
Research On Bitlocker Keys Extraction From Memory Image And Application

Posted on: 2017-01-11
Degree: Master
Type: Thesis
Country: China
Candidate: L G Liu
Full Text: PDF
GTID: 2348330533950180
Subject: Computer technology
Abstract/Summary:
Disk encryption is increasingly used, which makes it difficult for investigators to extract the original evidence from the protected data of suspicious targets and poses enormous challenges to computer forensics. An on-the-fly disk encryption system keeps its keys in memory for as long as the system is running, so memory contents become the security weak point of disk encryption systems. As an important branch of computer forensics, memory forensics is able to obtain credible evidence and key material, and it has attracted the attention of the information security field and forensic institutions in recent years.

BitLocker Drive Encryption is a disk encryption system developed by Microsoft and widely deployed in most recent Windows operating systems. Based on the practical needs of on-scene forensics, various types of BitLocker-encrypted volumes are tested and analysed in experiments. By studying the patterns of the structure and spacing of BitLocker keys in memory under a variety of forensic scenarios, and building on AES key extraction techniques, the thesis proposes a Volume Master Key extraction method and a Full Volume Encryption Key extraction method based on memory images.

The thesis examines BitLocker's encryption methods and disk encryption technology, and then develops a forensic tool named BitLocker Decryptor Forensic System, consisting of four modules: the key extraction module, the encrypted volume analysis module, the key verification module and the encrypted volume decryption module. This forensic system can intelligently extract BitLocker keys from memory images and verify which key is correct. Many encrypted volumes created with all sorts of encryption methods and file formats were tested on multiple versions of Windows, and the experimental results show that the system extracts BitLocker keys quickly, effectively and stably in complex forensic cases.

It can complete the decryption of encrypted volumes automatically to obtain reliable evidence, and files can finally be recovered from encrypted disks or protected mobile devices. BitLocker Decryptor Forensic System could be a potent tool for the forensics of encrypted data.
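The abstract refers to "AES key extraction techniques" without describing them. The following Python is an added illustration, not the thesis's BitLocker Decryptor Forensic System, of the core idea those techniques rely on: while a volume is mounted, the cipher's in-memory key context holds the AES key followed by its expanded key schedule, so a forensic scan can confirm a candidate 16-byte block by recomputing the schedule and comparing. The memory image, its filler and the planted key are constructed in the code (the FIPS-197 test key is used); real BitLocker images and the VMK/FVEK container structures are not handled, and AES-256 keys would need the 256-bit schedule instead.

```python
import random

def _make_sbox():
    # Build the AES S-box from GF(2^8) inverses and the affine map instead of a 256-entry table.
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q /= 3, so q = 1/p
        if q & 0x80: q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1: break
    sbox[0] = 0x63
    return sbox
SBOX = _make_sbox()

def _next_word(w, i, rcon):
    # Expanded-key word i from the previous word and the word 16 bytes back (FIPS-197 sec. 5.2).
    t = w[i - 4:i]
    if i % 16 == 0:  # every fourth word: RotWord, SubWord, XOR round constant
        t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
    return [w[i - 16 + j] ^ t[j] for j in range(4)]

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 176 bytes holding the 11 round keys."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        w += _next_word(w, i, rcon)
        if i % 16 == 0:
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
    return bytes(w)

def find_aes128_keys(image):
    """Offsets of 16-byte blocks followed by their own AES-128 key schedule, the layout a
    cipher's in-memory key context has; no knowledge of surrounding structures is needed."""
    hits = []
    for off in range(len(image) - 175):
        cand = list(image[off:off + 16])
        # Cheap prefilter: expand the full schedule only if the first derived word matches.
        if image[off + 16:off + 20] != bytes(_next_word(cand, 16, 1)):
            continue
        if image[off:off + 176] == expand_key(cand):
            hits.append(off)
    return hits

def build_sample_image(planted_at=1024):
    """Constructed 4 KiB 'memory image': seeded random filler with one key schedule planted."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1 test key
    filler = bytes(random.Random(7).getrandbits(8) for _ in range(4096))
    return filler[:planted_at] + expand_key(key) + filler[planted_at + 176:], key, planted_at
```

Calling `find_aes128_keys` on the image from `build_sample_image()` returns the planted offset only; the all-zero and random regions never match because the first derived word already differs.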
Keywords/Search Tags: memory forensics, BitLocker, key extraction, decryption