Digital Forensics and Cyber Crime. Fifth International Conference, ICDF2C 2013, Moscow, Russia, September 26-27, 2013, Revised Selected Papers

Research Article

Forensic Decryption of FAT BitLocker Volumes

  • @INPROCEEDINGS{10.1007/978-3-319-14289-0_2,
        author={P. Shabana Subair and C. Balan and S. Dija and K. Thomas},
        title={Forensic Decryption of FAT BitLocker Volumes},
        proceedings={Digital Forensics and Cyber Crime. Fifth International Conference, ICDF2C 2013, Moscow, Russia, September 26-27, 2013, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2015},
        month={2},
        keywords={Bitlocker To Go, Bitlocker keys, Full volume encryption key, Volume master key, AES-CCM, Elephant diffuser, AES-CBC},
        doi={10.1007/978-3-319-14289-0_2}
    }
    
  • P. Shabana Subair, C. Balan, S. Dija, K. Thomas (2015). Forensic Decryption of FAT BitLocker Volumes. ICDF2C. Springer. DOI: 10.1007/978-3-319-14289-0_2
P. Shabana Subair (1,*), C. Balan (1,*), S. Dija (1,*), K. Thomas (1,*)
  • 1: Centre for Development of Advanced Computing
*Contact email: shabana@cdac.in, cbalan@cdac.in, dija@cdac.in, thomaskldija@cdac.in

Abstract

New versions of Windows come equipped with mechanisms, such as EFS and BitLocker, which are capable of encrypting data to an industrial standard on a personal computer. This creates problems if the computer in question contains electronic evidence. BitLocker, for instance, provides a secure way for an individual to hide the contents of their entire disk, but as with most technologies, there are bound to be weaknesses and threats to the security of the encrypted data. It is conceivable that this technology, while appearing robust and secure, may contain flaws that would jeopardize the integrity of the whole system. As more people encrypt their hard drives, it will become harder and harder for forensic investigators to recover data from personal computers. This paper documents the BitLocker Drive Encryption System (version 2) in Windows 7. In particular, it describes how to forensically decrypt and load a BitLocker-encrypted FAT disk or image, if the keys are provided.