Forensics Wiki

BitLocker is a drive encryption technology introduced by Microsoft in its Windows Vista Operating System.

Default Configuration

BitLocker is off by default on a clean RTM install of the Windows Vista Ultimate Operating System.

OEM Default Configurations

There are no known configurations of OEM machines with BitLocker enabled by default.

Hardware Requirements

  • Two NTFS drive partitions.
  • For TPM
    • Trusted Platform Module (TPM) microchip, version 1.2, turned on.
    • Trusted Computing Group (TCG)-compliant BIOS.
  • For non-TPM
    • USB flash drive.
    • A BIOS that can read and write to a USB flash drive.

Software Requirements

BitLocker will be available in Windows Vista Ultimate and Windows Vista Enterprise versions only.

Modes

TODO
  • TPM (Trusted Platform Module)
  • USB Memory Stick

Back doors

There is no plan to implement back-door access in BitLocker.

Detection using WMI

To detect BitLocker or a TPM, you can use the Security WMI Providers. The reference page has links to both the BitLocker provider and the TPM provider. Search for "Security WMI Providers Reference" if the link no longer works. As an example, the "GetEncryptionMethod" method of Win32_EncryptableVolume on the BitLocker provider indicates the encryption algorithm and key size used on the volume.
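The following PowerShell script is an added example and is not part of the wiki page. It queries the two providers named above from an elevated PowerShell 3 or later session: Win32_EncryptableVolume (for each volume's encryption method and protection status) and Win32_Tpm (for TPM presence and state). The namespace paths, class and method names, and the numeric return codes are the documented ones; everything else (function names, output layout) is the example's own choice.

```powershell
# Added example, not from the Forensics Wiki page: query the BitLocker and TPM
# WMI providers for each volume's encryption state and for the TPM's state.
# Assumes an elevated session on Windows; the namespaces, class and method names
# and the numeric codes are the documented ones, the function names are ours.

$bdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'

# Documented EncryptionMethod output values of GetEncryptionMethod.
$encryptionMethodNames = @{
    0 = 'NONE'
    1 = 'AES_128_WITH_DIFFUSER'
    2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'
    4 = 'AES_256'
    5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'
    7 = 'XTS_AES_256'
}

# Documented ProtectionStatus output values of GetProtectionStatus.
$protectionStatusNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

function Get-BitLockerVolumeState {
    # One record per encryptable volume, with the numeric codes decoded.
    Get-CimInstance -Namespace $bdeNamespace -ClassName Win32_EncryptableVolume |
        ForEach-Object {
            $method = Invoke-CimMethod -InputObject $_ -MethodName GetEncryptionMethod
            $status = Invoke-CimMethod -InputObject $_ -MethodName GetProtectionStatus
            [PSCustomObject]@{
                DriveLetter      = $_.DriveLetter
                DeviceID         = $_.DeviceID
                EncryptionMethod = $encryptionMethodNames[[int]$method.EncryptionMethod]
                ProtectionStatus = $protectionStatusNames[[int]$status.ProtectionStatus]
            }
        }
}

function Get-TpmState {
    # Win32_Tpm only exists when Windows can see a TPM, so an empty result
    # means "no TPM present", not a query failure.
    $tpm = Get-CimInstance -Namespace $tpmNamespace -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [PSCustomObject]@{ Present = $false } }
    [PSCustomObject]@{
        Present     = $true
        SpecVersion = $tpm.SpecVersion
        Enabled     = $tpm.IsEnabled_InitialValue
        Activated   = $tpm.IsActivated_InitialValue
        Owned       = $tpm.IsOwned_InitialValue
    }
}

Get-BitLockerVolumeState | Format-Table -AutoSize
Get-TpmState | Format-List
```

On Vista-era Windows PowerShell, which predates the CIM cmdlets, the same classes are reachable with Get-WmiObject and the methods can be called directly on the returned objects (for example `$volume.GetEncryptionMethod().EncryptionMethod`). A volume that reports NONE as its method and Unprotected as its status is simply not encrypted, which is the expected state on a clean Vista install.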

Detection Without WMI

When you need to detect BitLocker from a different Operating System, you can look at the BIOS Parameter Block (BPB) which is located in the first bytes of the first sector of the volume. The 8 bytes starting at offset 3 should be "-FVE-FS-". Further information can be found on the System Integrity Team Blog.
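The following script is an added example, not code from the wiki page. It implements the check described above in PowerShell so it can be run from Windows or from PowerShell on another operating system against a raw volume image or a block device: it reads the first sector and compares the 8 bytes at offset 3 with "-FVE-FS-". The image path is an assumption, and the two sample sectors built at the end are constructed for the demonstration, not captured from real drives.

```powershell
# Added example, not from the Forensics Wiki page: look for the BitLocker OEM ID
# "-FVE-FS-" at offset 3 of the first sector of a volume. The path passed to
# Test-BitLockerImage is an assumption; the sample sectors below are constructed.

function Get-BootSectorOemId {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 11) { throw 'Sector too short: need at least 11 bytes' }
    # Offsets 0-2 hold the 3-byte jump instruction; the 8-byte OEM ID follows at offset 3.
    [System.Text.Encoding]::ASCII.GetString($Sector, 3, 8)
}

function Test-BitLockerSector {
    param([Parameter(Mandatory)][byte[]]$Sector)
    (Get-BootSectorOemId -Sector $Sector) -eq '-FVE-FS-'
}

function Test-BitLockerImage {
    # Accepts a raw volume image or, with sufficient rights, a block device
    # (for example \\.\D: on Windows, or /dev/sdb1 under PowerShell on Linux).
    param([Parameter(Mandatory)][string]$Path)
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $count = $stream.Read($sector, 0, $sector.Length)
    } finally {
        $stream.Dispose()
    }
    # A short read (empty or truncated image) cannot carry a valid BPB.
    if ($count -lt 11) { return $false }
    Test-BitLockerSector -Sector $sector
}

# Constructed sample sectors: a jump instruction, the OEM ID, then zero padding.
function New-SampleSector([string]$OemId) {
    $sector = New-Object byte[] 512
    $sector[0] = 0xEB; $sector[1] = 0x52; $sector[2] = 0x90
    [System.Text.Encoding]::ASCII.GetBytes($OemId).CopyTo($sector, 3)
    $sector
}

$bitlockerSector = New-SampleSector '-FVE-FS-'
$plainNtfsSector = New-SampleSector 'NTFS    '
"Constructed BitLocker sector: $(Test-BitLockerSector -Sector $bitlockerSector)"
"Constructed NTFS sector:      $(Test-BitLockerSector -Sector $plainNtfsSector)"
"OEM ID of NTFS sector:        '$(Get-BootSectorOemId -Sector $plainNtfsSector)'"
```

The check deliberately reads only the first 512 bytes and never writes, so it is safe to point at an evidence image. Because it looks at the volume's own boot sector, the path must refer to the volume (partition), not to the whole disk; on a whole-disk image the first sector holds the partition table instead.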

Algorithm

The BitLocker cryptographic algorithm has been published.

External Links
