
BitLocker for DFIR – Part II

October 30th, 2019
Mark Spencer

In “BitLocker for DFIR – Part I” we provided a quick summary of BitLocker, details regarding the various “states” of BitLocker volumes that we see most often in our casework, and some thoughts on things that are particularly relevant to digital forensics and incident response practitioners. We will now discuss launching virtual machines from BitLockered disk images.

There are three distinct ways in which we use Arsenal Image Mounter to launch virtual machines from BitLockered disk images:

A “Locked Launch” is exactly what it sounds like – after mounting a BitLockered disk image with Arsenal Image Mounter, the next action taken is launching the AIM-mounted disk (containing one or more locked BitLocker volumes) into a virtual machine. Launching a virtual machine in this way will result in being challenged by the BitLocker pre-boot environment, because the Windows volume has remained encrypted. We do not normally launch virtual machines this way, because AIM Virtual Machine Tools will not be injected and we would be on our own in terms of (for example) logging into Windows accounts. Here is the Locked Launch workflow:

  1. Use AIM to mount disk image containing BitLocker volume(s) in write-temporary mode

  2. Do not unlock or fully decrypt BitLocker

  3. Use AIM’s Launch VM feature to launch a virtual machine

[Figure: BitLockered Disk Image Mounted by AIM]

[Figure: Locked Launch into Virtual Machine]

An “Unlocked Launch” is the fastest way to launch a virtual machine (with AIM Virtual Machine Tools injected) from a BitLockered disk image, but performance within the virtual machine will suffer (compared to performance after a “Fully Decrypted Launch”) because of normal on-the-fly BitLocker decryption. Here is the Unlocked Launch workflow:

  1. Use AIM to mount disk image containing BitLocker volume(s) in write-temporary mode

  2. Use Windows on your forensic workstation to unlock the BitLocker volume(s)

  3. Use AIM’s Launch VM feature to launch a virtual machine (AIM will disable BitLocker)

  4. Run AIM Virtual Machine Tools (Ease of Access icon) and use password bypass, etc.

[Figure: AIM Offering to Disable BitLocker Volume]

[Figure: AIM Virtual Machine Tools After Unlocked Launch]

A “Fully Decrypted Launch” is the slowest way to launch a virtual machine (with AIM Virtual Machine Tools injected) from a BitLockered disk image due to the wait for full decryption, but it will result in the highest performance within the virtual machine because normal on-the-fly BitLocker decryption will no longer be necessary. Here is the Fully Decrypted Launch workflow:

  1. Use AIM to mount disk image containing BitLocker volume(s) in write-temporary mode

  2. Use Windows on your forensic workstation to unlock BitLocker volume(s)

  3. Use Windows on your forensic workstation to fully decrypt BitLocker volume(s)*

  4. Use AIM’s Launch VM feature to launch a virtual machine

  5. Run AIM Virtual Machine Tools (Ease of Access icon) and use password bypass, etc.

* Full decryption can be accomplished by using “manage-bde -off (Volume Letter):” at an administrative command prompt. You may want to use “manage-bde -status (Volume Letter):” occasionally to check on decryption status.
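Steps 3 and 4 of the Fully Decrypted Launch workflow involve starting decryption and then checking back until it is finished. The following PowerShell script is an added example (not from this article or from Arsenal’s tools) that wraps the two manage-bde commands above: it refuses to proceed if the AIM-assigned volume is still locked, starts full decryption, and polls manage-bde -status until it reports “Fully Decrypted”. The drive letter (E: below) is a placeholder for whatever letter AIM assigned, and the script assumes an elevated prompt.

```powershell
# Added example: drive full decryption of an AIM-mounted, already-unlocked BitLocker volume
# and poll its status. Run elevated; $Volume is the letter AIM assigned (placeholder "E:").
param(
    [Parameter(Mandatory = $true)][string]$Volume,   # e.g. "E:"
    [int]$PollSeconds = 60                           # how often to re-run manage-bde -status
)

function Get-BdeField {
    # manage-bde -status prints "Label:   value" lines; return the value for one label, or $null.
    param([string[]]$StatusText, [string]$Label)
    $pattern = "^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$"
    foreach ($line in $StatusText) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$status = manage-bde -status $Volume
if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed for $Volume" }

# Step 2 must already be done: a locked volume cannot be decrypted.
if ((Get-BdeField $status 'Lock Status') -ne 'Unlocked') {
    throw "$Volume is still locked; unlock it on the forensic workstation first"
}
if ((Get-BdeField $status 'Conversion Status') -eq 'Fully Decrypted') {
    Write-Host "$Volume is already fully decrypted"
    return
}

# Step 3: start full decryption (writes land in AIM's write-temporary cache, not the image).
manage-bde -off $Volume
if ($LASTEXITCODE -ne 0) { throw "manage-bde -off failed for $Volume" }

# Poll until manage-bde reports the conversion finished, logging progress with a timestamp.
do {
    Start-Sleep -Seconds $PollSeconds
    $status = manage-bde -status $Volume
    $pct  = Get-BdeField $status 'Percentage Encrypted'
    $conv = Get-BdeField $status 'Conversion Status'
    Write-Host ("{0:u}  {1}  {2}  ({3} encrypted)" -f (Get-Date), $Volume, $conv, $pct)
} while ($conv -ne 'Fully Decrypted')

Write-Host "$Volume fully decrypted; ready for AIM's Launch VM feature (step 4)"
```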

[Figure: Full Decryption of BitLocker Volume & Status Check]

[Figure: Windows Desktop after Fully Decrypted Launch]

Of course it is much better to store disk images on a fast solid state drive rather than a hard disk drive, particularly when dealing with disk images containing Full Volume Encryption (FVE) technologies like BitLocker. Here are some statistics compiled by Arsenal’s Emina Doherty while launching BitLockered disk images into virtual machines:

  Drive Type   Unlocked VM Launch   Full Decryption
  SSD          2-3 minutes          10-15 minutes
  HDD          4-6 minutes          40-45 minutes

Emina has created an instructional video covering some of the concepts in this article. You can watch it here:

Topics we are considering for upcoming BitLocker for DFIR Insights articles include things to be aware of when dealing with clients who use BitLocker, key recovery, and case studies. What would you like to see in the next part?
