Handling Windows Vista Bitlocker Encryption in Forensics Investigations


BitLocker is the full-volume encryption feature of Windows Vista Ultimate and Enterprise editions; it encrypts the entire volume on which the operating system is installed. Its purpose is to protect the system against offline attacks: if the encrypted hard drive is removed from its original computer and booted from another system, access to the volume is blocked. While this is a gain for system security, it poses serious challenges for computer forensic examiners, who need the encryption keys to examine a BitLocker-protected volume. This paper investigates the implications of BitLocker for forensic investigations and proposes forensic guidelines for handling BitLocker encryption in forensic examinations. Several forensic tools were used to examine a BitLocker-encrypted volume using both offline and online imaging. The experiments revealed that acquiring online images is the optimal approach to handling BitLocker drive encryption. Based on these results, digital forensics guidelines for Windows Vista BitLocker encryption were developed.