FOR207 - BitLocker Operation and Internals

BitLocker is being used more and more to protect the contents of disks from loss and theft. Unfortunately, it is also being used by cybercriminals to hide their activities from law enforcement. This course describes the internal operation of BitLocker, and how  law enforcement can defeat it in some cases. 

Level: Intermediate
Audience:

Cyber forensics investigators

Topics:
  • BitLocker overview
    • Goals and functions
    • Comparison with EFS
    • Code integrity
    • Encryption algorithms
    • Encryption usage
    • Decrypting BitLocker
    • Enabling and disabling BitLocker
    • Automatic provisioning
  • Trusted Platform Module (TPM)
    • Key generation
    • Key storage
    • Measurements
    • Platform Configuration Registers (PCRs)
    • Chain of trust
  • Key management
    • Encryption keys
    • Key protectorsKey escrow
    • Recovery console
    • PowerShell
    • Control panel
  • BitLocker volume structure
    • Disk layout
    • Protective MBR
    • Metadata
  • Booting from an encrypted boot volume
    • Secure startup
    • S-CRTM BIOS
    • Master Boot Record (MBR)
    • Volume Boot Record (VBR)
    • BootMgr
    • WinLoad/WinResume
    • NTOSKRNL
  • Recovering a BitLocker volume
    • Recovery key
    • Microsoft Account
    • Active Directory
    • Recovery key details
  • BitLocker-To-Go
    • Differences and limitations
    • Using BtG
    • Volume layout
    • Down-level reader
Prerequisites:

FOR220, Windows Storage Architectures Overview; and FOR205, Windows Internals for Forensics; and FOR206, Windows Cryptography

Operating systems supported: Windows Vista and later
Durations and formats: 1 day with labs