BitLocker is a new drive encryption technology introduced with the Windows Vista operating system. With BitLocker enabled, all files on a personal computer's hard disk drive are automatically encrypted. BitLocker is included in the Enterprise and Ultimate editions of Vista and is disabled by default. Disk encryption can pose a problem for forensic investigators, and additional steps must be taken to ensure access to suspect data.
When an investigator comes across a running Windows Vista system, they should first determine which edition of Windows Vista the suspect system is running. As only Vista Enterprise and Ultimate offer BitLocker drive encryption, investigators can disregard the following steps on other editions.
Once an investigator has determined that the system is running either Windows Vista Enterprise or Ultimate, the next step is to determine if BitLocker is running. The easiest way to determine this is through the BitLocker configuration in the Control Panel. If BitLocker encryption is running, use the following steps to disable it.
Disabling BitLocker does not decrypt the suspect data, which would alter every file on the disk. Instead, it stores the encryption key on the disk so that the volume can be decrypted when it is booted or accessed, without the need for the startup key or numerical recovery password.
The following command disables BitLocker from the command line:
cscript manage-bde.wsf -protectors -disable c:
The above command disables BitLocker's key protectors but does not decrypt the drive. The drive can then be attached to another Vista machine through a hardware write blocker, and all of its data will be readable. The investigator can then image the suspect drive.
The investigator should also obtain the BitLocker numeric recovery password to ensure later access to the drive for imaging should it be needed.
The following command will display the BitLocker numerical recovery password:
cscript manage-bde.wsf -protectors -get c:
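The whole procedure described above, written up as an added batch script that is not part of the original article: it records the Windows edition, the BitLocker status before and after, and the numerical recovery password to a log file, and it only disables the key protectors when protection is actually on. The log path, the location of manage-bde.wsf and the exact wording of the -status output ("Protection Status:" followed by "Protection On") are my assumptions, not taken from the page.

```batch
@echo off
rem Added example, not part of the original article: runs the steps above on a
rem live Vista system and writes everything to a log for the case file.
rem Assumptions (not stated on the page): manage-bde.wsf lives in
rem %SystemRoot%\System32; the log directory below already exists on media the
rem investigator controls (not the suspect disk); and the -status output has a
rem line "Protection Status:" that reads "Protection On" when BitLocker is active.

setlocal
set VOL=c:
set LOG=E:\case\bitlocker-%COMPUTERNAME%.log
set MBDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf

rem Only Enterprise and Ultimate carry BitLocker, so record the edition first.
echo ==== %DATE% %TIME% OS edition ====>> "%LOG%"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version">> "%LOG%"

rem Status before any change, so the state of the evidence is documented.
echo ==== %DATE% %TIME% BitLocker status before ====>> "%LOG%"
%MBDE% -status %VOL%>> "%LOG%"

rem Stop here if protection is not on: there is nothing to disable.
%MBDE% -status %VOL% | findstr /C:"Protection Status" | findstr /C:"Protection On">nul
if errorlevel 1 (
    echo BitLocker protection is not on for %VOL%, no change made>> "%LOG%"
    goto :done
)

rem Record the numerical recovery password BEFORE touching the protectors, so
rem the drive stays reachable even if the disable step fails.
echo ==== %DATE% %TIME% key protectors and recovery password ====>> "%LOG%"
%MBDE% -protectors -get %VOL%>> "%LOG%"

rem Disable the protectors: the key is stored on the disk in the clear and the
rem data is NOT decrypted. This does write to the suspect disk, so it is logged.
echo ==== %DATE% %TIME% disabling protectors ====>> "%LOG%"
%MBDE% -protectors -disable %VOL%>> "%LOG%"

rem Status after the change, for comparison with the "before" block.
echo ==== %DATE% %TIME% BitLocker status after ====>> "%LOG%"
%MBDE% -status %VOL%>> "%LOG%"

:done
echo Done. The log now holds the recovery password, so protect it like the evidence itself.
endlocal
```

Run it from an elevated command prompt on the live suspect system, with the script and the log both kept on the investigator's own removable media. Getting the recovery password before disabling the protectors is deliberate: if the disable step fails part way, the password still gives later access to the drive for imaging.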