BitLocker for DFIR – Part II

Mark Spencer

October 30, 2019


In “BitLocker for DFIR – Part I” we provided a quick summary of BitLocker, details regarding the various “states” of BitLocker volumes that we see most often in our casework, and some thoughts on things that are particularly relevant to digital forensics and incident response practitioners. We will now discuss launching virtual machines from BitLockered disk images.

There are three distinct ways in which we use Arsenal Image Mounter to launch virtual machines from BitLockered disk images:

A “Locked Launch” is exactly what it sounds like – after mounting a BitLockered disk image with Arsenal Image Mounter, the next action taken is launching the AIM-mounted disk (containing one or more locked BitLocker volumes) into a virtual machine. Launching a virtual machine in this way will result in being challenged by the BitLocker pre-boot environment, because the Windows volume has remained encrypted. We do not normally launch virtual machines this way, because AIM Virtual Machines Tools will not be injected and we would be on our own in terms of (for example) logging into Windows accounts. Here is the Locked Launch workflow:

  1. Use AIM to mount disk image containing BitLocker volume(s) in write-temporary mode
  2. Do not unlock or fully decrypt BitLocker
  3. Use AIM’s Launch VM feature to launch a virtual machine

BitLockered Disk Image Mounted by AIM

Locked Launch into Virtual Machine

An “Unlocked Launch” is the fastest way to launch a virtual machine (with AIM Virtual Machine Tools injected) from a BitLockered disk image, but performance within the virtual machine will suffer (compared to performance after a “Fully Decrypted Launch”) because of normal on-the-fly BitLocker decryption. Here is the Unlocked Launch workflow:

  1. Use AIM to mount disk image containing BitLocker volume(s) in write-temporary mode
  2. Use Windows on your forensic workstation to unlock the BitLocker volume(s)
  3. Use AIM’s Launch VM feature to launch a virtual machine (AIM will disable BitLocker)
  4. Run AIM Virtual Machine Tools (Ease of Access icon) and use password bypass, etc.

AIM Offering to Disable BitLocker Volume

AIM Virtual Machine Tools After Unlocked Launch

A “Fully Decrypted Launch” is the slowest way to launch a virtual machine (with AIM Virtual Machine Tools injected) from a BitLockered disk image due to the wait for full decryption, but it will result in the highest performance within the virtual machine because normal on-the-fly BitLocker decryption will no longer be necessary. Here is the Fully Decrypted Launch workflow:

  1. Use AIM to mount disk image containing BitLocker volume(s) in write-temporary mode
  2. Use Windows on your forensic workstation to unlock BitLocker volume(s)
  3. Use Windows on your forensic workstation to fully decrypt BitLocker volume(s)*
  4. Use AIM’s Launch VM feature to launch a virtual machine
  5. Run AIM Virtual Machine Tools (Ease of Access icon) and use password bypass, etc.

* Full decryption can be accomplished by using “manage-bde -off (Volume Letter):” at an administrative command prompt. You may want to use “manage-bde -status (Volume Letter):” occasionally to check on decryption status.
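The unlock-and-decrypt steps above can be scripted so that the status check is not done by hand. The following is an added example, not Arsenal's code: it uses the Windows BitLocker cmdlets (Unlock-BitLocker, Disable-BitLocker and Get-BitLockerVolume, the PowerShell equivalents of manage-bde -off and -status), assumes the AIM-mounted volume has letter E: and that a 48-digit recovery password is available, and polls until the volume reports FullyDecrypted so the VM launch does not start early.

```powershell
# Added example (not from the Arsenal Recon article): unlock an AIM-mounted
# BitLocker volume, start full decryption, and wait until it is fully decrypted.
# Assumptions: $MountPoint is the write-temporary AIM volume, the recovery
# password is known, and this runs in an elevated PowerShell session.
param(
    [string]$MountPoint = "E:",   # assumed letter of the AIM-mounted volume
    # Placeholder recovery password; replace with the real 48-digit key.
    [string]$RecoveryPassword = "000000-000000-000000-000000-000000-000000-000000-000000",
    [int]$PollSeconds = 30
)

# Workflow step 2: unlock the volume on the forensic workstation.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
}

# Workflow step 3: start full decryption (same effect as "manage-bde -off E:").
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
}

# Poll instead of re-running "manage-bde -status" by hand. VolumeStatus moves
# from DecryptionInProgress to FullyDecrypted; EncryptionPercentage falls to 0.
do {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0} {1}: {2} ({3}% still encrypted)" -f `
        (Get-Date -Format 'HH:mm:ss'), $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { Start-Sleep -Seconds $PollSeconds }
} while ($vol.VolumeStatus -ne 'FullyDecrypted')

Write-Host "$MountPoint is fully decrypted; safe to use AIM's Launch VM feature."
```

On an HDD-backed image this loop will run for the 40-45 minutes the table below reports, so a longer poll interval is reasonable there.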


Full Decryption of BitLocker Volume & Status Check

Windows Desktop after Fully Decrypted Launch

Of course it is much better to store disk images on a fast solid state drive rather than a hard disk drive, particularly when dealing with disk images containing Full Volume Encryption (FVE) technologies like BitLocker. Here are some statistics compiled by Arsenal’s Emina Doherty while launching BitLockered disk images into virtual machines:

| Drive Type | Unlocked VM Launch | Full Decryption | Fully Decrypted VM Launch |
|---|---|---|---|
| SSD | 2-3 minutes | 10-15 minutes | 1 minute |
| HDD | 4-6 minutes | 40-45 minutes | 3-4 minutes |

Emina has created an instructional video covering some of the concepts in this article. You can watch it here:


Launching BitLockered Disk Images into Virtual Machines from Arsenal Recon on Vimeo


Topics we are considering for upcoming BitLocker for DFIR Insights articles include things to be aware of when dealing with clients who use BitLocker, key recovery, and case studies. What would you like to see in the next part?
