Time: 8 hours 6 minutes
Difficulty: Intermediate
CEU/CPE: 4

Video Description

This lab-based lesson picks up where the previous lesson left off and continues the instructions on how to obtain the Windows BitLocker encryption keys.

Video Transcription

00:04
So the last thing that we want to talk about in this video is essentially how to
00:10
get our Windows BitLocker encryption keys. So
00:16
we're again going to want to pull up a command prompt,
00:22
and then from here, we're going to type in the following commands.
00:28
So if we wanted to see if the system had BitLocker on it,
00:33
we would essentially type the command manage-bde -status.
00:49
Then it's going to run.
00:56
We have to run this as an administrator.
01:07
So on your victim machine you would want to run that as an administrator. So I'll pipe it over again,
01:23
and then it will provide you the status of all of the devices on the system so we can see our operating system.
01:32
Uh, drive C. It is fully decrypted. The protection status is turned off.
01:38
Lock status is unlocked.
01:40
If we did have BitLocker on our system,
01:47
we'd essentially type another command.
01:49
I'll go ahead and show you that it's not going to return anything, though.
02:21
manage-bde -protectors -get.
02:23
So that's what it would look like.
02:27
And we don't have any protectors because we don't have BitLocker
02:31
on our system.
02:32
However,
02:35
if it did return encryption keys, you would essentially want to copy this.
02:39
And then you would want to turn that into a text file on your forensic thumb drive.
03:10
Okay, so that process finally finished. It is a rather large file. But essentially, we could take this.
03:17
We could have actually
03:20
essentially had it write to a text file.
03:23
Well, instead of just copying it, we could create a new text file
03:30
that.
03:32
No.
03:34
Okay,
03:39
memory.
03:49
We can't take that.
03:52
And that is the hash of our memory files.
03:59
So now we have our consolidated list of evidence that we obtained.
04:03
We got the BitLocker encryption keys.
04:08
We have the memory file for the volatile memory. We have our physical image,
04:15
and then we have the hash of the, uh,
04:19
the volatile memory that we were able to obtain, and then anything that we got from Redline. So that's a consolidated list of the evidence and artifacts that you would have from your forensic investigation.
04:33
And then from here, we can go into the analysis portion.
04:40
So again, like, uh, all of the tools to capture this data, there are a plethora of analysis tools out there for you to use.
04:50
So just like EnCase and FTK make their free versions of the
04:59
essentially
05:00
tools to acquire the memory, they do have paid versions of EnCase and FTK that you can use to examine the evidence that you acquire.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor