Time
7 hours 26 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lab-based lesson covers obtaining the Windows BitLocker encryption keys, which an investigator needs in order to unlock an encrypted system and make use of a hard drive image. An investigator can obtain two types of images: physical and logical. Using FTK Imager, participants receive step-by-step instructions on how to obtain images.

Video Transcription

00:04
So one of the last things that we want to talk about
00:09
is getting the Windows
00:12
or the BitLocker encryption keys.
00:15
And that's going to be important because if you're not able to get a logical image
00:21
of your hard drive system
00:24
and you have to get
00:26
a physical image, if the system is encrypted with BitLocker, you're not going to be able to essentially do anything with that hard drive image unless you have the keys to unlock it.
00:40
So there's a couple of components to that statement.
00:43
First is a logical image, and the other is a physical image.
00:48
So if we wanted to collect a logical image of the system, we can go into our
00:56
portable FTK Imager program that we have. You could also use EnCase Imager if you wanted to. I'm just pretty familiar with the FTK Imager.
01:07
And then, uh,
01:10
we can essentially run FTK Imager
01:12
from marked up.
01:15
It'll take a minute for it to load.
01:19
All right, so now that this is loaded and running,
01:23
what we would want to do to capture that logical image is we would go to File
01:30
and then we would want to create a disk image. And it is going to be an image of our physical drive that we have attached to the system.
01:41
Uh,
01:42
our Physical Drive 0,
01:45
we would click finish, we would go through the same process that we initially went through with collecting
01:51
the, uh, the data from the removable drive. However, we would be collecting the data as it sits on the system right now, unencrypted.
02:04
And that would give us the ability to go in and look at that data.
02:07
Um,
02:08
should we not get the BitLocker encryption keys,
02:13
so
02:15
kind of this long, circuitous route.
02:16
If you know that you can't get the BitLocker encryption keys, or you have a system up and running and you're not sure of what type of encryption it has, or it may be connected to something else. Um,
02:32
like maybe if you have TrueCrypt running or if you're connected to some type of
02:37
remote file sharing service, you may want to go ahead and get that logical image. Otherwise, you could go ahead and get the physical image of the system, which would be with the system turned off, and then you could go and use a bootable
02:54
Linux thumb drive such as
02:58
Kali Linux to go ahead and
03:00
image the drive of that system while it's at rest. Or you could essentially remove the hard drive from that system and then image the hard drive outside of the system to get that physical image.
03:17
But
03:20
either option that you choose, it just needs to suit the purposes that you're looking for for your investigation. If it's perfectly acceptable for you to use a logical image and that's all you could get, then, by all means, go ahead and use that type
03:38
of image. But if you're looking to do the more forensics side of the house and you have to, maybe, testify in court in reference to some of the forensics processes that you do, you obviously want to use the best evidence possible in its most
03:58
unalterable state, which would be that
04:01
that
04:02
image of the dead box.
04:06
So, going on from here,
04:09
we've done a lot of things in this video, so let's just kind of take a moment to consolidate what it is that we have accomplished.
04:18
So thus far,
04:20
we've talked about
04:23
essentially going through that preparation phase. And what we've done is we've taken our removable media
04:30
and we have wiped and sanitized that media and any data that was on it.
04:38
So we used the EnCase,
04:41
um,
04:42
Imager to go in and wipe that data.
04:47
And then we essentially had to go back in and reformat our drive.
04:53
Once we were able to format that device, it was then ready to use on our victim's system.
05:00
We could insert that device into the victim machine, and then we could then go about collecting that volatile memory.
05:08
And then we could go about collecting
05:12
images from that system. What we also talked about was we began to image
05:18
a thumb drive that was potentially found at the scene of your incident.
05:24
So we did a couple types of imaging. We also took the hash files of the memory that we were able to image, and we consolidated all of those processes that we did
05:39
onto our forensic thumb drive.
05:42
So here we have
05:43
the
05:45
image of our SanDisk Titanium drive.
05:48
And we have our volatile memory image.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor