BitLocker is a disk encryption facility that is available since Microsoft Windows 8 that can be used to protect data held on system and removable drives connected to the computer.
BitLocker is available within machines running Windows Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, Windows 8.1 Professional and Enterprise and Windows 10 Professional.
BitLocker System Requirements
In order to use Bitlocker, your Windows computer will need a hard drive with at least 2 volumes as well as a Trusted Platform Module (TPM) which is a chip that runs authentication checks against the system to prevent it being booted within a different or altered computer.
Bitlocker has 5 different modes that relate to the boot process of the system. Either of these configurations can be selected within the Bitlocker Drive Encryption control panel when the encryption is enabled.
TPM only is the least secure and the encryption key is stored within the TPM chip that is automatically accessed when the chip has confirmed that the system has not altered.
Startup Key only is when the Bitlocker startup key is stored to a USB memory stick that is required to be inserted within the system before it will start. This configuration does not require that the system has a TPM chip, only that the USB memory stick is present.
The TPM and Startup PIN configuration is when the Bitlocker key is stored to the TPM chip and a PIN is required to be input before the system can access the volume and begin the boot process.
The TPM and Startup Key configuration stores the Bitlocker key on the TPM chip and also requires the user to insert a USB memory stick that contains the startup key before the system is able to access the Bitlocker volume and begin the boot process.
The TPM, startup key and startup PIN configuration stores the Bitlocker key on the TPM chip and also requires the user to input the PIN and insert a USB memory stick containing the startup key before the system can access the Bitlocker volume and commence the startup process.
Why Use BitLocker?
Bitlocker is a closed source program and user’s cannot determine whether there is a backdoor built into it, however, Microsoft states that there are no backdoor’s and, therefore, whilst it may not be able to protect against the intelligence services, it can defend against normal thieves and any other type of unauthorised access.
Setting Up BitLocker
The installation Bitlocker on a Windows 10 machine should involve the following steps.
Type ‘Bitlocker’ and open the Bitlocker Device Encryption application.
Click ‘Turn on Bitlocker’ on the device or drive to be encrypted.
The application will now check that Bitlocker can be used on the system and that it can be supported. If the system contains no TPM then the following message is displayed at this point:
If the system can support Bitlocker encryption then Windows will ensure that the TPM is switched on, if it is off then the system will need to be shut down. Upon restart, the system may identify a change and the user is then required to press the F10 key.
As long as Bitlocker is compatible with the system then a green ‘tick’ will be displayed next to ‘Turn on the TPM Security Hardware’.
A password or key is then requested to be input which is the one that will be required each time the device is to be accessed or the system started (depending upon whether the device being encrypted is removable or the system drive).
The key can be stored to a USB device that can then be inserted into the computer in order to allow decryption of the data.
The recovery key is then required to be saved so that it can be used to recover the system/drive in the event of failure. The key can be stored to a Microsoft account, to a file, printed or to a USB memory stick. Then click next.
You can then decide whether you encrypt the disk space used so far or encrypt the entire drive. If the option to encrypt disk space used so far is used then any new files will be included, however, if the drive already contains user created files then it is likely that the encryption of the entire drive would be preferable.
Windows 10 Build 1511
When using Windows 10 build 1511 or later, the encryption mode can then be chosen, being either ‘new’ or ‘compatible’.
If it is a system drive that is being encrypted then ‘new’ can be chosen as it will not be opened with another device, however, if the device being encrypted is removable and another device, potentially running an older version of Windows, may be used to open it, then the ‘compatible’ option should be taken.
Select ‘Run Bitlocker System Check’ and then click continue so that the next time the computer is started the encryption will begin. Restart the computer and enter the password created earlier and then the encryption of the drive will take place, the amount of time required will depend upon the size of the drive and the amount of data present.
Bitlocker without a TPM
If the Bitlocker program identifies that “This device can’t use a Trusted Platform Module. Your administrator must be set the Allow BitLocker without a compatible TPM option in the Require addition authentication at startup policy for OS volumes” during the configuration of the Bitlocker encryption then further steps are required.
If you press the Windows key & R, the ‘run’ window opens and then type gpedit.msc as below
This will produce the following window:
Select Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives and select the ‘Require Additional Authentication on Startup’ option. Then select ‘Allow Bitlocker without a compatible TPM (requires a password or a startup key on a USB flash drive)’ and select ‘Apply’ and then ‘OK’ to save those changes.
How Can Bitlocker Be Overcome Using Forensics
A limited number of techniques exist that allow a digital forensic expert to overcome BitLocker protection including by attempting to capture a memory dump whilst the computer is mounted.
Windows 10 November Update
Microsoft maintained compatibility between versions of Bitlocker from Windows Vista, however, build 1511 of Windows 10 saw the introductions of support for XTS-AES encryption which supports 128-bit and 256-bit XTS-AES keys and it is not backward compatible with previous or existing systems running earlier versions of Windows.
The option is provided to the user when encrypting removable drives with Bitlocker to go.
The new version of Bitlocker also prevents other types of attacks from being conducted, such as using FireWire to capture a live RAM dump, as those ports are switched off by default until the device is unlocked.
It is possible to decrypt a Bitlocker volume using the following techniques:
Recovering the BitLocker Password
It is possible to use forensic tools to use enumerating tools in an attempt to recover the correct key, however, Bitlocker was was designed to sustain such attacks and it is a slow process and is unfeasible for all but simple passwords.
If the startup key or PIN that is required to start up the system is lost then the recovery key created during the setup process can be used to unlock it. If that key is also lost then a designated Data Recovery Agent can recover the drive within an organisation who would use a digital certificate present on a key card to unlock the drive.
Decryption Key Extraction
The extraction of the decryption key from the computer RAM is possible and to do so a RAM dump is required using a forensic tool and then use another forensic tool to load the RAM dump and then locate the Bitlocker decryption key and use that key to mount the encrypted volume.
Sleep Mode – Bitlocker
If the computer is within sleep mode then the Bitlocker key will be stored within the RAM of the device. However, the 1511 update sees this option being removed.
Bitlocker to Go
Bitlocker to Go allows the user to encrypt a USB memory stick, flash drive or external hard drive and does not use a TPM chip to function.
The Bitlocker control panel is used on the PC with the external drive connected to it and the software will identify that drive and enable it to be opened using the password/key chosen when the drive was encrypted.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.