Video Transcription

00:00
All right. Welcome to handling bit locker and fire all file vault to encrypted drives with elementary and mount image Pro. That's gonna be a lot of fun.
00:10
All right, So, um,
00:13
it is really commonplace nowadays to run into fully encrypted disks. For one, all all new Macs are shipping with foul ball to encryption turned on by default eso they're all gonna be encrypted on, then. You know, in most business environment, you have lots and lots of windows computers
00:32
and people are starting to take advantage of the bit locker encryption build into those. Either because regulations or their increasing security or they
00:40
huge mobile workforce. And there's also a lot of Microsoft surface is out there that are also ah, gonna be bit Lockard just just by default. A zey come from the factory. Um, so you're gonna you know, you're gonna do this on a professional basis. You're gonna need to be prepared
00:58
in house to to deal with
01:00
with full disk encryption.
01:03
Uh, the questions always gives way. How do I know if it's scripted?
01:06
Ask someone right now. Not everything's a technical solution. We can just go. Hey, is your disk encrypted? Uh, Yeah, we encrypt everything here. Great. Good to know. Um, if the target system is live, you can perform some easy checks on it on a Windows system. We just type in their bit locker at the search bar,
01:26
and we go to manage bit locker.
01:27
Alternatively, you can do open dis management. Look at that. Um, and it will show you whether it's Ah, it's bit locker or not. So if I do this right here on my system, because it seems like a fun time.
01:40
So if I just do that very same thing, I type bit locker in the
01:44
thing there immediately managed bit locker pops up
01:48
and look at that right there. Local disk. CeBIT locker is on. Great. All right, well, that's an easy, easy task. What was the other one I gave it? Said open disk management. Sure. Disk
02:00
managements. Can I get to that for the prompt?
02:02
No, I can't. But that's OK, cause I know where they hide it.
02:07
Control panel
02:08
system. You're down here to administrator tools,
02:13
and now it's computer management. No wonder I I messed that up.
02:16
Um,
02:19
but under disk management, asi I knew I was right there. somewhere. Computer management. If we take a look at our Dr C here, we see that it's NT fs bit locker encrypted. So to really simple ways to show it. And it shows down here in the in the lower pain. Also, that it's a bit locker encrypted volume, so
02:37
simple, easy ways to figure out whether you're
02:39
system is bit locker encrypted, Billy said. First of all, just just asked someone,
02:44
you know, good, I t folks, we'll know whether they're encrypted or not
02:47
and be able to provide that information
02:50
on an apple. It's a little bit different. Um, you go to, ah, the Apple menu system preferences, security and privacy. And then there's a file vault tab at the top of that security and privacy section that will show you whether it is fall vote encrypted.
03:06
That Apple menu is in the top left corner of your screen and the finder.
03:10
I just click a little apple come down. There's also command line options for doing that, but you know who wants to do that? Like online Blue?
03:19
Um, so desiccation not familiar with that, Uh, I said right there in the top left hand corner on the picture of the left. You click a little apple there, you can see system preferences. You click on system preferences going to open up a pain with a bunch of different system preferences. Units like the security and privacy one that we can see here on the right.
03:38
And then, of course, you know your tab over You've got file vault there, and it will tell you that
03:42
Volvo has turned on on this Macintosh hard drive, and the recovery key has been set
03:47
that it's all encrypted up. So nice and simple easy ways to find out.
03:52
Um, I said most newer Macs are gonna all be filed, all encrypted, so it's pretty much a standard.
04:00
All right, um, what about the forensic images themselves? If I had a forensic image of a hard drive, um, you know what? I need to figure out if they're encrypted? Well, one I could just try and mount it. If it doesn't mount. Probably get some sort of air. And yet, But you can also look for the file signatures
04:18
for this. So the signature looking for the beginning of a bit locker encrypted of volume is this Dash
04:25
f ve Dash F s dash on that sends for full volume encryption file system. Right? I'll be right there. Big letters, right at the beginning of your bit locker. Encrypted volume. Boom. You know, I know I've got an encrypted disk on a Mac. It's a little bit different. The signature is, uh,
04:44
n C R D s A or this big hex value here, 65 e 63 70 blob above the ball
04:51
that would be found in the beginning of a file vault encrypted volume to let you know that's there, you know? And you can do that through a hex editor. Ah, you know, you could do that. F t k amateur. Just anything that would show you the raw disk there. You'd be able, Teoh quickly identify whether they're encrypted.
05:06
And of course, you wouldn't be able to see any, you know, asking text sort of content that made any sense. So
05:12
another dead giveaway that you're dealing with some encryption there.
05:16
All right, so one of the things that's important here is you know, when I'm collecting this disk and it's and I found out that it's encrypted, I want to make sure that I get the bit locker recovery key for this. If I'm dealing with Windows system,
05:30
it's on a windows system. I just simply open up. Ah, Windows system coming. Admin command prompt. Gotta be an admin. Kracman prompt
05:38
on at that command. Prompt. I type in manage dash Bt space Dash protectors.
05:46
The first disk there, the suitable volume. So in this case, you know, we're assuming it's the C drive
05:51
space dash. Get that Will go ahead and throw up some some interface there that will have a We're looking for a 48 digit eso. It's, ah, eight sets of six digits. Separated by dash is kind of like my example here. The 1123 We're looking for this big
06:08
string number of 48 digits here, and that's gonna be our bit locker recovery key
06:13
they were gonna use to unlock are encrypted Bill locker volume later on on and, you know, let's let's actually do right here. Oh, I'm gonna share my whole crazy bit locker key with everybody. You guys excited, right?
06:27
Totally. Hacks or me.
06:29
Bummer. Brian only uses the training computer.
06:31
All right, so
06:33
manage.
06:35
Be a
06:38
dash, protect doors.
06:42
C colon big C corn dash, get.
06:46
Look at that 48 digit
06:49
key right there. Numerical password, all that type of stuff.
06:54
And that's our bit locker key.
06:57
Fun, huh? Not hard to do it all. You want to copy that out? That's definitely something that you're gonna want to store in your evidence. Documentation is, you know, any passwords or keys like that s o that down the road, especially, Ah, you know, civil litigation, criminal cases, things like this where, you know, it could be
07:15
years from the time you collect the data to the time you actually end up using it for
07:21
depositions, trials, whatever. It might be really important to make sure that you store those with your evidence documentation so that, you know, somewhere down the road, maybe three or four of investigators or examiners removed from you, they'll still have access that data.
07:38
Um, for a Mac file vault to encrypted, all you need is the admin password. Which is why I got Billy Eyeless. You're doing that
07:46
because this is one of those areas where I'm just back somehow for hold of frustration that I have with Apple for some of the things that they dio That's the easiest thing ever. Just I just need the admin password for the system, and I can go ahead and unlock my follow wall. Teoh encrypted Dis so
08:03
much, much simpler on a Mac.

Up Next

Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

In this course we will look at forensic collection of fully encrypted Windows and Mac computers with Evimetry.

Instructed By

Instructor Profile Image
Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor