Daily Blog #431: Bitlocker Experiments Part 2

Bitlocker Experiments Part 2 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
I'm continuing my Bitlocker experiments while here in Abu Dhabi until I return home this weekend to do more MAPI testing of OWA changes. After my last post and experiment I got some help from a friend and reread the Bitlocker specification from libbde here. In my prior Bitlocker work I don't think I appreciated what information the FVE metadata blocks were providing me.

Within the Bitlocker encrypted volume (without providing any keys, just the raw encrypted data) there are three metadata blocks that I'm looking into and that Metz has documented. Looking at the first one I see the following entry on a new vhd that I created, attached and Bitlocker encrypted.



If you look closely starting at offset 3100078 you will see the start of a Unicode string that says Desktop-IVOIVRB; this is the hostname of the machine I did the Bitlocker encryption with, followed by the date I encrypted the volume.

I thought this was very interesting! We can determine the name of the machine that encrypted the volume and when it was encrypted, but this was a fixed vhd. So I decided to use my SANS instruction laptop to encrypt a flash drive with Bitlocker ToGo to see if there was any difference.


Looking here starting at offset 2800078 you can see the beginning of the Unicode string SANS-FOR600, which is the name of my instructor laptop, followed by the date I encrypted the drive.

So both Bitlocker and Bitlocker To Go will tell you the hostname of the system that encrypted the volume and the date it was encrypted! Fascinating! More to come as I begin to tweak the properties of these drives with manage-bde and see what comes to light.
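To show where that string comes from, here is an added example (my own code, not part of the original post or of libbde) that walks one FVE metadata block the way the libbde documentation lays it out, as I read it: a 64-byte block header starting with "-FVE-FS-", a 48-byte metadata header carrying a creation FILETIME, then a chain of entries where entry type 0x0007 with value type 0x0002 is the UTF-16LE description. The block header, metadata header offsets and entry type values are assumptions from that documentation, and the sample block is constructed for the example rather than captured from a real volume; note that 64 + 48 + 8 = 0x78, which is exactly the offset into the block where the hostname showed up in both dumps above.

```python
import struct
from datetime import datetime, timedelta, timezone

FVE_SIGNATURE = b"-FVE-FS-"
ENTRY_TYPE_DESCRIPTION = 0x0007  # FVE entry type: volume description string (assumed from libbde docs)
VALUE_TYPE_UNICODE = 0x0002      # FVE value type: UTF-16LE string (assumed from libbde docs)
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def parse_fve_metadata_block(block):
    """Pull the creation time and description out of one FVE metadata block.

    Offsets follow the libbde format documentation as I read it (assumption):
      0x00  64-byte block header, begins with the signature '-FVE-FS-'
      0x40  48-byte metadata header: metadata size at +0, creation FILETIME at +40
      0x70  entries: u16 size, u16 entry type, u16 value type, u16 version, data
    """
    if block[:8] != FVE_SIGNATURE:
        raise ValueError("not an FVE metadata block")
    metadata_size = struct.unpack_from("<I", block, 64)[0]
    created = filetime_to_datetime(struct.unpack_from("<Q", block, 104)[0])
    result = {"created": created, "description": None}
    pos, end = 112, min(len(block), 64 + metadata_size)
    while pos + 8 <= end:
        size, etype, vtype, _version = struct.unpack_from("<HHHH", block, pos)
        if size < 8 or pos + size > end:
            break  # truncated or malformed entry: stop rather than read past the block
        if etype == ENTRY_TYPE_DESCRIPTION and vtype == VALUE_TYPE_UNICODE:
            raw = block[pos + 8:pos + size]
            result["description"] = raw.decode("utf-16-le").rstrip("\x00")
        pos += size
    return result


def build_sample_block(description="DESKTOP-EXAMPLE 1/2/2019",
                       created=datetime(2019, 1, 2, 14, 30, tzinfo=timezone.utc)):
    """Constructed FVE metadata block for testing; not bytes from a real volume."""
    data = description.encode("utf-16-le") + b"\x00\x00"
    entry = struct.pack("<HHHH", 8 + len(data), ENTRY_TYPE_DESCRIPTION, VALUE_TYPE_UNICODE, 1) + data
    filetime = int((created - WIN_EPOCH).total_seconds()) * 10_000_000
    md_size = 48 + len(entry)  # assumption: metadata size covers the 48-byte header plus entries
    md_header = struct.pack("<IIII", md_size, 1, 48, md_size) + bytes(16)  # sizes, version, zeroed GUID
    md_header += struct.pack("<IHHQ", 0, 0, 0, filetime)  # nonce counter, enc. method, pad, FILETIME
    block_header = FVE_SIGNATURE + struct.pack("<HHHH", 64, 2, 0, 0) + bytes(48)  # sizes/offsets zeroed
    return block_header + md_header + entry
```

On a real image you would read each block from the three metadata offsets recorded in the volume header and feed it to parse_fve_metadata_block; the description string is the hostname and date seen in the hex dumps above.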
