Towards successful forensic recovery of bitlocked volumes

Innovations in digital storage technologies pose challenges to cyber crime investigators. BitLocker Drive Encryption is one such new technology, available in Windows 2008 and in the Ultimate and Enterprise editions of Windows Vista and Windows 7. It protects a computer owner from the theft of confidential and personal data when a machine is lost or attacked over the network. Since BitLocker Drive Encryption performs full encryption of digital storage media drives, breaking the encryption is a real challenge for a cyber crime investigator. Although BitLocker offers multi-factor authentication by means of a Trusted Platform Module (TPM), a PIN and a USB key, a computer user normally opts for the 'USB-only' mode alone. In this paper, the authors describe different ways to recover fixed or removable storage media drives that have been bitlocked in USB-only mode. The paper presents a step-by-step algorithm to disclose the BitLocker Recovery information that can be used to unseal bitlocked drives, and it addresses the recovery of bitlocked drives in both live and offline forensics.
