Title :
Towards successful forensic recovery of bitlocked volumes
Author :
Dija, S. ; Balan, C. ; Anoop, V. ; Ramani, B.
Author_Institution :
Centre for Dev. of Adv. Comput., Thiruvananthapuram, India
Abstract :
Innovations in digital storage technologies pose challenges to cyber crime investigators. BitLocker Drive Encryption is one such new technology, available in Windows 2008 and in the Ultimate and Enterprise editions of Windows Vista and Windows 7. This technology protects a computer owner from theft of confidential and personal data in the event of loss of the machine or outside attacks through the network. Since BitLocker Drive Encryption performs full encryption of digital storage media drives, breaking the encryption is a real challenge for a cyber crime investigator. Although BitLocker provides multi-factor authentication by means of a Trusted Platform Module (TPM), PIN number and USB, a computer user normally opts only for the 'USB-only' mode. In this paper, the authors describe different ways to recover fixed or removable storage media drives bitlocked in USB-only mode. The paper describes a step-by-step algorithm to disclose the BitLocker recovery information that can be used to unseal bitlocked drives. The paper addresses the recovery of bitlocked drives in both live and offline forensics.
Keywords :
computer forensics; cryptography; digital storage; BitLocker Drive encryption technology; bitlocked volume; cyber crime investigation; digital storage technology; forensic recovery; live forensics; offline forensics; trusted platform module; Computers; Encryption; File systems; Forensics; Graphical user interfaces; Media; BitLocker; Full Volume Encryption Key; Live Forensics; Random Access Memory; Trusted Platform Module; Volume Master Key;
Conference_Title :
System of Systems Engineering (SoSE), 2011 6th International Conference on
Conference_Location :
Albuquerque, NM
Print_ISBN :
978-1-61284-783-2
DOI :
10.1109/SYSOSE.2011.5966617