Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro Alt: Mounting and Imaging an Encrypted Device

Why is full disk encryption becoming more popular?

Encryption works to protect businesses and individuals from data breaches by protecting information and systems using cryptographic methods. The encryption of individual files or folders has been common practice for years. With the introduction of modern computing processors, full disk encryption (FDE) has increased in popularity for the convenience of use and universal protection¹ . Evidence of this is Apple's implementation of FileVault 2 by default since 2014² .

FDE can provide universal protection to an end-user device in the case it is lost or stolen, successfully augmenting physical protection for low criticality assets³ . If an end-user computing device is lost or stolen, any data accidentally stored on the machine is inaccessible without access to the encryption keys. Providing additional protection and compliance to end-users with little operational or financial impact means that many businesses are deploying FDE to their laptop and desktop fleet.

What does this mean for digital forensics?

For digital forensic investigators and analysts, however, FDE introduces a new set of problems concerning capturing dead boot and mounting encrypted images. An encrypted disk requires the correct tools and expertise to capture, mount, and decrypt the image to allow an analyst to use it. Given the increasing ubiquity of FDE, analysts should ensure they can recognize encrypted volumes and handle them correctly.

Overview of Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

In Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro, Brian Dykstra shows how to capture and mount forensic images encrypted with Bitlocker and FileVault 2. This course is for DFIR, IR, and IT professionals who already have digital forensics experience. Across three modules, Dykstra provides a refresher on basic forensic methodology, an overview of the tools used in the course, and capturing and mounting BitLocker/FileVault 2 encrypted images.

The tools used in this course are Evimetry and Mount Image Pro. If you've never used Evimetry before, you might want to try Dykstra's course Basic Evimetry Deadboot Forensic Acquisition: Wired & Local.

Modules covered in Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

Module 1 covers how to recognize a live encrypted system, and the signatures you can look for in an encrypted image. The module begins with a brief reminder to maintain notes on evidence and chain-of-custody. If you want to learn more about evidence handling, try Evidence Handling: Do it the Right Way. Getting to the crux of this course, Dykstra demonstrates how to retrieve the recovery key of a live BitLocker'd Windows system.

Module 2 is where the meat of this course is. In this module, Dykstra gives a brief rundown of capturing a sound forensic image of a Mac using Evimetry. Through the next section, Dykstra shows how to mount and decrypt the Evimetry image using Mount Image Pro. Dykstra shows how to decrypt FileVault 2 and BitLocker'd image using the keys retrieved in Module 1. Module 3 wraps the course up with a summary.

Final Thoughts

The course is quick, informative, and free. It is an excellent quick-reference resource for DFIR, IR, and IT professionals to refer back. As always, Dykstra is eloquent and can clearly explain complex topics to experienced audiences.

This course goes best with an afternoon scone and cup of tea, and a lab available to practice the skills you've just learned.

Want to get some hands-on experience, but don't have the equipment to set up a lab? Try the Computer Forensics and Investigations practice labs.

References

1. Fruhwirth, C.: New Methods in Hard Disk Encryption. Master's thesis, Vienna University of Technology (2005) Available: https://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf
2. Hern, A. "Apple defies FBI and offers encryption by default on new operating system," The Guardian., Oct, 2014. Available: https://www.theguardian.com/technology/2014/oct/17/apple-defies-fbi-encryption-mac-osx
3. Williams, B. & Chuvakin, A. "Chapter 7 - Protecting cardholder data", in PCI Compliance, 4th ed. , Elsevier Inc., 2015, ch. 7, pp. 113 - 140, Available: https://www.sciencedirect.com/science/article/pii/B9780128015797000078#ab0010 DOI: 10.1016/B978-0-12-801579-7.00007-8