Part 15 - Obtaining the Windows Bitlocker Encryption Keys (continued)

Video Activity

This lab-based lesson picks up where the previous lesson left off and continues the instructions on how to obtain the Windows Bitlocker Encryption Keys.


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Transcription
>> The last thing that we wanted to talk about in this video is essentially how to get our Windows BitLocker encryption keys. We're again going to want to pull up the command prompt. Then from here, we're going to type in the following commands. If we wanted to see if the system had BitLocker on it, we would essentially type the command manage-bde.exe status, and then it's going to run. We have to run this as an administrator. [NOISE] On your victim machine we would want to run that as an administrator, so again, we'll type it over again, and then it will provide you the status of all of the devices on the system. We can see our operating system Drive C, it is fully decrypted, the protection status, it is turned off. Lock status is unlocked.

If we did have BitLocker on our system, we would essentially type another command. I'll go ahead and show you that, it's not going to return anything though. That's what it would look like, and we don't have any protectors because we don't have BitLocker on our system. However, if it did return encryption keys, you would essentially want to copy this and then you would want to turn that into a text file on your forensic thumb drive.

That process is finally finished, it is a rather large file. But essentially we could take this, we could have actually essentially had it write to a text file as well, instead of just copying. But we can create a new text file, and that is the [inaudible] memory hash. We can take that, and that is the hash of our memory file.

Now we have our consolidated list of evidence that we obtained: we got the BitLocker encryption keys, we have the memory file for the volatile memory, we have our physical image, and then we have the hash of the volatile memory that we were able to obtain, and then anything that we got from Redline. That's a consolidated list of the evidence and artifacts that you would have from your forensic investigation.

Then from here, we can go into the analysis portion. Again, like all of the tools to capture this data, there are a plethora of analysis tools out there for you to use. Just like EnCase and FTK make their free versions of the tools to acquire the memory, they do have paid versions of EnCase and FTK that you can use to examine the evidence that you will create.
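The collection steps described in the transcript (check BitLocker status, pull the key protectors for each volume, save the output to the forensic drive, and record a hash of the memory capture) can be done in one script rather than by copying console output by hand. The following is an added example written for this page, not code from the course or its instructor. It assumes a hypothetical evidence folder `E:\Evidence` on the forensic drive and a memory image already acquired at `E:\Evidence\memory.raw`; change both to match your setup. It uses the real `manage-bde.exe` switches `-status` and `-protectors -get`, and must be run from an elevated PowerShell prompt because `manage-bde` refuses to run otherwise.

```powershell
# Added example (not part of the course): collect BitLocker status and key
# protectors from a live Windows host, write them to the forensic drive, and
# hash the memory image together with the collected text files.
#
# Assumptions (hypothetical paths, adjust as needed):
#   - forensic drive mounted as E:, evidence goes under E:\Evidence
#   - volatile memory already captured to E:\Evidence\memory.raw
param(
    [string]$EvidenceDir = 'E:\Evidence',
    [string]$MemoryImage = 'E:\Evidence\memory.raw'
)

# manage-bde needs an elevated prompt; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'manage-bde requires an elevated prompt; rerun PowerShell as Administrator.'
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$statusFile = Join-Path $EvidenceDir "bitlocker-status-$stamp.txt"
$keysFile   = Join-Path $EvidenceDir "bitlocker-protectors-$stamp.txt"
$hashFile   = Join-Path $EvidenceDir "hashes-$stamp.txt"

# 1. Status of every volume (the "manage-bde -status" step in the video):
#    conversion status, protection status and lock status per drive.
& manage-bde.exe -status | Tee-Object -FilePath $statusFile

# 2. Key protectors for every volume with a drive letter. Only volumes that
#    actually have BitLocker protectors print anything useful; an unencrypted
#    volume, as in the video, produces no recovery key. Errors are captured
#    in the file too (2>&1) so the record shows which volumes were checked.
$volumes = Get-Volume | Where-Object { $_.DriveLetter } |
           ForEach-Object { "$($_.DriveLetter):" }
foreach ($v in $volumes) {
    "=== $v ===" | Out-File -FilePath $keysFile -Append
    & manage-bde.exe -protectors -get $v 2>&1 | Out-File -FilePath $keysFile -Append
}

# 3. Hash the memory capture and the two collection files so the evidence set
#    can be verified later; keep the hashes beside the evidence.
$toHash = @($MemoryImage, $statusFile, $keysFile) | Where-Object { Test-Path $_ }
Get-FileHash -Algorithm SHA256 -Path $toHash |
    Select-Object Algorithm, Hash, Path |
    Format-Table -AutoSize |
    Out-File -FilePath $hashFile

Get-Content $hashFile
```

Note that the protectors file contains 48-digit recovery passwords when a volume is encrypted, so it is as sensitive as the drive it unlocks; keep the forensic drive itself encrypted and under chain of custody. If you prefer the BitLocker PowerShell module to `manage-bde`, `Get-BitLockerVolume` exposes the same information through its `VolumeStatus`, `ProtectionStatus`, `LockStatus` and `KeyProtector` properties.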