6. BitLocker
6.2. BitLocker in Windows 7
6.2.3. BitLocker To Go Identification
First Look at the Windows 7 Forensics Piotrek Smulikowski
As with the other types of BitLocker encryption, there are several methods to determine that a USB stick is encrypted by this particular encryption application. Identification is especially easy when a portable drive is connected to a Windows platform PC, since the lock icon is displayed against the drive in My Computer, as seen in Figure 13.
Figure 13. BitLocker To Go encrypted portable drive.
However, if the drive is examined on other platforms the icon is not displayed. This was tested on Ubuntu 8.04 and Mac OS X 10.5. For alternative systems, other means of identification are available. When the drive is opened, characteristic files are visible: BitLockerToGo.exe, COV 0000.ER, Read Me.url, language files and multiple PAD XXXX.NG files. Figure 14 shows the contents of the encrypted drive.
Figure 14. Contents of the BitLocker To Go encrypted portable drive. The BitLockerToGo.exe file is clearly visible. Screenshot taken from Windows Vista.
Please note that although this particular drive does not contain any data, it is filled with encrypted data containers: PAD XXXX.NG files with size 0 bytes and one big file, COV 0000.ER, containing 98% of the volume size.
BitLocker To Go Reader window allows viewing files and exporting them to the local machine. Screenshot taken from Windows Vista.
The screenshot presents the BitLocker To Go Reader window after authentication. Individual files or folders can be exported to the local machine. No write operation can be performed.
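The file-name observation above is the one check that works on every platform, since Ubuntu and Mac OS X show no lock icon. As an added example that is not part of the original document, the following Python script turns it into a small triage routine for a mounted drive (or for a listing captured elsewhere). The file names it matches are the ones listed above; the four-digit width of the PAD XXXX.NG / COV 0000.ER fields, the sample listing, its file sizes and the 2 GiB volume size are assumptions constructed for the example.

```python
import os
import re
import shutil
from typing import Dict, Iterable, List, Tuple

# Files the document reports on the discovery part of a BitLocker To Go drive.
# "Language files" are not named on the page, so they are not matched here.
KNOWN_FILES = {"bitlockertogo.exe", "cov 0000.er", "read me.url"}
# Encrypted data containers: many 0-byte "PAD XXXX.NG" files and one large
# "COV 0000.ER". The four-digit field is an assumption based on the shown names.
PAD_RE = re.compile(r"^PAD \d{4}\.NG$", re.IGNORECASE)
COV_RE = re.compile(r"^COV \d{4}\.ER$", re.IGNORECASE)


def triage_listing(entries: Iterable[Tuple[str, int]], volume_size: int) -> Dict[str, object]:
    """Classify a root-directory listing given as (name, size in bytes) pairs."""
    known: List[str] = []
    pads: List[int] = []
    covs: List[int] = []
    for name, size in entries:
        if name.lower() in KNOWN_FILES:
            known.append(name)
        if PAD_RE.match(name):
            pads.append(size)
        elif COV_RE.match(name):
            covs.append(size)
    largest_cov = max(covs, default=0)
    cov_share = largest_cov / volume_size if volume_size else 0.0
    # Verdict: the reader executable plus at least one data container is the
    # pattern the page describes; the size share is reported as supporting evidence.
    has_reader = any(n.lower() == "bitlockertogo.exe" for n in known)
    return {
        "known_files": sorted(known, key=str.lower),
        "pad_count": len(pads),
        "pad_all_zero": bool(pads) and all(s == 0 for s in pads),
        "cov_share": cov_share,
        "verdict": has_reader and (bool(pads) or bool(covs)),
    }


def triage_directory(path: str) -> Dict[str, object]:
    """Run the same check on a mounted drive, e.g. /media/usb on Ubuntu or /Volumes/USB on Mac OS X."""
    entries = [(e.name, e.stat().st_size) for e in os.scandir(path) if e.is_file()]
    return triage_listing(entries, shutil.disk_usage(path).total)


# Constructed sample listing (sizes are invented; the 98% share mirrors the page).
SAMPLE_VOLUME = 2 * 1024 ** 3
SAMPLE_LISTING: List[Tuple[str, int]] = [
    ("BitLockerToGo.exe", 786_432),
    ("Read Me.url", 100),
    ("COV 0000.ER", int(SAMPLE_VOLUME * 0.98)),
] + [(f"PAD {i:04d}.NG", 0) for i in range(32)]

# A plain FAT32 stick with ordinary user files, for contrast.
PLAIN_LISTING: List[Tuple[str, int]] = [("report.docx", 40_000), ("photo.jpg", 2_000_000)]

if __name__ == "__main__":
    for label, listing in (("bitlocker-to-go", SAMPLE_LISTING), ("plain", PLAIN_LISTING)):
        print(label, triage_listing(listing, SAMPLE_VOLUME))
```

The verdict deliberately rests on the reader executable plus at least one container, so a stick that merely carries a stray `Read Me.url` is not flagged; the container count, the all-zero PAD sizes and the share taken by the COV file are returned separately so the examiner can weigh them against what Figure 14 shows.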
An alternative identification method is possible which is independent from the Operating System. By looking at the binary data in a Hex editor, the examiner can determine whether the volume is encrypted with BitLocker To Go.
FAT32
At first a USB drive with the FAT32 file system was used for experiments. Although there is no clear evidence of BitLocker in the header, there is a hint. The OEM Name for the file system is set to MSWIN4.1, which correctly identifies the file system as FAT type, see Figure 15. However, modern Windows OS tend to name the FAT as MSDOS5.0, which could indicate that BitLocker might be installed on a volume.
Figure 15. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Name is highlighted in yellow and FAT32 file system highlighted in grey.
Once the encrypted volume is viewed in Hex, the examiner can search for the BitLocker signature: ‘-FVE-FS-’. In the experiment, when the search was performed, multiple instances of the signature were found and surprisingly other information was detected as well. At the 0x88 offset from the signature, the Computer name, Drive Letter and Date of the PC where encryption was initiated were found, as seen in Figure 16.
Figure 16. BitLocker signature found on BitLocker To Go encrypted volume - highlighted in yellow. Additionally the original Computer Name, Drive Letter and Date were also found - highlighted in grey.
Unfortunately it was not possible to verify whether this was standard for every setup, having only access to one Windows 7 Ultimate PC. However, if it was the case, it could prove that the USB drive was connected to the specific PC and BitLocker To Go was enabled from that PC at the particular time. It could also aid the examiner in searching for the Recovery Key for the portable drive by pointing him/her to the recorded PC.
NTFS
Although NTFS is not a recommended file system for USB flash drives, some might use BitLocker To Go to encrypt portable USB hard drives, where it is the default file system. The file system was tested in order to verify what kind of evidence can be extracted and if the findings from FAT32 are applicable to an NTFS formatted drive.
Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker signature -FVE-FS- is at 0x03 offset - highlighted in yellow. Interestingly it is marked as FAT32 file system - highlighted in grey.
Figure 17 presents the header of the NTFS drive which was encrypted with BitLocker To Go. The BitLocker signature can be seen in yellow, but surprisingly it is showing as a FAT32 (in grey) volume. When compared, there are differences in the structure of the headers, though they follow a similar fashion. The encrypted NTFS volume has the BitLocker signature as the OEM Name but is inappropriately marked as FAT32, whereas the encrypted FAT32 volume has MSWIN4.1 as the OEM Name and the file system is properly recognized, but there is no clear indication that the volume is encrypted.
Both encrypted file systems share an interesting characteristic of recording the Computer Name, Drive Letter and Date of the encryption. The NTFS drive was also searched for the BitLocker signature -FVE-FS- and after some of the instances of the signature the details of encryption were found, as displayed in Figure 18.
Figure 18. BitLocker signature found on encrypted NTFS volume. Computer Name, Drive Letter and Date were also found.
Additionally the encrypted NTFS volume was not recognised on a Windows Vista OS; it prompted to format the drive. When the USB stick was connected to the Ubuntu 8.04 computer it was not mounted either. The (CARRIER, Brian) also failed to determine the NTFS, although it handled the encrypted FAT32 volume correctly. In contrast the aforementioned tools
NTFS.
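To give the hex-editor checks of the FAT32 and NTFS sections a concrete, repeatable form, here is an added Python example that is not part of the original document. It reads the OEM Name at offset 0x03, the FAT32 type field, every occurrence of -FVE-FS- in a raw image, and the text sitting 0x88 bytes after each signature, and it reports the weak MSWIN4.1 hint separately from the signature hits. The +0x88 offset is the document's own observation from a single Windows 7 Ultimate PC and is treated as a hint, not a fact about every setup; the UTF-16LE encoding of that text, the constructed sample images and the computer name, drive letter and date in them are assumptions made for the example. Point `triage_image` at the bytes of a dd image to run it on real evidence.

```python
from typing import Dict, List, Optional

FVE_SIG = b"-FVE-FS-"
DESC_OFFSET = 0x88        # page's observation: name/letter/date 0x88 bytes after each signature
OEM_OFFSET = 0x03         # OEM Name field of a FAT/NTFS boot sector (8 bytes)
FAT32_TYPE_OFFSET = 0x52  # "FAT32   " type string in a FAT32 BPB (8 bytes)


def oem_name(image: bytes) -> str:
    return image[OEM_OFFSET:OEM_OFFSET + 8].decode("ascii", "replace").rstrip()


def fs_type_field(image: bytes) -> str:
    return image[FAT32_TYPE_OFFSET:FAT32_TYPE_OFFSET + 8].decode("ascii", "replace").rstrip()


def find_signatures(image: bytes) -> List[int]:
    """Every offset at which -FVE-FS- occurs (the hex editor search from the text)."""
    offsets, pos = [], image.find(FVE_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(FVE_SIG, pos + 1)
    return offsets


def description_at(image: bytes, sig_offset: int, max_bytes: int = 128) -> Optional[str]:
    """Decode the text found DESC_OFFSET bytes after a signature.
    Assumption: UTF-16LE, NUL-terminated (the page shows the text but not its encoding)."""
    raw = image[sig_offset + DESC_OFFSET:sig_offset + DESC_OFFSET + max_bytes]
    units = bytearray()
    for i in range(0, len(raw) - 1, 2):
        if raw[i:i + 2] == b"\x00\x00":
            break
        units += raw[i:i + 2]
    try:
        text = units.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    # A signature with nothing readable behind it (e.g. the NTFS OEM Name hit) yields None.
    return text if text and text.isprintable() else None


def triage_image(image: bytes) -> Dict[str, object]:
    oem = oem_name(image)
    fs_type = fs_type_field(image)
    sigs = find_signatures(image)
    descriptions = [d for d in (description_at(image, s) for s in sigs) if d]
    hints: List[str] = []
    if oem == FVE_SIG.decode():
        hints.append("OEM Name is the BitLocker signature (NTFS case on the page)")
    elif oem == "MSWIN4.1" and fs_type == "FAT32":
        hints.append("MSWIN4.1 on FAT32: weak hint only, modern Windows writes MSDOS5.0")
    if sigs:
        hints.append(f"{len(sigs)} -FVE-FS- signature(s) in the image")
    return {
        "oem": oem,
        "fs_type": fs_type,
        "signatures": sigs,
        "descriptions": descriptions,
        "hints": hints,
        "verdict": bool(sigs),
    }


def build_sample_image(oem: bytes, fs_type: bytes, sig_offsets: List[int],
                       description: str, size: int = 64 * 1024) -> bytes:
    """Constructed stand-in for a raw dd image; only the fields the checks read are filled."""
    img = bytearray(size)
    img[0:3] = b"\xEB\x58\x90"            # jump instruction, as on a FAT32 boot sector
    img[OEM_OFFSET:OEM_OFFSET + 8] = oem.ljust(8)
    img[FAT32_TYPE_OFFSET:FAT32_TYPE_OFFSET + 8] = fs_type.ljust(8)
    img[510:512] = b"\x55\xAA"
    desc = description.encode("utf-16-le") + b"\x00\x00"
    for off in sig_offsets:
        img[off:off + 8] = FVE_SIG
        img[off + DESC_OFFSET:off + DESC_OFFSET + len(desc)] = desc
    return bytes(img)


SAMPLE_DESC = "EXAMPLE-PC F: 6/1/2009"   # constructed computer name, drive letter and date
# FAT32 case (Figures 15/16): MSWIN4.1 OEM Name, FAT32 type, signatures deeper in the volume.
SAMPLE_FAT32 = build_sample_image(b"MSWIN4.1", b"FAT32", [0x4000, 0x9000], SAMPLE_DESC)
# NTFS case (Figures 17/18): the signature is the OEM Name and the type field still says FAT32.
SAMPLE_NTFS = build_sample_image(FVE_SIG, b"FAT32", [0x4000], SAMPLE_DESC)
# Plain Windows-formatted FAT32 stick for contrast.
SAMPLE_PLAIN = build_sample_image(b"MSDOS5.0", b"FAT32", [], "")

if __name__ == "__main__":
    for label, img in (("fat32", SAMPLE_FAT32), ("ntfs", SAMPLE_NTFS), ("plain", SAMPLE_PLAIN)):
        print(label, triage_image(img))
```

The verdict is driven only by signature hits; the OEM Name and type field are returned as hints because, as the text explains, MSWIN4.1 on FAT32 is merely suggestive while the NTFS header's FAT32 marking is wrong. On a real image the examiner should expect more signature instances than descriptions, since not every instance has readable text behind it, which the NTFS sample reproduces.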