In today's video, we are going to take a look at BitLocker and
other encryption that Windows provides,
and how to unlock BitLocker without a password.
It is a useful technique, and it is usually used
in forensic investigations. BitLocker is something
that encrypts the data on the disk, so that whenever the hard disk
is unplugged from the computer and plugged into another computer,
the hard disk or partition cannot be opened and the data
cannot be retrieved without the password. BitLocker is basically like
encrypting the hard disk, so that once it is unplugged, it cannot be used
in other computers or without the key.
BitLocker is used in conjunction with a hardware component
called the TPM (Trusted Platform Module).
The TPM is like a smart card, and
it is present on the motherboard and stores
recovery keys. BitLocker requires TPM
version 1.2 and higher. Right now, we are using a
virtual system, also known as VirtualBox,
to demonstrate 'How to use Elcomsoft Disk Decryptor',
'How to unlock a BitLocker-encrypted hard drive or flash drive',
'How forensic investigators conduct investigations on locked pen drives' and
'How to conduct a forensic investigation with Elcomsoft Forensic Disk Decryptor'
on BitLocker devices and hard drives.
For example, let's start. I have just plugged in a
hard drive, an extra hard disk, for demonstration
purposes. Let's try to learn 'How to encrypt using BitLocker',
'How to encrypt a device with BitLocker'.
Before that, let's create a new partition, in which I will add
a few files, and then encrypt the partition.
Let's create a new partition. I will create a new simple
volume, and as you can see, the volume, or the disk drive,
is created. Let's paste some simple data.
For example, we will paste some sample music
that is provided inside Windows.
I will just copy it and paste it inside the new volume. And now
this is the data that we will try to retrieve. For example,
let's rename the disk as 'bit locker'. Let's
encrypt it. If the user tries to encrypt it,
there are three options to encrypt the data. The first
one is via a password; then you can use the smart card,
i.e. the TPM feature; and you can automatically
select and unlock the drive on this computer.
Usually, you have to enter a password, and this is what
we will do. You can also use a smart card.
Since we are on VirtualBox, we don't have the
TPM feature yet. We will just enter the password.
I will just enter a random password and click on Next, and
the encryption will start. It takes some time to encrypt,
and since we have a smaller amount of data
on the hard disk, it will be faster.
After encryption, you have to save the recovery key. You can either save it to
a USB or as a file. In case you forget
the password, these keys are used to recover
the password and decrypt the data.
As you can see,
there are some keys available, and this file is very important
for decrypting the BitLocker-protected device or
drive. As you can see, encryption has started, and
we are going to use software that
actually extracts the data and recovery key from memory, so we don't need
that file to decrypt the data. You can actually
use the software to encrypt and decrypt data from
the file, and it actually supports VeraCrypt and various
other decryption like FileVault 2, PGP,
TrueCrypt and various other hardware decryptions.
There are tons of decryption options available. It actually
extracts the key from RAM, and it actually
works and tries to dump memory.
There are tons of features; it is the best
forensic tool. This is the best forensic
disk decryptor tool that I have ever seen. You need to download
the setup once you have purchased the software. Yes, it is paid software.
You have to purchase it. Once you have purchased the software, you have
to install it, and you will be provided with a download link
along with a license key and a product key for the product.
By the way, if you are into forensic investigation, then I would
strongly suggest you check the link provided in the description for more detail
about the product. For now, let me just install the
product. As you can see, the setup is downloaded in the Downloads
folder. I will click on Run, I will click on Next,
let's click on Accept, and over here you have to enter the purchased license
key, after which you will be presented with the screen
that allows you to install it. As you can see,
I have installed the software, and there are tons of features, including
dumping memory and analysing memory. They are
the experts and the best developers, and they develop
the best tools that are used by forensic investigators.
So there are various options available. I will guide you through all the options.
For example, you can create a portable version.
You can decrypt the drive, which is actually the last step.
You can decrypt a physical drive which is present
on the computer, i.e. a physical disk,
hard disk or physical partition, basically. You can also
decrypt an image. As you can see, this was the one that
was encrypted. You can select a memory dump, you can select saved keys,
you can select a password file and various other
things. We will take a look at all these options in a bit,
but for now, let's take a look at all the features that are available
in the software. It actually tries to
get the passwords from the memory dump and even from the
password file. You can also use an image. Most
forensic investigators create an image of the
victim's computer or the victim's hard disk. You can use an image;
you can also use various mining tools. These tools
will provide the key from the memory dump. I will also
show you how to create a memory dump and find
keys in the memory. The third option is to extract the data using
various recovery tools that they provide. You can actually
save the BitLocker-protected volume into a file,
which can
later be used to recover passwords. As you can see,
I will just save it as a test file. Step 1 is
to dump the memory. Why is memory dumping
so important? Usually, all software
stores something in RAM. BitLocker
also stores the recovery key in RAM. You can
save the memory dump. You can create the memory dump
and save it. There are various other software tools available in the market
which store a memory dump, but this is the best
that I have ever seen, because it is faster, and all the other
dump creators and memory dumpers take a long time. The next step is
to extract the keys from the dump. You can either
directly decrypt the file or the disk using the memory dump,
or you can extract the keys first. In this case, we will extract the
key first. We will extract the recovery key just to demonstrate the
key extraction. You just have to select the memory
dump and it will start working on its own.
So the software is something that works on its own and
has all the features that are required to unlock a
BitLocker disk drive and even various other encrypted
drives and disks. It also has features
that work along with other software. For example,
if you have an image of the partition, or if you have an
image of the victim's drive, you can use it.
As you can see, various keys are extracted, and you can actually see
various PGP keys and various other keys.
You can select and save the keys. You can extract the recovery keys from a memory dump.
If you have a tool that creates a memory dump,
then you can extract the keys from the memory dump. If you have
the memory dump, you can directly decrypt them, or you can
use the saved keys to decrypt.
There are various options available to decrypt the disk. As you can see,
I will select the key file. You can also select the memory
dump. Now it's time to save the decrypted disk.
You can either save it as a file or mount it directly.
This makes it simple. I will just mount the
decrypted disk: I will click on Mount, then I will click on Allow Access,
and this will mount the disk. Let's move on to
'My Computer'. As you can see, this is the encrypted partition and
this is the decrypted partition. We have all the decrypted data as it is,
in a separate mounted disk drive. This is how it works.
It's an awesome piece of software.
It is an all-in-one tool, and they also make various forensic investigation tools
that will help you with your investigation.
If you are a forensic investigator, then I would suggest you
visit their website and take a look at
all the products that they provide. All the best, guys!
Thanks a lot for watching. Hit the like button if you liked the video.