BitLocker for DFIR – Part III

Mark Spencer

January 23, 2021

You have followed your standard operating procedure and obtained a forensic image from a laptop’s solid state drive (hereafter, “SSD”). After making a working copy of the forensic image you open it in one of your digital forensics tools… but there’s a problem. You can’t see the expected Windows volume or any user data! To determine what’s wrong, you launch Arsenal Image Mounter and mount the forensic image:

Forensic Image Mounted in Arsenal Image Mounter

Immediately after mounting the forensic image, the situation begins to make more sense:

BitLocker Recovery Key Dialog

So, the Windows volume was protected by BitLocker. You confirm this by running “manage-bde -status e:” from an administrative command prompt while the forensic image is still mounted in Arsenal Image Mounter (here the Windows volume inside the mounted image has been assigned drive letter E:):

Status of BitLocker Volume Within Forensic Image

Generally speaking, a BitLocker-protected volume within a forensic image can be dealt with in a variety of ways (especially with some cooperation from the computer user or the IT department responsible for it). When BitLocker is used in concert with a TPM, those ways narrow: the TPM-based key protector is sealed to the original computer’s TPM and its measured boot state, so that protector can only be used on the original computer. The recovery key is the one protector that works anywhere. So, if a BitLocker volume is protected by “Numerical Password” (a/k/a BitLocker recovery key, the 48-digit value Windows formally calls the recovery password) and “TPM and PIN” as in the screenshot above, you will need either:

1. The BitLocker recovery key to unlock/disable/remove the BitLocker volume within the forensic image (Ideal!)

or

2. The BitLocker PIN and a Windows password for an administrative user (manage-bde only reveals key protectors from an elevated prompt), so that a BitLocker recovery key can be extracted when the computer the forensic image came from is booted from the restored forensic image (Not so ideal!)
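The decision above can be made mechanically from the same “manage-bde -status” output the article checks by hand. The following PowerShell is an added example (it is not code from the article or from Arsenal): it parses the “Key Protectors:” block, separates protectors that are bound to the original TPM from ones that work anywhere (recovery password, .BEK external key, user passphrase), and says which path applies. The drive letter E: and the sample output at the bottom are assumptions/constructed so the function can be exercised offline; omit -StatusOutput to run it for real from an elevated prompt against an AIM-mounted image.

```powershell
# Added example (not part of the article): classify the key protectors on a
# BitLocker volume inside a mounted image and report which path applies.
# Drive letter and the sample output below are assumptions/constructed.

function Get-BitLockerProtectorPlan {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # e.g. 'E:'
        [string[]] $StatusOutput                       # pre-captured text (offline use)
    )
    if (-not $StatusOutput) {
        # Same command the article runs; needs an elevated prompt.
        $StatusOutput = & manage-bde.exe -status $MountPoint 2>&1 | ForEach-Object { "$_" }
    }

    $protectors   = @()
    $lockStatus   = 'Unknown'
    $inProtectors = $false
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*Lock Status:\s*(.+?)\s*$') { $lockStatus = $Matches[1]; continue }
        if ($line -match '^\s*Key Protectors:\s*$')      { $inProtectors = $true; continue }
        if ($inProtectors) {
            # Protector names are indented below "Key Protectors:" and carry no colon;
            # the list ends at a blank line or at the next "Field:" line.
            if ([string]::IsNullOrWhiteSpace($line) -or $line -match ':') { break }
            $protectors += $line.Trim()
        }
    }

    $hasRecoveryPassword = $protectors -contains 'Numerical Password'
    $hasExternalKey      = $protectors -contains 'External Key'   # .BEK startup/recovery key file
    $hasPassword         = $protectors -contains 'Password'       # user passphrase
    $tpmProtectors       = @($protectors | Where-Object { $_ -like 'TPM*' })

    # TPM-bound protectors cannot be used from a mounted image or a VM; only a
    # recovery password, a .BEK file or a passphrase is portable to other hardware.
    $portable = @()
    if ($hasRecoveryPassword) { $portable += 'recovery password (Numerical Password)' }
    if ($hasExternalKey)      { $portable += 'startup/recovery key file (External Key)' }
    if ($hasPassword)         { $portable += 'user passphrase (Password)' }

    $plan = if ($portable.Count -gt 0 -and $tpmProtectors.Count -gt 0) {
        "Unlock in place with: $($portable -join ', '). Without those, boot the ORIGINAL " +
        "hardware from a clone using the $($tpmProtectors -join '/') protector and extract the recovery password."
    } elseif ($portable.Count -gt 0) {
        "Unlock in place with: $($portable -join ', ')."
    } elseif ($tpmProtectors.Count -gt 0) {
        "Only TPM-bound protectors ($($tpmProtectors -join ', ')): original hardware required."
    } else {
        'No protectors parsed; inspect the manage-bde output by hand.'
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        LockStatus = $lockStatus
        Protectors = $protectors
        Plan       = $plan
    }
}

# Constructed sample matching the protectors shown in the article's screenshot
$sample = @'
Volume E: [OS]
[OS Volume]

    BitLocker Version:    2.0
    Lock Status:          Locked
    Key Protectors:
        Numerical Password
        TPM And PIN
'@ -split "`r?`n"

Get-BitLockerProtectorPlan -MountPoint 'E:' -StatusOutput $sample | Format-List
```

For the sample above the plan is “unlock in place with the recovery password; otherwise boot the original hardware from a clone”, which is exactly the fork described in the two numbered options.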

We’ve been asked before if a forensic image, containing a BitLocker volume protected with TPM and PIN, could be launched into a virtual machine with Arsenal Image Mounter on a forensic workstation to somehow provide more options for dealing with BitLocker other than having the recovery key. The short answer is, no. The TPM and PIN protector can only be unsealed by the physical TPM it was created on, and the virtual machine has a different TPM (or none at all), so BitLocker goes straight to recovery. If you launch a forensic image containing a BitLocker volume protected with TPM and PIN into a virtual machine, the very first thing you will be asked for is the BitLocker recovery key:

Forensic Image Containing a BitLocker Volume Protected with TPM and PIN Launched Into a Virtual Machine with AIM

Fortunately in our casework at Arsenal (which is mostly both civil and corporate in nature) we are normally able to proceed with a BitLocker recovery key, provided to us by the IT department responsible for the computer. You may not be so fortunate though. For example – a suspect is ordered to turn over their BitLocker PIN, Windows password, and BitLocker recovery key to you, but they are only able to provide (or you are only able to somehow get) their BitLocker PIN and Windows password(1). After all, it’s unlikely a human would be able to recall a BitLocker recovery key if they happen to be somewhere like jail.

At this point, because you already have a forensic image, you prefer not to interact with the laptop’s SSD unless it is absolutely necessary. You have been able to get a BitLocker PIN and Windows password from your suspect. Your workflow will involve:

1. Restoring the forensic image to a new SSD (the “clone drive”)

2. Replacing the laptop’s SSD with the clone drive

3. Booting the laptop, entering the PIN and Windows password

4. Extracting the BitLocker recovery key

5. Removing BitLocker from the forensic image on a forensic workstation

6. Beginning your analysis from a fully-decrypted forensic image
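Steps 4 to 6 of the workflow above, as an added PowerShell example that is not code from the article or from Arsenal. Export-BitLockerRecoveryPassword is run on the booted clone from an elevated prompt (step 4): it parses “manage-bde -protectors -get”, validates the 48-digit value with BitLocker’s own format rule, and writes a timestamped record plus its SHA-256 for the case file. Remove-BitLockerFromImage is run on the forensic workstation against the OS volume inside the mounted image (steps 5 and 6): it unlocks with the recovery password, decrypts in place with manage-bde, and waits for 0.0% encrypted. The drive letters, the output path, and the assumption that the image is mounted writable (otherwise stop after the unlock) are mine; the manage-bde output at the bottom is constructed so the extraction half runs offline.

```powershell
# Added example (not part of the article): recovery-password extraction on the
# booted clone, then unlock + in-place decryption of the mounted image.
# Drive letters, output path and "writable mount" are assumptions; sample text is constructed.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)] [string] $RecoveryPassword)
    # Catches transcription errors before manage-bde is called: eight groups of six
    # digits; each group is a 16-bit value multiplied by 11, so it must be divisible
    # by 11 and below 720896 (65536 * 11).
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    foreach ($group in $RecoveryPassword -split '-') {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Export-BitLockerRecoveryPassword {
    param(
        [string]   $MountPoint = 'C:',
        [string]   $OutFile    = "$env:USERPROFILE\Desktop\bitlocker-recovery.txt",
        [string[]] $ProtectorOutput   # pre-captured "manage-bde -protectors -get" text (offline use)
    )
    if (-not $ProtectorOutput) {
        $ProtectorOutput = & manage-bde.exe -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" }
    }
    # Under "Numerical Password:" manage-bde prints the protector ID and then the
    # password on its own line; pair each password with the ID seen just before it.
    $id = $null
    $found = @()
    foreach ($line in $ProtectorOutput) {
        if ($line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]+\})') { $id = $Matches[1] }
        if ($line -match '^\s*(\d{6}(?:-\d{6}){7})\s*$') {
            $rp = $Matches[1]
            if (-not (Test-BitLockerRecoveryPassword $rp)) { throw "Malformed recovery password read for $MountPoint" }
            $found += [pscustomobject]@{ ProtectorId = $id; RecoveryPassword = $rp }
        }
    }
    if ($found.Count -eq 0) { throw "No Numerical Password protector found on $MountPoint" }

    $record = foreach ($f in $found) {
        "$(Get-Date -Format o)`t$MountPoint`t$($f.ProtectorId)`t$($f.RecoveryPassword)"
    }
    Set-Content -Path $OutFile -Value $record -Encoding ASCII
    [pscustomobject]@{
        OutFile   = $OutFile
        Sha256    = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash   # note this in the case file
        Passwords = $found
    }
}

function Remove-BitLockerFromImage {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,        # OS volume inside the mounted image, e.g. 'E:'
        [Parameter(Mandatory)] [string] $RecoveryPassword,
        [int] $PollSeconds = 30
    )
    if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) { throw 'Recovery password failed format check' }

    # Step 5a: the Numerical Password protector is not TPM-bound, so it unlocks on any machine.
    & manage-bde.exe -unlock $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed (exit code $LASTEXITCODE)" }

    # Step 5b: decrypt in place. This writes to the mounted disk, so the image must be
    # mounted writable (assumption). On a read-only mount, stop after the unlock.
    & manage-bde.exe -off $MountPoint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -off failed (exit code $LASTEXITCODE)" }

    # Step 6 gate: do not start analysis until manage-bde reports 0.0% encrypted.
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = & manage-bde.exe -status $MountPoint | ForEach-Object { "$_" }
        $pct = $null
        foreach ($l in $status) { if ($l -match 'Percentage Encrypted:\s*([\d.]+)%') { $pct = $Matches[1] } }
        if ($null -eq $pct) { throw "Could not read encryption percentage for $MountPoint" }
        Write-Host "$MountPoint is $pct% encrypted"
    } while ([double]$pct -gt 0)
    return $status
}

# Constructed sample of "manage-bde -protectors -get C:" as seen on the booted clone
$sample = @'
Volume C: [OS]
All Key Protectors

    TPM And PIN:
      ID: {11111111-2222-3333-4444-555555555555}

    Numerical Password:
      ID: {66666666-7777-8888-9999-000000000000}
      Password:
        111111-222222-333333-444444-555555-666666-000000-123453
'@ -split "`r?`n"

$export = Export-BitLockerRecoveryPassword -MountPoint 'C:' -ProtectorOutput $sample -OutFile "$env:TEMP\bitlocker-recovery.txt"
$export.Passwords
# On the workstation, with the image mounted writable and its OS volume at E: (assumed):
# Remove-BitLockerFromImage -MountPoint 'E:' -RecoveryPassword $export.Passwords[0].RecoveryPassword
```

The format check is worth keeping even if you type the password into a forensic tool instead: a single mistyped digit fails the divisible-by-11 rule immediately, which is faster than waiting for an unlock error.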

Let’s see some screenshots and photos of this workflow in action!

(1) There are also possibilities which include the BitLocker recovery key being stored by the user on a removable storage device, or physically printed, or stored within their Microsoft online account.


Restoring the forensic image to a new SSD (the “clone drive”)

Replacing the laptop’s original SSD with the clone drive

Booting the laptop, entering the PIN and Windows password

Extracting the BitLocker recovery key

BitLocker Recovery Key Extraction from Administrative Command Prompt

Removing BitLocker from the forensic image on a forensic workstation

Beginning your analysis from a fully-decrypted forensic image

Fully Decrypted Image File Mounted in Windows File System Driver Bypass Mode

At this point, you are ready to load the fully decrypted image file into digital forensics tools and continue your analysis.

This workflow was designed to address a particular situation brought to us by law enforcement, in which maintaining the tightest possible chain-of-custody and minimizing interaction with the suspect’s SSD were priorities. You may want to consider how your acquisition procedures account not only for live systems and unlocked encryption in general, but specifically for unlocked BitLocker volumes and the extraction of recovery keys while you have the chance. I hope you have found this Insights article interesting, and even better, useful!
