Forensically Imaging Bitlocker

Written by Blogger

September 22, 2021

Guest Blogger, Michael Zinn with Micro Systems Management

BitLocker is Microsoft’s Full Volume Encryption (FVE) feature in Windows. BitLocker can be used to encrypt operating system volumes, non-Operating System fixed drive volumes, and removable drive volumes.[1]

BitLocker relies on one or more Key Protectors to protect the BitLocker Encryption Key used to decrypt the BitLocker encrypted volume.[2]

A forensic examiner can approach the process of forensically imaging a BitLocker Encrypted Operating System volume that uses only the Trusted Platform Module (TPM) Key Protector. This blog will review the methods which Microsoft provides to decrypt a BitLocker Encrypted Volume. This blog will not address the legal considerations which must be addressed when performing digital forensics or related actions. While all information in this blog is publicly available information from Microsoft, we will re-iterate the standard disclaimer that you must only perform digital forensic work or attempt to defeat security protections when doing so is lawful and in accordance with applicable policies and regulations.

If the evidence computer is functional and there is a need to perform physical acquisition of the drive, an examiner can remove the drive from the computer and perform a physical acquisition, but the resulting drive image is of the data-at-rest and consequently in encrypted form since BitLocker encrypts data-at-rest. Depending on the forensic software used, the forensic examiner may be prompted to enter the unique 48-digit BitLocker Recovery Key for that BitLocker Encrypted Volume.

Knowing where to find the BitLocker Recovery Key is half of the battle and being familiar with the process to use BitLocker to encrypt a volume is helpful. Microsoft also offers information about obtaining the unique 48-digit BitLocker Recovery Key for a BitLocker Encrypted Volume at https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-10-6b71ad27-0b89-ea08-f143-056f5ab347d6.

When you begin the process of encrypted a Windows Operating System Volume on a computer that has a TPM that is ready for use with BitLocker, BitLocker will ask you where to save a copy of the BitLocker Recovery Key. Depending on the configuration of the computer, the options presented to the user (if any) will vary. Here are some examples.

  1. If the person who encrypted the volume with BitLocker did so from a Microsoft account[3] (i.e. a consumer Microsoft cloud account), one location where the BitLocker Recovery can be stored is in the Microsoft account. To determine if a Microsoft account has the BitLocker Recovery Key for a specific BitLocker Encrypted Volume, someone would need to login to https://account.microsoft.com/devices/recoverykey?refd=support.microsoft.com with the Microsoft account.

Microsoft notes that if you have a device that supports “automatic device encryption,” the BitLocker Recovery Key is likely in the Microsoft account. This refers to Windows Operating System volumes on compatible devices automatically enabling BitLocker during the initial Out-of-box (OOBE) experience. If the person setting up the Windows 10 device chooses to use a Microsoft account or Azure Active Directory Account to sign into the computer during the OOBE, then BitLocker will be “armed” and the BitLocker Recovery Key will be stored in that user’s Microsoft account or Azure Active Directory Account, respectively.[4]

  1. This gives us another place to look – Azure Active Directory. If the computer is joined to an organization’s Azure Active Directory, the BitLocker Recovery Key may be stored there. There are two ways to check for the BitLocker Recovery Key in Azure Active Directory. The first way is if you know the Azure Active Directory Account that was used to enable BitLocker on the volume. If you do, someone can go to https://myaccount.microsoft.com/device-list and log in with that user’s Azure Active Directory Account.

If the user is unavailable, and you have the authorization to do this, you might be able to access the Azure Active Directory Account by using one of the methods to reset the user’s password below:

  1. If the organization uses Azure Active Directory Connect Sync or Active Directory Federation Services and the Azure Active Directory is a “synched from on-premises” account, then the password used is Azure Active Directory is controlled by Domain Services on one or more Domain Controllers in the organization. Those Domain Controllers may be physical or virtual. If the Domain Controllers are virtual, they may be stored on a server on-premises, on a server in a data center, or in the public cloud to include AWS, Google Public Cloud, and Microsoft Azure. If you can reset the password for that account in Active Directory on one of the Domain Controllers (and if Azure Active Directory Connect Sync is used to start synchronization from Active Directory to Azure Active Directory), then you should be able to authenticate to Azure Active Directory as that user with the password which was changed with the password reset.
  1. If the account is a “cloud” account, then if you have an account with one or more of the following Microsoft 365 roles, then you may be able to reset the password for the Azure Active Directory Account. The Microsoft 365 roles that provide you with the ability to reset another user’s password are Global admin, Helpdesk admin (see the link in the footnote for information about restrictions), and User admin (see the link in the footnote for information about restrictions).[5]

These methods do not work if the user’s account is secured with Multi-Factor Authentication.

After the user’s password is reset, you should be able to go back to https://myaccount.microsoft.com/device-list, identify the name of the computer in the Devices list, click “View Bitlocker Keys,” identify the corresponding Key ID, click “Show recovery key,” and obtain the BitLocker Recovery Key.

The BitLocker Recovery Key may have been saved to a USB flash drive, saved to a file (BitLocker does not allow you to save the BitLocker Recovery Key file to the same BitLocker Encrypted Volume and by default has a filename of “BitLocker Recovery Key <KEY ID>.TXT”, or printed. One thing to be aware of is that while BitLocker does not allow you to save the BitLocker Recovery Key file to the BitLocker Encrypted Volume, it does allow you to print the BitLocker Recovery Key to a PDF which you can save on the BitLocker Encrypted Volume.

Another location where the BitLocker Recovery Key may be stored is in Active Directory if the computer is joined to Active Directory.

For computers that are joined to Active Directory, the configuration of Group Policy can require computers to be encrypted with BitLocker, that the BitLocker Recovery Key be stored in Active Directory, and to “Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive.”[6]

If all that is available is the computer that has the BitLocker Encrypted Volume on the drive installed in it, then you need to login to the computer as an administrator. The good news is there are a few ways you might be able to do that.

  1. The first way is if you know the credentials for a local administrator.

2. The second way is if the computer is joined to Active Directory. If it is joined to Active Directory and can communicate with a domain controller for that Windows domain, then you should be able to login to the computer with a domain administrator account. The account does not need to be a domain administrator account but a domain account that is a member of the local Administrators group on the computer. Since “Domain Admins” is generally included in the local Administrators group on computers that are joined to Active Directory, a domain administrator account should work. If you need to maintain an audit record of logging into the computer as the examiner and differentiate that from other users logging into the computer prior to the forensic examination and do not only want to rely on the chain of custody you can also create a new user in Active Directory and use Group Policy Management to add the user to the local Administrators group on that computer.

If the computer is joined to Active Directory but cannot presently communicate with a domain controller for that Windows domain, you still may be able to login to the computer with a domain administrator account depending on whether previous logins are cached, if previous logins are cached, how login the previous logins are cached for, how long it has been since the domain administrator previously logged into the computer, and if you know the credentials for the domain administrator account that previously logged into the computer as the credentials were when they were last used to login to the computer.

  1. The third way is if the computer is joined to Azure Active Directory. See options 1, 2, and 3 for gaining access to an account stored in Azure Active Directory. Something to be aware of is if the BitLocker Recovery Key is not located in Azure Active Directory, then you can still use options 1, 2, and 3 to reset the password for an Azure Active Directory User so you can log in to the computer. You could create a new user in Azure Active Directory, however by default that user will be able to login to the computer but will not be a member of the local Administrators group. When a computer is joined to Azure Active Directory, the default setting is that the Azure Active Directory User that is used to join the computer to Azure Active Directory is added to the local Administrators group. Ideally, you want to reset the password for the Azure Active Directory User that joined the computer to Azure Active Directory. You will need to be able to log in to the computer with an account that is a member of the local Administrators group to be able to back up the BitLocker Recovery Key.

After you are able to login to the computer with credentials that have local Administrator rights, then you can open Control Panel, BitLocker Drive Encryption, and click “Backup up your recovery key,” and save the BitLocker Recovery Key to a file, save the BitLocker Recovery Key to a USB flash drive, or print the BitLocker Recovery Key.

If you were able to obtain the BitLocker Recovery Key, you should be able to decrypt the BitLocker Encrypted Volume you acquired when you performed a physical image of the drive.

 

[1] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-basic-deployment

[2] https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1054.pdf

[3] https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-10-6b71ad27-0b89-ea08-f143-056f5ab347d6

[4] https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

[5] https://docs.microsoft.com/en-US/microsoft-365/admin/add-users/about-admin-roles

[6] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

Michael Zinn, Micro Systems Management

Michael Zinn (ACE, CCE, CEH, CHFI, DSMO, MCSA, P2CE) is a recognized digital forensics and cybersecurity expert who has more than 14 years of experience working in Information Technology and is focused on cybersecurity. Michael is a Systems Engineer at Micro Systems Management who focuses on firewalls, VPNs, cybersecurity incident response, and cybersecurity training.

Subject matter expert consulting services are available through Micro Systems Management to aid with examinations that are out of your typical scope of work. 

Forensic-Impact Articles

The Role of Psychology in Digital Forensics

The Role of Psychology in Digital Forensics

 Written by Riley Anne JohnsAs more people depend on technology for both personal and professional endeavors, digital forensics has never been more important. Digital forensics is a branch of forensic science specifically focused on cybercrime, using computer evidence...

Waze Data in Smartphones

Waze Data in Smartphones

According to Wikipedia Waze is: Waze is a GPS navigation software app and a subsidiary of Google. It works on smartphones and tablet computers that have GPS support. It provides turn-by-turn navigation information and user-submitted travel times and route details...

iOS Backup vs iCloud          How can you compare?

iOS Backup vs iCloud How can you compare?

When you process an iOS device there are multiple locations that will provide you the data you are looking for. It is important to understand where you can see the differences in those data sources. Depending on your process checklist you might choose a different data...