How to Decrypt a BitLocker Drive
OSForensics is capable of accessing images or drives that are encrypted using Bitlocker, though it is important to understand that this is only achievable where the user has a valid key.
The following key protectors can be used to unlock a drive:
- Recovery Key
- Start-up Key File (.bek file)
1. The image or disk must first be added in its encrypted form to your case. For example, an Encase image file of a BitLocker encrypted drive, bitlocker.e01 is added.
2. To access the drive in decrypted form, a ‘BitLocker Drive’ device must be added to the case on top of the image file device. To do this, open the ‘Add Device’ dialog and select ‘BitLocker Encrypted Drive’. From here you can select the previously added bitlocker.e01 image file from the drop down list.
3. To Verify whether the drive can be decrypted, click on ‘Verify Key’. This will open a new window where you can select one of the key protectors to unlock the device. If a key protector is disabled this means that it cannot be used to unlock the drive.
4. Upon successful key verification, click Ok in the ‘Add Device’ dialog and this will add the image or disk to the case.
5. This will prompt a 2nd verification window, after entering the key one more time the device should be accessible via any OSForensics module in decrypted form.
6. Once you have verified the drive, it will be both visible and accessible in your list of devices.
It is important to note that OSForensics supports the following encryption algorithms BitLocker uses to encrypt the drive:
- AES-CBC 128-bit encryption with diffuser
- AES-CBC 256-bit encryption with diffuser
- AES-CBC 128-bit encryption
- AES-CBC 256-bit encryption
- AES-XTS 128-bit encryption
- AES-XTS 256-bit encryption
Related: It is also possible to make your own self booting USB flash drive from within the OSForensics software.