Overview

With the latest release of the Microsoft operating system (OS), Windows Vista, Microsoft introduced BitLocker encryption. The main purpose of BitLocker is to protect sensitive data in the event a PC or notebook computer is lost or stolen. There are countless news stories detailing the risk of identity theft affecting literally millions of people when a corporate or government notebook computer is lost or stolen. This was the reason for the introduction of BitLocker within the new Windows Vista OS. For all practical purposes, when properly implemented, BitLocker provides unbreakable encryption of all data on the volume.

BitLocker performs a sector-by-sector encryption of the entire volume. This is an important fact to remember and will be discussed in more detail below. Decryption of data is performed on the fly: when the system is operated by an authorized user, data is decrypted only as it is read into memory. The data stored on the encrypted volume remains encrypted at all times. The constant encryption/decryption process occurs in the background, and system performance does not appear to be impacted by it.

How BitLocker is implemented and the modifications that must be made to the “traditional” forensic practices will be discussed in this article.

Three methods of implementation of BitLocker
BitLocker is currently included in two versions of Windows Vista, the Business and Ultimate editions. This is in line with the marketing of BitLocker to corporate and government clients who are most likely to suffer more exposure in the case of equipment theft.

BitLocker is dependent first and foremost on the Trusted Platform Module (TPM) chip on the motherboard. The TPM performs basic cryptographic functions such as hashing, random number generation and creation of key sets. In regard to BitLocker, its most important function is to authenticate the machine with the hard drive prior to booting. This directly impacts the “traditional” forensic model of shutting a system down and imaging the drive independently. In fact, some notebook computer manufacturers use this same capability to completely lock a hard drive if it is removed from its host system.

When Vista is installed with BitLocker enabled, two NTFS volumes are created on the drive. The first volume, called the System Volume (SV), is unencrypted. The SV contains the BitLocker code and utilities; because it is unencrypted, the data on this volume is fully accessible. The second volume, the Operating System Volume (OSV), is fully encrypted; it contains the operating system and user data. During the boot process, hash values for the SV are compared to those stored in the TPM. If these values match, the system recognizes that the SV is unchanged and continues the boot process. If changes to the SV are detected or the hard drive has been moved to a different computer, the system remains locked and boots to Recovery Mode.

In the simplest use of BitLocker, the authentication of the SV is all that is used and the computer boots directly into the Vista desktop.

A second level of authentication within Vista and BitLocker involves the creation and use of a USB security key, a user PIN, or a combination of both the USB key and PIN. When implemented with a USB key, an encrypted security key is stored on a bootable dongle or thumb drive. The USB key must be inserted prior to booting the computer; otherwise Vista will report the error and go into recovery mode. Upon recognition of the USB key during boot, Vista continues to load the OS normally, and following the successful boot the user is prompted to remove the USB key, although the key need not be removed for the system to continue to operate.

Another implementation involves the use of the USB key in addition to a user-created PIN from 4 to 40 characters in length. If this method is used, the OS will load once the USB key is recognized, but the system will remain locked until a valid PIN is entered. Once the user has correctly entered the PIN, the system responds normally and will remain unlocked until the screen saver is activated or the system goes into hibernate mode. If this occurs, the user will be prompted to re-enter his PIN before the system will respond.

Why is this important for E-Discovery Professionals?
The implementation of BitLocker creates unique challenges to forensic imaging. First, since there is no third-party software-based method to decrypt a BitLocker encrypted drive, the standard practice of shutting down and imaging is not possible. The forensic engineer must begin the process of forensic imaging with the system in a live state in order to capture the specific encryption keys that will be used in the eventual decryption of the drive. While this means there is a period of time during which changes to the data on the drive will occur after the forensic engineer has taken possession of the system, careful documentation of the steps taken during this period can reduce concerns about data integrity. If the client is familiar with “normal” forensic practices, it will be necessary to be able to explain the differences present when imaging in a BitLocker environment.

When discussing imaging requirements with a client, first and foremost it will be important to determine if Windows Vista is being used and whether it is the Business or Ultimate edition that incorporates BitLocker. If this is the case, we must then know whether a USB key is used alone or in conjunction with a user-selected PIN. In either case, both of these items must be available if the forensic engineer is to image a system that is sent directly to eMag, or if we will be accessing a system that is shut off at the client’s location.

The client should also be aware of the necessity of acquiring not only the system to be imaged, but all USB thumb drives and other external flash media in the custodian’s possession. The USB drive created for BitLocker will often contain not only the encrypted key read by the system at boot-up, but also a plain-text file containing the recovery key. If the custodian or client is reluctant to release these items, they can be copied or imaged onsite using normal forensic processes.

In the event that the user of the system is reluctant to provide, or refuses to provide, his USB key or PIN to allow access to the computer, it is essential that the forensic engineer be able to approach the system in a live, unlocked state. This will require a higher level of coordination and pre-planning with the client. To gain access to the system in this case, the system must be logged on as an authenticated user and not allowed to go into screensaver or hibernate mode. While there are several methods to achieve this, the specifics will not be discussed here in the interest of brevity.

If the forensic engineer is able to gain access to the system in an active state, it is possible to create additional USB keys via the system control panel. Additionally, if the active account has Administrator rights, it is possible to determine the recovery key through the use of command-line scripts. Once these keys have been created or documented, the system can be shut down and the drive can be removed for imaging.

To complete an image, the forensic engineer must use an examination system running Windows Vista with BitLocker enabled. The encrypted custodian drive is mounted as a foreign volume via a write-blocking device. The BitLocker utility program is accessed on the examination system and will recognize the presence of the BitLocker encrypted volume on the custodian drive. The examiner then selects “Unlock Volume” and BitLocker prompts for either the USB key or the recovery key. Once either of these keys is provided, the forensic engineer will have full access to the drive.
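As an added example that is not part of the original article, the command-line work implied in the two preceding paragraphs written as one PowerShell script around Microsoft's manage-bde tool: in "document" mode, run on the live, unlocked custodian system, it records the volume's encryption status and key protectors (including the numerical recovery password) to a timestamped log and hashes that log for the chain-of-custody record; in "unlock" mode, run on the examination system, it unlocks the write-blocked foreign volume with the documented recovery password. It assumes an elevated session and manage-bde.exe (Windows 7 and later; on Vista the equivalent is cscript manage-bde.wsf with the same switches, which is an assumption here), and the drive letters and log path are placeholders.

```powershell
# Added example, not the article's own procedure. Requires an elevated session.
# Assumption: on Vista, replace "manage-bde" with "cscript $env:SystemRoot\System32\manage-bde.wsf".
param(
    [string]$Mode = "document",            # "document" on the live custodian system, "unlock" on the examiner system
    [string]$Volume = "C:",                # placeholder: OS volume (live) or foreign volume letter (examiner)
    [string]$LogDir = "E:\case\bitlocker", # placeholder: examiner-controlled media, never the evidence drive
    [string]$RecoveryPassword = ""         # 48-digit recovery password, used only in unlock mode
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir "bitlocker-$Mode-$stamp.txt"

function Write-Log([string]$Text) {
    # Every entry carries a timestamp so the period of live access is fully accounted for.
    "$(Get-Date -Format o)  $Text" | Out-File -FilePath $log -Append -Encoding utf8
}

switch ($Mode) {
    "document" {
        Write-Log "Host: $env:COMPUTERNAME  User: $env:USERNAME  Volume: $Volume"
        # Encryption state of every volume: method, percentage encrypted, lock status.
        Write-Log (manage-bde -status | Out-String)
        # Key protectors on the custodian volume: TPM, external key (USB), numerical password.
        # The numerical password printed here is the recovery key used later on the examiner system.
        Write-Log (manage-bde -protectors -get $Volume | Out-String)
    }
    "unlock" {
        # The recovery password is eight groups of six digits separated by hyphens.
        if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
            throw "Recovery password must be eight groups of six digits, e.g. 123456-123456-..."
        }
        Write-Log "Unlocking foreign volume $Volume mounted behind a write blocker"
        Write-Log (manage-bde -unlock $Volume -RecoveryPassword $RecoveryPassword | Out-String)
        Write-Log (manage-bde -status $Volume | Out-String)
    }
    default { throw "Mode must be 'document' or 'unlock'." }
}

# Hash the log with .NET directly (works on PowerShell 2.0, which has no Get-FileHash)
# so the documentation itself can be verified when the acquisition is questioned.
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = [System.IO.File]::ReadAllBytes($log)
$hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace("-", "")
"SHA256($log) = $hash"
```

Run it as .\bitlocker-acquire.ps1 -Mode document on the live system, then .\bitlocker-acquire.ps1 -Mode unlock -Volume F: -RecoveryPassword <48 digits> on the examiner system, keeping both logs with the case file.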

At this point the engineer has two options: fully decrypt the entire custodian volume, or complete an image of the drive. The first choice involves decrypting and rewriting the entire encrypted volume. While the content of the data is not changed, the fact remains that the data on the evidence drive is being changed during this process. Again, this process and the reasons for choosing this course of action should be carefully documented by both the forensic engineer and the client.

In the second option, a logical image of the drive is created. This may be an area of initial confusion, as we are used to the concept of a logical image being unable to incorporate unallocated or deleted data. However, as mentioned in the overview, BitLocker performs a sector-by-sector encryption of the volume. As such, it does not differentiate whether a data area on the drive holds allocated or unallocated space. During the logical image process, every sector of the custodian drive is decrypted by BitLocker as it is imaged. Once the image is completed, it can be moved and opened within EnCase or any other forensic program for examination.

Summary
While BitLocker encryption does present unique challenges for forensic acquisition, it is possible to accomplish this process with careful pre-planning. The pre-planning process must include a thorough understanding of what OS is in place; in the case of Vista, whether BitLocker is implemented and by which method; and finally what level of cooperation can be expected from the custodian. Contact eMag today if you’d like to learn more.