Part 14 - Obtaining the Windows Bitlocker Encryption Keys


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Transcription
00:03

One of the last things that we want to talk about is getting the Windows or the BitLocker encryption keys. That's going to be important because if you're not able to get a logical image of your hard drive system, and you have to get a physical image, if the system is encrypted with BitLocker, you're not going to be able to essentially do anything with that hard-drive image unless you have the keys to unlock it. There are a couple of components to that statement. First is a logical image and the other is a physical image.

If we wanted to collect a logical image of the system, we can go into our portable FTK Imager program that we have. You could also use EnCase Imager if you wanted to. I'm just pretty familiar with the FTK Imager. We can essentially run FTK Imager from our thumb drive. It will take a minute for it to load. Now that this is loaded and running, what we'd want to do to capture that logical image is we would go to File and we would want to create a disk image. It is going to be an image of our physical drive that we have attached to the system, our Physical Drive 0. We would click Finish and we would go through the same process that we initially went through with collecting the data from the removable drive. However, we would be collecting the data as it sat on the system right now, unencrypted. That would give us the ability to go in and look at that data should we not get the BitLocker encryption keys.

This long, circuitous route: if you know that you can't get the BitLocker encryption keys, or have a system up and running and you're not sure of what type of encryption it has or it may be connected to something else. Maybe if you'd have TrueCrypt running or if you're connected to some type of remote file-sharing service, you may want to go ahead and get that logical image. Otherwise, you can go ahead and get the physical image of the system, which would be with the system turned off. Then you could go and use a bootable Linux thumb drive such as Kali Linux to go ahead and image the drive of that system while it's at rest. Or you could essentially remove the hard drive from that system and then image the hard drive outside of the system to get that physical image. But either option that you choose, it just needs to suit the purposes that you're looking for, for your investigation. If it's perfectly acceptable for you to use a logical image or that's all you can get, then by all means, go ahead and use that type of image. But if you're looking to do the more forensics side of the house and you have to maybe testify in court in reference to some of the forensics processes that you do, you would obviously want to use the best evidence possible in its most unalterable state, which would be that image of the dead box.

Going on. We've done a lot of things in this video, so let's just take a moment to consolidate what it is that we have accomplished. Thus far, we've talked about essentially going through that preparation phase. What we've done is we've taken our removable media and we have wiped and sanitized that media of any data that was on it. We used the EnCase Imager to go in and wipe that data, and then we essentially had to go back in and reformat our drive. Once we were able to format that device, it was then ready to use on our victim system. We could insert that device into the victim machine, and then we could go about collecting that volatile memory, then we could go about collecting images from that system. What we also talked about was we began to image a thumb drive that was potentially found at the scene of your incident. We did a couple of types of imaging. We also took the hash files of the memory that we were able to image, and we consolidated all of those processes that we did onto our forensic thumb drive. Here we have the image of our SanDisk titanium drive, and we have our volatile memory image.