As you read this Insights article, please be aware of the potential impact of the various chassis intrusion features included with some computer models and adjust your workflow accordingly. Also keep in mind that similar chassis intrusion features may be referred to differently by different manufacturers. Arsenal has tested four types of chassis intrusion features - (1) loud notifications during boot after intrusion, (2) quiet notifications placed in the BIOS/UEFI after intrusion, (3) immediate power off after intrusion, and (4) TPM clearing after intrusion. Perhaps of most concern to digital forensics practitioners is TPM clearing after intrusion, which in the best case will force BitLocker into recovery mode (only accepting a recovery key), but in the worst case (if a recovery key is not a protector but TPM is) could result in the inability to ever access the BitLocker-protected volume again.
You have followed your standard operating procedure and obtained a forensic image from a laptop’s solid state drive (hereafter, “SSD”). After making a working copy of the forensic image you open it in one of your digital forensics tools… but there’s a problem. You can’t see the expected Windows volume or any user data! To try and determine what’s wrong, you launch Arsenal Image Mounter and mount the forensic image:
Forensic Image Mounted in Arsenal Image Mounter
Immediately after mounting the forensic image, the situation begins to make more sense:
BitLocker Recovery Key Dialog
So, the Windows volume was protected by BitLocker. You confirm this by running “manage-bde -status e:” from an administrative command prompt while the forensic image is still mounted in Arsenal Image Mounter:
Status of BitLocker Volume Within Forensic Image
Generally speaking, a BitLocker-protected volume within a forensic image is something that can be dealt with in a variety of ways (especially with some cooperation from the computer user or the IT department responsible for it)… but when BitLocker is used in concert with TPM, those ways narrow because the BitLocker volume can only be interacted with on the original computer – unless a BitLocker recovery key is available. So, if a BitLocker volume is protected by “Numerical Password” (a/k/a BitLocker recovery key) and “TPM and PIN” as in the screenshot above, you will need either:
The BitLocker recovery key to unlock/disable/remove the BitLocker volume within the forensic image (Ideal!), or
The BitLocker PIN and a Windows password for an administrative user, so that a BitLocker recovery key can be extracted when the computer the forensic image came from is booted from the restored forensic image (Not so ideal!)
We’ve been asked before if a forensic image, containing a BitLocker volume protected with TPM and PIN, could be launched into a virtual machine with Arsenal Image Mounter on a forensic workstation to somehow provide more options for dealing with BitLocker other than having the recovery key. The short answer is, no. If you launch a forensic image containing a BitLocker volume protected with TPM and PIN into a virtual machine, the very first thing you will be asked for is the BitLocker recovery key:
Forensic Image Containing a BitLocker Volume Protected with TPM and PIN Launched Into a Virtual Machine with AIM
Fortunately, in our casework at Arsenal (which is mostly civil and corporate in nature) we are normally able to proceed with a BitLocker recovery key, provided to us by the IT department responsible for the computer. You may not be so fortunate though. For example – a suspect is ordered to turn over their BitLocker PIN, Windows password, and BitLocker recovery key to you, but they are only able to provide (or you are only able to somehow get) their BitLocker PIN and Windows password(1). After all, it’s unlikely a human would be able to recall a BitLocker recovery key if they happen to be somewhere like jail.
At this point, because you already have a forensic image, you prefer not to interact with the laptop’s SSD unless it is absolutely necessary. You have been able to get a BitLocker PIN and Windows password from your suspect. Your workflow will involve:
Restoring the forensic image to a new SSD (the “clone drive”)(2)
Replacing the laptop’s SSD with the clone drive
Booting the laptop, entering the PIN and Windows password
Extracting the BitLocker recovery key
Removing BitLocker from the forensic image on a forensic workstation
Beginning your analysis from a fully-decrypted forensic image
Let’s see some screenshots and photos of this workflow in action!
(1) The BitLocker recovery key may also have been stored by the user on a removable storage device, physically printed, or stored within their Microsoft online account.
(2) You might think that restoring the forensic image to a new USB drive would be more convenient than to a new SSD, but unlocking TPM requires booting from the same type of device and maintaining the same boot configuration.
Restoring the forensic image to a new SSD (the “clone drive”)
Restoring Forensic Image in Raw (dd) Format to Clone Drive
Restore to Clone Drive Completed
Replacing the laptop’s original SSD with the clone drive
Laptop with Clone Drive Inserted
Booting the laptop, entering the PIN and Windows password
BitLocker PIN Request After Laptop Booted with Clone Drive
Extracting the BitLocker recovery key
BitLocker Recovery Key Extraction from Administrative Command Prompt
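The key extraction step above, as an added example that is not part of the original article or of Arsenal's tooling: a PowerShell snippet for the elevated prompt on the booted clone drive that lists each BitLocker volume's protectors, saves any recovery passwords (the same information “manage-bde -protectors -get” prints), and flags the worst case from the chassis intrusion note at the top, a TPM protector with no recovery password protector. $OutFile is an assumed path on a separate evidence drive.

```powershell
# Added example (not from the Arsenal article). Run from an elevated PowerShell
# prompt on the booted clone drive, after entering the BitLocker PIN and the
# Windows password. Uses the built-in BitLocker module (Get-BitLockerVolume).
# $OutFile is an assumption: write the keys to your evidence drive, not to the clone.
$OutFile = "D:\case\bitlocker-recovery-keys.txt"

$lines = foreach ($vol in Get-BitLockerVolume) {
    $types    = $vol.KeyProtector.KeyProtectorType
    $hasTpm   = $types -match '^Tpm'      # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Same facts "manage-bde -status <drive>" shows: protection state and protector types
    "Volume {0}  Status={1}  Protectors={2}" -f $vol.MountPoint, $vol.ProtectionStatus, ($types -join ',')

    if ($hasTpm -and -not $recovery) {
        # A TPM clear (e.g. after chassis intrusion) would leave no way to unlock
        # this volume from the forensic image: no numerical password to fall back on.
        "  WARNING: TPM protector without a recovery password protector"
    }
    foreach ($kp in $recovery) {
        # This 48-digit numerical password unlocks the volume within the image
        # on the forensic workstation, independent of the original TPM.
        "  RecoveryPassword Id={0}  Key={1}" -f $kp.KeyProtectorId, $kp.RecoveryPassword
    }
}

# Show the result on screen and keep a copy for the case file
$lines | Tee-Object -FilePath $OutFile
```

The equivalent classic command for a single volume is “manage-bde -protectors -get C:”, which prints the same protector IDs and numerical password.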
Removing BitLocker from the forensic image on a forensic workstation
Forensic Image Mounted on Forensic Workstation
BitLocker Recovery Key Dialog
Choosing to “Save as fully decrypted image file”
Saving to Fully Decrypted Image File in Progress
Saving to Fully Decrypted Image File Complete
Fully Decrypted Image File Mounted and BitLocker Status
Beginning your analysis from a fully-decrypted forensic image
Fully Decrypted Image File Mounted in Windows File System Driver Bypass Mode
At this point, you are ready to load the fully decrypted image file into digital forensics tools and continue your analysis.
This workflow was designed to address a particular situation brought to us by law enforcement, in which maintaining the tightest possible chain-of-custody and minimizing interaction with the suspect’s SSD were priorities. You may want to consider how your acquisition procedures account for not only live systems and unlocked encryption, but more specifically how they account for unlocked BitLocker volumes and the extraction of recovery keys while you have the chance. I hope you have found this Insights article interesting, and even better, useful!