As technology evolves, so do the challenges faced by the digital forensic examiner. An increasingly frequent obstacle appearing now is BitLocker encryption in conjunction with the Trusted Platform Module (TPM). The rollout of Windows 11 made having an initialised TPM (2.0) a mandatory prerequisite before being able to install Windows 11. Tackling the TPM is going to be one of the major issues encountered by the digital forensic computer examiner in the future as Windows 10 support ends in 2025 (Microsoft, 2024). This paper describes a method for accessing the BitLocker-protected partition of a Windows computer in a short time using minimal equipment in a forensically sound manner. As a result, BitLocker-encrypted partitions of physical images can be decrypted using recovery keys obtained via compliance or brute force of the user's password or PIN.
Starting from Windows 11, the Trusted Platform Module (TPM) 2.0 has become a computer requirement, providing hardware-based security capabilities. This poses a challenge to digital forensics experts, as the amount of BitLocker-encrypted evidence protected by a TPM tends to increase. This paper presents a forensic method for obtaining the BitLocker Volume Master Key (VMK) from TPM-protected evidence using Intel DCI technology and reverse engineering techniques. It shows how to enable Intel DCI in the firmware, reverse the Windows Boot Manager UEFI application, and debug the target computer using a USB 3 A–A cable to retrieve the VMK from memory. We have effectively applied the presented method on a computer with a 7th-generation Intel processor containing a BitLocker-encrypted volume with TPM protection and Windows 11 Pro. As a result, we were able to fully decrypt the BitLocker volume with the VMK and gain data access. We consider, however, that the success of the presented method depends on the ability to enable Intel DCI in the target computer, which may not be feasible in every system.
We have analyzed the hardware full-disk encryption of several solid state drives (SSDs) by reverse engineering their firmware. These drives were produced by three manufacturers between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in an M.2 or 2.5" traditional form factor) and external models using the USB interface. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many models using hardware encryption have critical security weaknesses due to specification, design, and implementation issues. For many models, these security weaknesses allow for complete recovery of the data without knowledge of any secret (such as the password). BitLocker, the encryption software built into Microsoft Windows, will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised. We conclude that, given the state of affairs affecting roughly 60% of the market, currently one should not rely solely on hardware encryption offered by SSDs, and users should take additional measures to protect their data.
BitLocker Full-Disk Encryption Lewis, Stephen G.; Palumbo, Timothy
Proceedings of the 2018 ACM SIGUCCS Annual Conference,
09/2018
Conference Proceeding
Microsoft BitLocker full-disk encryption has been widely implemented at Lehigh University since 2014 on both laptop and desktop computers. This retrospective review will summarize BitLocker's selection factors, initial testing, mass deployment, and important lessons learned. Additionally, this review will discuss the university's transition to Windows 10 and how it positively impacted the use of BitLocker.
Windows To Go Lewis, Stephen G.
Proceedings of the 2015 ACM SIGUCCS Annual Conference,
11/2015
Conference Proceeding
Windows To Go (WTG) is an oft-overlooked feature first included with Windows 8 Enterprise Edition. WTG allows for the effortless creation of portable USB-based Windows 8 (and later) operating system instances. WTG is not a stripped-down version of Windows; it is a full Windows operating system, indistinguishable from a conventional installation. Unlike traditional portable operating systems such as Windows PE, WTG offers a fully-functional yet persistent environment. WTG instances can be joined to an Active Directory domain, be managed using Group Policy, accommodate the installation of most software, and retain individual user profiles.
The use of WTG has value for both PC support technicians and end-users. WTG provides these capabilities, and more, with USB 3.0 support, UEFI boot compatibility, and BitLocker disk encryption.
This paper recounts the events that led up to Lehigh University embracing WTG, and also describes how WTG increases the efficiency and effectiveness of PC support technicians.
This paper documents the BitLocker Drive Encryption system included with some versions of Microsoft's Windows Vista. In particular, it describes the key management system, the algorithms and modes used, and the metadata format. Particular attention is given to methods forensic examiners can use to access protected data. There are some unanswered questions about how the cryptosystem operates, including an undocumented key management decision. This decision could allow, in a particular usage scenario, unauthorized access to a protected volume.
Research on Trusted Computing Implementations in Windows Shu-xia Wang; Yin-chuan Wang; Wei-zhen Tian
2010 International Conference of Information Science and Management Engineering,
2010-Aug., Volume: 1
Conference Proceeding
The main theme of this paper is to analyze Microsoft's implementations of Trusted Computing in Windows NGSCB. First, it sets out the two most important components of a trusted computing system, which are the secure computer platform and the secure and trusted system. It then sets forth the implementation of the secure computer platform from the TPM and the trusted boot sequence. Next, it analyzes the NGSCB implementation in Windows against the definition of a Trusted Operating System and points out Microsoft's efforts in implementing the TSS. Finally, it analyzes the trusted application BitLocker in the context of trusted computing initiatives and proves that it can provide protection against attacks in many situations.
The release of trusted computing (TC) technology and its features, such as full disk encryption, has had several implications on the digital forensic investigation process. Today, it is clear from the number of proposed works that trusted computing forensics is a non-trivial topic. This paper presents the state of the art in trusted computing forensics. It starts by establishing the context of the research area by introducing the concept of trusted computing. Then, it reviews the existing trusted computing forensics research related to all of the branches of digital forensics and investigation steps. Finally, this paper discusses the current open issues and future research directions in the field of trusted computing forensics. To the best of our knowledge, this paper is the first research to investigate the state of trusted computing forensics using a classification based on the digital forensic types and investigation steps.
Windows Vista and digital investigations Hargreaves, Christopher; Chivers, Howard; Titheridge, Dave
Digital investigation,
09/2008, Volume: 5, Issue: 1
Journal Article
Several of the new features of Windows Vista may create challenges for digital investigators. However, some also provide opportunities and create interesting new evidential artefacts which can be recovered and analysed. This paper examines several of these new features and describes methods for recovering shadow copies of files from Restore Points, identifying BitLocker on a system, the importance of recovery keys in dealing with BitLocker encrypted volumes and also the problems that User Account Control could cause for live investigations.
Innovations in digital storage technologies pose challenges to cyber crime investigators. BitLocker Drive Encryption is such a new technology that is available in Windows 2008 and in the Ultimate and Enterprise editions of Windows Vista and Windows 7. This technology protects a computer owner from confidential and personal data theft in instances of loss of the machine or outside attacks through the network. Since BitLocker Drive Encryption performs full encryption of digital storage media drives, it seems to be a real challenge for a cyber crime investigator to break the encryption. Although BitLocker provides multi-factor authentication by means of a Trusted Platform Module (TPM), PIN number and USB, normally a computer user opts for only the 'USB-only' mode. In this paper, the authors describe different ways to recover fixed or removable storage media drives bitlocked in USB-only mode. This paper describes a step-by-step algorithm to disclose the BitLocker recovery information that can be used to unseal bitlocked drives. The paper addresses the recovery of bitlocked drives in both live and offline forensics.