Research Article
Forensic Decryption of FAT BitLocker Volumes
@INPROCEEDINGS{10.1007/978-3-319-14289-0_2,
  author={P. Shabana Subair and C. Balan and S. Dija and K. Thomas},
  title={Forensic Decryption of FAT BitLocker Volumes},
  proceedings={Digital Forensics and Cyber Crime. Fifth International Conference, ICDF2C 2013, Moscow, Russia, September 26-27, 2013, Revised Selected Papers},
  proceedings_a={ICDF2C},
  year={2015},
  month={2},
  keywords={Bitlocker To Go, Bitlocker keys, Full volume encryption key, Volume master key, AES-CCM, Elephant diffuser, AES-CBC},
  doi={10.1007/978-3-319-14289-0_2}
}
- P. Shabana Subair
- C. Balan
- S. Dija
- K. Thomas
Year: 2015
ICDF2C
Springer
DOI: 10.1007/978-3-319-14289-0_2
Abstract
New versions of Windows come equipped with mechanisms, such as EFS and BitLocker, which are capable of encrypting data to an industrial standard on a Personal Computer. This creates problems if the computer in question contains electronic evidence. BitLocker, for instance, provides a secure way for an individual to hide the contents of their entire disk, but as with most technologies, there are bound to be weaknesses and threats to the security of the encrypted data. It is conceivable that this technology, while appearing robust and secure, may contain flaws, which would jeopardize the integrity of the whole system. As more people encrypt their hard drives, it will become harder and harder for forensic investigators to recover data from Personal Computers. This paper documents the BitLocker Drive Encryption System (version 2) in Windows 7. In particular, it describes how to forensically decrypt and load a BitLocker-encrypted FAT disk or image, if the keys are provided.