Thursday, January 30, 2020

How to handle Bitlocker Encrypted Volumes

The question

You are on-site. PC is on. You recognize an open Bitlocker drive. What now?
Just take a physical image of the drive because it is open and everything is fine, you have all the data? Well, short answer -> no. You would have a bad day the moment you want to analyze the data because you would see that the content of your created image is encrypted.

I will explain in this post what you can do on-site to get all data from the Bitlocker Volume. And I will explain how to handle created images when the data is Bitlocker encrypted on it on Windows and Linux with free tools.

IMPORTANT: I will only focus on the data in the Bitlocker Volume. Not the other volatile data in a running system. So, when I write you can shutdown the machine without data loss I only mean the stored data in the Bitlocker volume!

First: On-Site

To do what I explain here you need Administrator permission on the machine and you need an imaging tool. I use FTK Imager Light. It's free to download from https://accessdata.com/product-download/ftk-imager-lite-version-3-1-1

You find in the Explorer something like this:

An open Bitlocker drive. Good, data is accessible. But, if you now just create a physical image of the drive, the data will be encrypted in your image.

I tested this with FTK Imager, selected the physical drive and created an image. See the result below:

Unrecognized File System. To be sure, I also added the image to Autopsy 4.14. Same there, no data from the inside of the encrypted volume.

Get Recovery Key


Okay, so I would first get the Recovery Key from the drive. With this you can open the encrypted data later if necessary.

1. Open an elevated power shell
2. Type in the command manage-bde.exe -status

As you can see above the drive only encrypted the used space and a numerical password is used.

3. Type in command manage-bde.exe -protectors -get F:
Where "F:" is the corresponding drive letter.

From the above output you can find the recovery key:
078078-476773-168652-322883-163504-646536-206338-022825


Create Image?

Now the question, shall we create an image directly from the running system? We could. I see four possiblities:

1. Create image from the physical drive, then you need to decrypt it later with the Recovery Key

2. Create image of the logical drive.
One could say that when imaging the logical drive you won't get deleted data. That's not correct. You get the same data like from the physical drive but not the files outside of the encrypted partition. SO you only get the data in the encrypted partition, nothing else.

3. Don't create an Image.
Shut down the machine and create the image later. You have the recovery key so no problem.

4. Decrypt the volume on the machine and then create a Physical Image.
This could take much time. I don't recommend this way but it is possible.

What would I do? If I can take the computer with me, I would shut it down and image it later, so I don't loose time On-Site. But this really depends on the case. As I stated at the beginning, I only focus on the Bitlocker part here. Please don't get me wrong. I definitely would backup data like Passwords from Browser, running processes, open Network Connections etc. and create a RAM dump before I shut down the machine.




Second: At lab, physical image of Bitlocker Volume, Windows

As already written, when having a physical image of a Bitlocker volume the data is encrypted. But, if you have the recovery key, no problem. So how to hanlde the image on a Windows machine?

What do you have:

1. An E01-Image from the disk.
2. A Windows System that can handle Bitlocker (Professional Version or Enterpise Version since Windows 7)
3. The Recovery Key

You can mount the E01 with Arsenal Image Mounter (https://arsenalrecon.com/downloads/). Don't try to mount it with FTK Imager, that won't work.
After it's mounted you can open the volume via the Windows Explorer.

When that is successful you can then create an image of the logical drive via FTK Imager.
You can than analyse the data e.g. in Autopsy.

As you can see, no paid software needed.
With e.g. Magnet AXIOM or EnCase you could directly open the images with the Recovery Key. But, under the hood they will first decrypt the data.

One other way, just to mention it:
You could also mount the image with a write through file in Arsenal Image Mounter. Than it would be writeable. After this you could decrypt the volume and than create a physical image via FTK Imager.

Third: At lab, physical image of Bitlocker Volume, Linux

I used Tsurugi Linux (https://tsurugi-linux.org/downloads.php) for this. All necessary tools are installed in this great distro.

What do you have:

1. An E01-Image from the disk.
2. A linux system with the following tools:
a) xmount
b) sleuthkit
c) libbde-utils
d) guymager
e) dd
f) mount



Step 1: Use xmount

First we take the E01 and use xmount to create a raw image that we can later use with bdemount.

Command:
sudo xmount --owcache /tmp/bitlocker_test --in ewf ~/Desktop/Bitlocker_physisch_test.E01 --out raw ~/xmount_pount/

Output:


I use the option "owcache" that create an overlay file to make the image writable. For this example this is optional.
Please use the help function to find all options.

Explanation:

owcache: Overlay file, content will be overwritten if file already exists.
--in ewf: Type of the image is ewf
--out raw: I want a RAW image as output.

Step 2: Use Sleuthkit

We need the offset of the encrypted partition the the image, for this we use the tool "mmls" from the sleuthkit.

Command:
mmls ~/xmount_pount/Bitlocker_physisch_test.dd

Output:

You could also use the command directly on the E01-Image.

Explanation:
You can see the partition table of the image. The NTFS partition starts at sector 2048. This is the encrypted partition.

We can check this with the tool "fls" from the sleuthkit.

Commmand:
fls -o 2048 ~/xmount_pount/Bitlocker_physisch_test.dd

Output:

Explanation:
Sleuthkit cannt recognize the file system type because of Bitlocker. Bitlocker is not support by the Sleuthkit.

We can take a look at the hex values to see if it is really Bitlocker:

Command:
dd if=~/xmount_pount/Bitlocker_physisch_test.dd skip=2048 count=1 | xxd

Output:

With the values EB 58 90 2D 46 56 45 2D 46 53 2D "ëX¬|-FVE-FS-" we now know that the device is Bitlocker encrypted with Windows 7 or higher.

Step 3: Use bdeinfo

Okay, let us get the information of the bitlokcer volume with the tool "bdeinfo" from libbde-utils.

Command:
bdeinfo -o $((512*2048)) ~/xmount_pount/Bitlocker_physisch_test.dd

Output:

Explanation:
We use the offset 512 * 2048 because the tools wants as offset the bytes. One sector for our images has 512 bytes and this times the 2048 sector offset.

We get information like the identifier of the recovery key and the used encryption algorithm and the volume identifier.
But, that's the most important: We now know that we are correct with the offset and that there is the bitlokcer volume.

Step 4: Use bdemount

Now we want to get acces to the data in the volume.

Command:
sudo bdemount -p 12345678 -o $((512*2048)) ~/xmount_pount/Bitlocker_physisch_test.dd ~/bde_mount/

Output:

Explanation:
No error message means it has worked.
I used "-p 12345678" because that is the user password.
If you want to use the recovery key you would use "-r [RECOVERYKEY]" instead.
The created file with the unencrypted data in it is now at "~/bde_mount"

Step 5: Let's mount it

Okay, last step, than we have access to the data.

Command:
sudo mount -o loop,ro ~/bde_mount/bde1 ~/decrypt_mount

Output:
Nothing, no errer means everything went well.

Explanation:
We mount the data to "~/decrypt_mount".
We mount it read-only ("ro") and use a loop device ("loop")

If yo have an older system with an older mount command you cannot use the option "loop". Than you would need to use the tool "losetup". I won't explain how to do this here.

Step 6: Look at the data

We can now go through the data at the mount point. E.g. list the content.

Command:
ls -al ~/decrypt_mount/

Output:


Step 7: Create image of unencrypted data

We can now create an unencrypted image with guymager. Similar procdure than under Windows with FTK Imager. Just start the application "guymager".



When finished you can check the content e.g. with the tool "fls" from sleuthkit.

Command:
fls decrypted_bitlocker.E01

Output:

Explanation:
You don't need to give any offset, because the image is a partition image.

Now you can also analyse the data. e.g. load it into Autopsy.

All tools used are free.

Conclusion

Okay, this post was getting much longer than I thought. Thx for reading.

1. Keep in mind that just creating a physical image from an open Bitlocker Volume won't give you access to its data later. But, if you habe the recovery key thats not a problem. So it's seems to be a good idea to get the recovery key asap from the system.

2. On Windows you can mount an Image of a Bitlocker volume with Arsenal Image Mounter and create than an image of the decrypted data. If you have the Recovery Key.

3. On Linux you need a few steps in the terminal and a few tools. With Tsurugi Linux they are all onboard. But when having everything you can access the data without a problem.

4. You don't need to pay for the tools used here. They are free.