Implementing BitLocker Drive Encryption for …

1 Implementing BitLocker Drive Encryption for Forensic Analysis . Jesse D. Kornblum, ManTech International Corporation Abstract When the system is booted, the integrity of the op- erating system and hardware is verified. If the verifi- This paper documents the BitLocker Drive Encryp- cation succeeds, the TPM releases an Encryption key tion system included with some versions of Mi- that allows the system to continue booting. The user crosoft's Windows Vista. In particular it describes does not have to provide any information to decrypt the key management system, the algorithms and the volume. If a protected volume is removed from modes used, and the metadata format. Particular the system, however, it may be difficult if not im- attention is given to methods forensic examiners can possible for an examiner to read the protected data. use to access protected data. There are some unan- Decrypting the data without the keys stored in the swered questions about how the cryptosystem oper- TPM is infeasible.

2 Ates, including an undocumented key management Other modes of BitLocker operation allow the sys- decision. This decision could allow, in a particular tem to require a PIN to be entered, a specific remov- usage scenario, unauthorized access to a protected able storage device to be connected, or both, for a volume. protected volume to be unlocked. A protected vol- Keywords: BitLocker , Encryption , Key Manage- ume can also be unlocked using a recovery password, ment, Windows Vista, Elephant or a 48 digit hexadecimal number typed by the user. BitLocker can be disabled without the protected 1 Introduction volume being decrypted. When disabled no authen- tication or TPM verification is needed for the volume Some versions of Microsoft's Windows Vista include to be accessed, but it remains encrypted. Instead a Full Volume Encryption feature called BitLocker Windows creates a new Encryption key and writes it Drive Encryption .

3 This feature enabled users to en- to the protected volume. As explained below, this crypt the system volume in the original version of key can be used to decrypt the existing series of keys Windows Vista and additional volumes as of Service necessary to access the protected data. Like leaving Pack 1. The BitLocker system was intended to be a house key under the doormat, the volume is still used with a Trusted Platform Module (TPM) chip protected, but by knowing where to look it's trivial on the computer's motherboard and provide strong to bypass the protection. but unobtrusive protection for data at rest. The Microsoft Corporation has provided detailed In its default mode, BitLocker stores a series of documentation on BitLocker Drive Encryption . The keys on each protected volume and in the TPM. cryptosystem is detailed in [1] and some of the key This is the author's version of a work that was accepted for management in [4, 5, 6, 7].

4 Kumar and Kumar's pa- publication in Digital Investigation. Changes resulting from per and source code added more detail on the key the publishing process, such as peer review, editing, correc- management system [2]. tions, structural formatting, and other quality control mecha- Unfortunately these documents do not provide nisms may not be reflected in this document. A definitive ver- sion was subsequently published in Digital Investigation and all of the information necessary to create tools for is available at the forensic analysis of BitLocker protected vol- 1. umes. Although a BitLocker protected volume can FVEK are used in for the AES-CBC key and bits be mounted on another computer running Windows 256-511 are used in the sector key, as shown in Figure Vista, the examiner may prefer or be required to use 2. another operating system. The diffuser mentioned above, Elephant, is a non- This paper contains details necessary to access Bit- standard cryptographic algorithm invented by Fergu- Locker protected volumes but not included in any son and added to the cryptosystem to provide ad- previously published documentation.

5 It describes ditional security properties that are desirable in the how BitLocker operates, what cryptographic prim- disk Encryption setting but which are not provided itives it employs, how those primitives are imple- by AES-CBC cipher methods [1]. Specifically the mented, and how the keys for those primitives are diffuser was added to prevent a manipulation attack. stored. Section 2 gives details on how the data at In such an attack a malfeasant could change a small rest is protected. Section 3 describes the means by amount of ciphertext in the hopes of changing a small which different keys are manipulated to access the amount of plaintext, such as a security setting. By al- data at rest. Sections 4 and 5 describe the metadata tering just a small piece of data, the malfeasant could BitLocker maintains. Finally, some unanswered ques- weaken the security of the system. By diffusing any tions about the cryptosystem and how it operates are change in the ciphertext throughout the plaintext, presented in section 6.

6 Such targeted manipulations are much more difficult. Although Ferguson described the Elephant diffuser in [1], he did not provide a reference implementation. 2 Cryptosystem Overview The description is sufficient to implement the sys- tem, however, and Kumar and Kumar were gracious The BitLocker cryptosystem was developed by Niels enough to do so in [2]. Ferguson and mostly relies on previously published cryptographic primitives [1]. The data on a Bit- Locker protected volume is encrypted in one of four 3 Key Management methods, all of which use the Advanced Encryp- tion Standard (AES) in Cipher Block Chaining mode The BitLocker key management system uses a series (CBC). The user can configure whether to use the 128 of keys to protect the data at rest. This section de- bit or 256 version of AES as well whether or not to scribes these keys as they have been documented by diffuse the encrypted data.

7 The default mode is to Microsoft. Additional details developed from reverse use 128-bit AES with the diffuser enabled. engineering the system are then presented to demon- When data is encrypted it is first XOR'ed against strate how the key management system was imple- a sector key, optionally diffused, and then encrypted mented. with AES-CBC. Decryption is the reverse: The data The key used to protect the data at rest, the Full is first decrypted using AES-CBC, optionally dif- Volume Encryption Key, is stored on the protected fused, and then XOR'ed against a sector key. Note volume. To prevent unauthorized access the FVEK. that the diffuser contains two functions, A and B. is encrypted using another key. In particular the When decrypting they must be run in the reverse or- FVEK is encrypted using a 256-bit AES key work- der, B then A. ing in Counter with CBC-MAC (AES-CCM) mode.

8 All of the key material used to encrypt and decrypt (Although the CCM standard was originally defined data comes from the 512-bit Full Volume Encryption using 128-bit keys [9], Microsoft has extended it to Key (FVEK). When working with 128-bit AES, bits 256-bit keys. It should also be noted that Ferguson, 0-127 of the FVEK are used in the AES-CBC key the designer of the BitLocker cryptographic system, and bits 256-383 are used in the sector key. The was also a co-author of CCM mode.) The key used remaining bits are not used, as shown in Figure 1. to encrypt the FVEK, the Volume Master Key or When working with 256-bit AES, bits 0-255 of the VMK, is also stored on the protected volume. In 2. Figure 1: Layout of the FVEK in the 128-bit modes Figure 2: Layout of the FVEK in the 256-bit modes fact several copies of the VMK are stored on the pro- MAC of each key is stored along with the encrypted tected volume.

9 Each copy of the VMK is encrypted version of that key. When the system decrypts the using a different key. The different keys allow dif- ciphertext, it can compute a MAC for the decrypted ferent access mechanisms to be used to access the value. If the computed MAC matches the stored stored data. Each access mechanism can be used to MAC, then the system can assume, with an error decrypt a copy of the VMK which in turn is used to probability of 2 128 , it has successfully decrypted the decrypt the FVEK which in turn is used to decrypt key. the protected data. The Encryption and decryption operations of AES- The supported access mechanisms in Windows CCM mode also depend on a nonce, or a number used Vista, documented in [5], are a Trusted Platform once to generate an initialization vector. The nonce Module (TPM) chip, TPM plus a PIN, TPM plus is also stored with the ciphertext.

10 An external USB device (aka Startup Key ), an ex- At this point we begin describing how these cryp- ternal USB device, a recovery password, or an unpro- tographic primitives are implemented in BitLocker . tected key saved to the protected volume. The last Specifically we are interested in how to conduct case is used to disable the BitLocker system without the decryption operations, where each of the above requiring the user to decrypt the protected data. named values is stored, and any other information Using AES-CCM mode to encrypt these keys al- that can be gleaned from those values. lows BitLocker to determine if a decryption opera- We'll begin with the BitLocker key structure. This tion has been successful. An AES transform can be structure is used to hold Encryption keys such as the applied to any data using any key and be consid- FVEK. The structure, shown in Table 1, holds a size, ered successful.