled (Protectors Removed)

Appears on raw disk: Encrypted
Appears to Windows: Decrypted
Appears to BitLocker-aware DFIR tools: Decrypted (No password required)
Appears to BitLocker-unaware DFIR tools: Encrypted
Status per manage-bde: Conversion Status=Fully Encrypted, Lock Status=Unlocked, Key Protectors=None Found

Manage-bde command to enter state: manage-bde -protectors -delete (Volume Letter:)

A couple of things to note:

  • Some hardware vendors ship computers in the “Disabled (Protectors Removed)” BitLocker state, which can be confusing: a user would have no idea that the data is actually encrypted (Windows decrypts it on the fly without requiring a password), yet a DFIR practitioner or BitLocker-unaware DFIR tool looking at the raw disk will see encrypted data. Some DFIR practitioners refer to both the “Disabled (Protectors Suspended)” and “Disabled (Protectors Removed)” BitLocker states as “Clear Key Mode.”
  • If you are using Windows to interact with BitLocker volumes, it’s normally best to use the latest build of Windows 10… otherwise, you may find that you are attempting to interact with a more modern BitLocker volume than your Windows supports. For example, if you are running Windows 7 on your forensic workstation and attempting to unlock BitLocker volumes created on Windows 10, you should expect failure.
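The five states above are told apart by a handful of manage-bde fields, and the two “Disabled” states are what some practitioners call Clear Key Mode. As an added example (not Arsenal’s code), the following Python classifies a captured “manage-bde -status” volume block into those states and reports what the raw disk, BitLocker-unaware tools and BitLocker-aware tools will see. It assumes manage-bde’s “Field: value” layout with protectors listed one per indented line, uses the Protection Status field (present in real manage-bde output but not in the table above) to separate Unlocked from Disabled (Protectors Suspended), and the sample block is constructed.

```python
# Added example (not Arsenal's code); sample text is constructed, layout mimics manage-bde (assumption).
SAMPLE_STATUS = """\
Volume D: [Evidence]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        Password
        Numerical Password
"""

def parse_status(text):
    # Conversion Status, Lock Status and Key Protectors are the table's fields;
    # Protection Status (real manage-bde field, not in the table) tells Unlocked apart from Suspended.
    f = {"conversion": None, "lock": None, "protection": None, "protectors": []}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        key, _, val = raw.strip().partition(":")
        val = val.strip()
        if key in ("Conversion Status", "Lock Status", "Protection Status"):
            f[key.split()[0].lower()] = val
        elif key == "Key Protectors" and val != "None Found":
            if val:                       # single protector on the same line
                f["protectors"].append(val)
            else:                         # otherwise one per indented line
                for nxt in lines[i + 1:]:
                    if not nxt.strip() or ":" in nxt:
                        break
                    f["protectors"].append(nxt.strip())
    return f

def classify(f):
    """Map parsed fields to the state names used in this article."""
    if f["lock"] == "Locked":
        return "Locked"
    if f["conversion"] == "Fully Decrypted":
        return "Fully Decrypted (Off)"
    if f["conversion"] == "Fully Encrypted" and f["lock"] == "Unlocked":
        if not f["protectors"]:
            return "Disabled (Protectors Removed)"
        if f["protection"] == "Protection Off":
            return "Disabled (Protectors Suspended)"
        return "Unlocked"
    return "Unrecognized"

def tool_view(state):
    """What the raw disk / BitLocker-unaware tools and BitLocker-aware tools see."""
    if state == "Unrecognized":
        return {}
    raw = "Decrypted" if state == "Fully Decrypted (Off)" else "Encrypted"
    aware = "Encrypted (Decryption possible with password)" if state in ("Locked", "Unlocked") else "Decrypted (No password required)"
    return {"raw_disk_and_unaware": raw, "aware": aware, "clear_key_mode": state.startswith("Disabled")}
```

Run on a block captured from an in-progress conversion (Conversion Status such as “Encryption in Progress”) it returns “Unrecognized” rather than guessing, since none of the five states covers that case.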

Please consider what you have seen in this Insights article to be the start of a BitLocker journey. There is more to come! Part II will cover launching virtual machines from disk images containing one or more BitLocker-encrypted volumes… or using simpler terminology, launching virtual machines from BitLockered disk images.

Here is a teaser image, demonstrating functionality from Arsenal Image Mounter which makes booting virtual machines from BitLockered disk images more efficient: 

Thank you for reading, and good hunting!
