Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lab-based lesson picks up where the previous lesson left off and continues the instructions on how to obtain the Windows BitLocker encryption keys.

Video Transcription

00:04
So the last thing that we want to talk about in this video is essentially how to
00:10
get our Windows BitLocker encryption keys. So
00:16
we're again going to want to pull up a command prompt,
00:22
and then from here, we're going to type in the following commands.
00:28
So if we wanted to see if the system had bit locker on it,
00:33
we would essentially type the command manage-bde -status.
00:49
Then it's going to run.
00:56
We have to run this as an administrator.
01:07
So on your victim machine you would want to run that as an administrator. So I'll pull it up again,
01:23
and then it will provide you the status of all of the devices on the system so we can see our operating system.
01:32
Uh, drive C. It is fully decrypted. The protection status is turned off.
01:38
Lock status is unlocked.
01:40
If we did have BitLocker on our system,
01:47
we would essentially type another command.
01:49
I'll go ahead and show you that it's not going to return anything, though.
02:21
-protectors -get.
02:23
So that's what it would look like.
02:27
And we don't have any protectors because we don't have BitLocker
02:31
on our system.
02:32
However,
02:35
if it did return encryption keys, you would essentially want to copy this.
02:39
And then you would want to turn that into a text file on your forensic thumb drive.
03:10
Okay, so that process finally finished. It is a rather large file. But essentially, we could take this.
03:17
We could have actually had it write to a text file.
03:23
Well, instead of just copying it, we could create a new text file.
03:32
No.
03:34
Okay,
03:39
memory.
03:49
We can't take that.
03:52
And that is the hash of our memory files.
03:59
So now we have our consolidated list of evidence that we obtained.
04:03
We got the BitLocker encryption keys.
04:08
We have the memory file for the volatile memory. We have our physical image,
04:15
and then we have the hash
04:17
of the, uh
04:19
the volatile memory that we were able to obtain, and then anything that we got from Redline. So that's a consolidated list of the evidence and artifacts that you would have from your forensic investigation.
04:33
And then from here, we can go into the analysis portion.
04:40
So again, like all of the tools to capture this data, there are a plethora of analysis tools out there for you to use.
04:50
So just like EnCase and FTK make free versions of their tools to acquire the memory, they do have paid versions of EnCase and FTK that you can use to examine the evidence that you acquired.
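The procedure the instructor walks through above (check BitLocker status, dump the key protectors, write the result to the forensic thumb drive, and hash the collected artifacts) is shown below as one scripted pass. This is an added example, not code from the video or the course; it assumes an elevated PowerShell prompt on the target machine, that E:\ is the forensic thumb drive, and that the memory image already captured earlier sits at E:\memory.raw (both paths are assumptions, change them to match your drive). One caveat the video does not spell out: manage-bde -protectors -get prints recovery passwords and key protector IDs, not the TPM-sealed volume master key, so on a TPM-only volume with no recovery password protector you will see protector IDs but no key material. The export itself is sensitive, which is why it goes to the evidence drive and not onto the suspect's disk.

```powershell
# Added example (not from the video): collect BitLocker status and key protectors
# from a live Windows system and record them, with hashes, on an evidence drive.
# Assumptions: elevated PowerShell prompt; E:\ is the forensic thumb drive;
# the memory image to hash is E:\memory.raw (both paths are assumptions).

$EvidenceRoot = 'E:\Evidence'
$MemoryImage  = 'E:\memory.raw'
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

# manage-bde fails on a non-elevated prompt, so check first and fail clearly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) prompt; manage-bde requires it.'
}

# 1. Status of every volume: Conversion Status, Protection Status, Lock Status.
#    Tee-Object shows it on screen and writes it to the evidence drive.
$statusFile = Join-Path $EvidenceRoot 'bitlocker-status.txt'
manage-bde -status | Tee-Object -FilePath $statusFile

# 2. For each fixed volume with a drive letter, dump the key protectors
#    (Numerical Password, TPM, External Key IDs). On a volume that is not
#    encrypted manage-bde prints an error instead of protectors, which is the
#    "nothing comes back" case the video demonstrates.
$protectorsFile = Join-Path $EvidenceRoot 'bitlocker-protectors.txt'
Get-Volume |
    Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } |
    ForEach-Object {
        $drive = "$($_.DriveLetter):"
        "==== $drive ====" | Out-File -FilePath $protectorsFile -Append
        manage-bde -protectors -get $drive | Out-File -FilePath $protectorsFile -Append
    }

# 3. Hash the memory image and every exported text file so the consolidated
#    evidence list carries integrity values alongside the artifacts.
$hashFile = Join-Path $EvidenceRoot 'hashes.txt'
$toHash = Get-ChildItem -Path $EvidenceRoot -File |
    Where-Object { $_.Name -ne 'hashes.txt' } |
    Select-Object -ExpandProperty FullName
if (Test-Path $MemoryImage) { $toHash += $MemoryImage }

$toHash |
    ForEach-Object { Get-FileHash -Algorithm SHA256 -Path $_ } |
    Select-Object Algorithm, Hash, Path |
    Format-Table -AutoSize |
    Out-File -FilePath $hashFile -Width 300

Write-Host "Evidence written to $EvidenceRoot; hashes in $hashFile"
```

Run it once per acquisition and keep hashes.txt with the case notes; if the recovery password shows up in bitlocker-protectors.txt, that file is the key material the video refers to and should be handled with the same care as the image itself.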

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor