Full Volume Encryption (FVE) is the process of encrypting a partition on a physical drive. This approach to encryption is slightly different from Full Disk Encryption (FDK) that encrypts the entire disk, including any and all partitions, slack space, and unallocated space.
If dealing with a machine that is powered off, an examiner would have a difficult time booting into the primary partition if that partition is volume that is encrypted using FVE. A password would be required upon boot time to unlock the volume and continue with the boot process. If the primary partition is unlocked but a secondary partition on the drive is encrypted using FVE, an examiner would be able to boot the machine and examine the file system. In either case imaging the drive would be best option for further examination.
A machine that is “live” presents an examiner with a stronger possibility of recovering file system information especially if the volume in question that is encrypted has been unlocked by the user. At this point the main objective of the examiner would be to keep the machine powered on in its current state and extract an image of the entire disk and dump the current state of memory for later examination. If a volume on the machine has not been unlocked in this current state, it would still be prudent on the part of the examiner to dump the memory to further examine for clues to what the encryption key could be.
A physical disk includes any number of partitions within it. Each partition within the drive is considered a volume. The disk also can include unallocated space that does not belong to a partition. A forensic image of a disk would encapsulate the data found within the disk. This would include the volumes found on the disk, along with any other unused space. A forensic image of a volume would include creating a clone of a given volume within the disk. The image would not include other volumes or unused space on the disk. An image file of either the disk or volume would duplicate the data found on either to the binary level. Every bit from the beginning of the disk or volume to the end would be copied into the image file for further examination.
Imaging the physical disk and logical volume on a “live machine” result in different information gathered. An image of a physical disk will return a bit for bit clone of the disk. This includes artifacts such as deleted files, slack space, unallocated space, etc. Every bit of data that is found on that physical disk is available for examination. When using forensic software on an image of a physical disk, the data in its entirety is presented to the examiner. A forensic image of a logical volume would return less information about the machine. Given that the image is of a particular volume on the disk, this leaves out data that resides outside of the volume on the rest of the disk. An image of a logical drive will not include slack space, unallocated space, and other areas that do not reside in a logical volume. These areas along with possible artifacts will not be present within forensic software if examining a logical volume image.
Scenario
The device found at the scene is a Windows Surface tablet. This is a battery powered mobile device that requires an external power source for extended use. An initial examination of the device would include creating an image of the disk and dumping the contents of memory into an external storage device. This would prove to take quite a bit of time, enough to run the battery down on the device which would possibly compromise the image or memory dump. A forensically tested power supply provided by the examiner would be better to use than the suspect’s device for reliability.
The operating system running on the tablet is Windows 8 Enterprise. An enterprise edition of Windows suggests that this device was company issued. A company issued device usually means there is an IT department responsible for maintaining a fleet of these devices. A talk with the IT Manager or System Administrator for the department may lead to information that would help the investigation. Information from the IT department may also help with the fact that the device is currently sitting at the user account lock screen. If in fact this device is maintained by an IT department, the user credentials may be for the company’s internal domain. The IT department could possibly clear the password of the user through Active Directory, allowing the examiner into the locked machine.
An iPhone is also found on scene with the “mSecure” app running with two entries; “BL encryption” and “Windows PW’s”. The app “mSecure” is a password management tool for storing and encrypting passwords. The app stores data with 256 Blowfish encryption. The first password entry, “BL encryption” could possibly refer to a bitlocker encryption password while the second password entry, “Windows PW’s” could possibly refer to Windows passwords including the user account. This assumption is also strengthened by the suspect saying the following during an interview; “Good luck getting into my Surface. Besides, my stuff is bitlocked.”
Actions taken
The objective of those arriving first on scene is to preserve the state of the devices so that they can be examined without contaminating evidence. Since both devices are found to be on, keeping them in this state is crucial to an investigation. After taking pictures of the initial states of each of the devices, including physical location and current screen state, an external power supply should be applied if not already in use. Ideally a power supply that has been forensically tested for reliability should be used to power the device. A power supply with a battery backup would also prove to be the best approach in this case so not to rely on the power infrastructure at the scene. If the power were to fail at the site, the battery backup would keep the device powered on for examination. The iPhone should be kept in an awaken state if unlocked so not to allow the OS to time out and possibly lock the phone.
A forensic memory dump of the devices should then be done. This will give examiners better insight to the state in which the devices were when investigators arrived on scene. Information regarding the current state of the system can be gathered by examining a memory dump file. Currently running programs and other system information can be gathered from a memory dump file. Once the memory of both devices has been acquired, forensic physical disk images would then be made. A physical disk image of the device would allow an examiner to search the entire disk of the device. Immediately following acquiring physical image and memory dump files of both devices, a hash value should be calculated and noted for each file. Once back in the lab, hash values will be calculated again and compared for data consistency.
Once images and memory has been acquired, an investigator would inquire about the suspect’s employment with a possible company that might be responsible for maintaining his tablet. This would be done because of the operating system the Surface is running. Windows Enterprise is not a common operating system for a general consumer to be using. It is usually used by employees of enterprise level businesses with their own central infrastructure. This infrastructure could be very helpful in possibly recovering the user account password and any bitlocker password. If the user account that is locked on the Surface is a domain login, the IT department should be able to clear the password. If the IT department allows for bitlocker to encrypt drives through Group Policy and has bitlocker recovery enabled in Active Directory, the bitlocker key can easily be recovered by a system administrator.