Cybersecurity News

Decrypting DDs from Bitlocker-Encrypted Disks during a Digital Forensics Analysis

Hello everyone!  

Following the article on intrusion analysis via Team Viewer that I recently shared in Flu Project, a colleague asked me how to approach forensic cases in which we come across a disk encrypted with Bitlocker. In these cases, processing a dd clone is not immediate: tools such as Autopsy do not (at least without scripts or plugins) decrypt these disks, so the image must be decrypted before it can be loaded into an analysis tool. Luckily, there are already tools we can use for this, and one of the most widely used is bdemount.

There is little to say about bdemount. As its own description indicates, it mounts a BitLocker Drive Encryption (BDE) encrypted volume. Obviously, we will need to know the password in advance, as well as the offset at which the encrypted partition begins. There are ways to recover the Bitlocker key from a memory dump with tools such as Volatility, but I'll leave that for future articles. 

Once the forensic disk is cloned in dd format, we can list its contents using fdisk -l (encryption does not prevent cloning, so up to this point we should have no major drawbacks):  

The disk may contain several partitions, and the one we want to access may be the encrypted one. You can find out visually with Autopsy itself or with FTK Imager:

Or, if you prefer the terminal, with hexdump:

To know whether a partition is encrypted with Bitlocker, look at its first bytes: you will find the string "-FVE-FS-". Here is a remarkably interesting link with many technical details about Bitlocker encryption:

Once the partition is identified, the only thing left to do is mount it in a decrypted form. To do this, here are the parameters to be used:

sudo bdemount -pPASSWORD -o $((512*OFFSET)) forensicsimage.dd /media/destination

Remember to create the destination folder beforehand, with write permissions. 

Now you can work with it as you deem appropriate. You can make another dd of the decrypted partition, you can analyse it from, for example, the version of Autopsy for Linux, you can extract specific files such as access logs to a certain application, etc.
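The partition check and offset calculation described above, as an added example that is not part of the original post: it parses the MBR of a dd image, looks for the "-FVE-FS-" signature at the start of each partition, and derives the byte offset that bdemount's -o parameter expects (the sample image is constructed in memory; the PASSWORD placeholder is an assumption).

```python
import struct

BDE_SIGNATURE = b"-FVE-FS-"  # OEM id found at offset 3 of a BitLocker volume header
SECTOR = 512                 # sector size assumed by the 512*OFFSET calculation


def mbr_partitions(image: bytes):
    """Yield (index, type, start_lba, sector_count) for the four primary MBR entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count != 0:
            yield i + 1, ptype, start_lba, count


def find_bitlocker_partitions(image: bytes):
    """Return [(index, start_sector, byte_offset)] for partitions carrying the BDE header."""
    hits = []
    for idx, _ptype, start, _count in mbr_partitions(image):
        byte_offset = start * SECTOR
        if image[byte_offset + 3: byte_offset + 11] == BDE_SIGNATURE:
            hits.append((idx, start, byte_offset))
    return hits


def bdemount_command(image_path: str, byte_offset: int, mountpoint: str) -> str:
    """Build the bdemount invocation from the page (PASSWORD is a placeholder)."""
    return f"sudo bdemount -p PASSWORD -o {byte_offset} {image_path} {mountpoint}"


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: partition 1 looks like NTFS, partition 2 like BitLocker."""
    img = bytearray(4096 * SECTOR)

    def entry(ptype, start, count):
        return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, count)

    img[446:462] = entry(0x07, 2048, 1024)
    img[462:478] = entry(0x07, 3072, 1024)
    img[510:512] = b"\x55\xaa"
    img[2048 * SECTOR: 2048 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    img[3072 * SECTOR: 3072 * SECTOR + 11] = b"\xeb\x58\x90" + BDE_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    for idx, start, off in find_bitlocker_partitions(build_sample_image()):
        print(f"partition {idx}: sector {start} -> {bdemount_command('forensicsimage.dd', off, '/media/destination')}")
```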

In addition to bdemount, you can also use other tools such as Dislocker to decrypt a partition encrypted with Bitlocker. Dislocker is available among Kali's tools. Here is an interesting post by Stefan Rows, where he not only explains how to install and use Dislocker, but also details how to prepare an auto-mount script:

Finally, and to bring you some more reading on Bitlocker decryption for this week, here is a Twitter thread that I found thanks to DragonJAR:

A gem of a thread by Jon Aubrey, in which he shows how he managed to decrypt an encrypted laptop (in fact, with Dislocker) by extracting the key at the hardware level with a Saleae logic analyzer:

I’m sure this thread will have you "playing" for a while with any laptop you may have at hand :) 

I hope you found this article interesting. 


Digital Forensics of emails in Microsoft Office 365


The advancement of the cloud and the automation of processes in companies are leading Microsoft Office 365 to spread unstoppably, replacing traditional installations of Exchange that required greater maintenance and control. However, the cloud brings changes, and we have to adapt to a host of new settings, new ways to do things and new licensing modes. 

From a forensic point of view, experts used to have several options to present an expert opinion attesting to the existence of certain emails within a mailbox. Among other notable options —and following the principle of always "cloning" the largest container—, we could access Exchange to export the user's mailbox, we could clone the mail server itself, or even the hard disk of the user's own PC, from which the PST would then be extracted. However, this is changing. Servers now sit with an external provider, Microsoft (as was already the case if we had contracted hosting in SaaS mode), and users are getting used to working with Office 365 from their browser. Under these circumstances, how can we clone an email inbox while fully guaranteeing forensic integrity? Keep reading to find out! 


In Zerolynx we carry out forensic expert reports every month, mainly derived from clients who call us after having suffered a CEO Scam, with the aim of, on the one hand, analysing the security breach that has led to the interception of the mail to try to tackle the issue, and, on the other hand, to facilitate the prosecution of the case and the potential recovery of the money. But we will talk about these cases in another article, today we want to focus only on Office 365. 

The first thing we need to know is that Microsoft has different licensing modes, depending on the number of tools and functionalities included. Advanced security is only included in the E5 suite. Please, keep this in mind, because later we will return to this detail.


Most of the companies that work with Office 365 have E1 or E3 suites, which usually cover almost all the needs of organizations. 


When Zerolynx started performing forensics in Office 365, we kept working as usual, cloning the computers of the users where their mailboxes were synchronized (within the Outlook client), but then we came up with a forensic case where this was not possible. Omitting the complexity of the case, which does not provide any further detail to contextualize the article itself, we referred to the Office 365 compliance centre with a user with the corresponding privileges provided by the client. Our aim was to access, freeze the mailbox to have a full and unalterable copy that guaranteed that we would always get the same hash signature, and download it. 

Below, we briefly show the mailbox download process, which is widely documented in multiple articles on the Internet.


Mailbox selection

Details of results

Exporting information

Downloading the results

Once the PST was downloaded, we signed the file, obtaining the corresponding SHA256 hash. Then, as is good practice in forensics to ensure integrity, we downloaded it again and re-signed it to verify that the process was working correctly, so that, if a second report had to be issued, the future extraction would be identical to the current one. To our surprise, despite the mailbox apparently being immobilized, the hash did not match. What was happening? Although we had a fairly clear idea of what was going on, we opened a case with Microsoft, and took the opportunity to discuss the issue in parallel with other MVPs who, like us, deal with these technologies regularly. A few days later we got the following answer:


Yes indeed, contrary to what you might think, Microsoft modifies the files in real time during each download, adding certain bytes that alter their content, and, therefore, their hash. Thus, it is not possible to download an entire mailbox while maintaining its integrity. 

Under these circumstances, and with some lateral thinking, the situation could still be justified in the expert report: the technological problem would be reported and, as a last resort, the individual "msg" of the email to be ratified would be extracted and signed, in order to evidence that the same hash would be obtained if it were extracted in a future download. But, once again, we got a surprise: the msg files were not stable either, and they also included certain new bytes with each download.  
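The re-download check described above, as an added example that is not part of the original post: it hashes two acquisitions of the same export (PST or msg) and, when they differ, records the size delta and the first differing offset so the discrepancy can be documented in the report. The two acquisitions are constructed in memory here; the assumed layout (extra bytes appended to the second copy) is an illustration, not a statement of where Microsoft inserts them.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an acquisition, the value that would be signed in the report."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Return the first byte offset where the two acquisitions diverge, or None if identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_acquisitions(first: bytes, second: bytes) -> dict:
    """Compare two downloads of the same export; the report entry a practitioner would attach."""
    h1, h2 = sha256_hex(first), sha256_hex(second)
    return {
        "sha256_first": h1,
        "sha256_second": h2,
        "integrity_ok": h1 == h2,
        "size_delta": len(second) - len(first),
        "first_diff_offset": first_difference(first, second),
    }


def build_sample_acquisitions():
    """Constructed data: a fake export and a second copy with extra bytes appended."""
    export = b"!BDN" + b"\x00" * 508 + b"message body " * 40  # PST-like header, made up
    second_download = export + b"\x17\x2a"                   # constructed extra bytes
    return export, second_download


if __name__ == "__main__":
    first, second = build_sample_acquisitions()
    for key, value in compare_acquisitions(first, second).items():
        print(f"{key}: {value}")
```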

Hence, there was only one solution left, and it is the one Microsoft gives as its response: acquire an E5 license, which, with the Advanced eDiscovery option, does allow generating an "online" hash and guaranteeing that hash across downloads. 

Formerly, the companies specialising in forensics were the ones who had to acquire the necessary tools to perform cloning and analysis, but, with the new approach to the cloud, everything is oriented to customers who now have to buy these tools and give us investigators access so we can work. 

Here follow some of the screenshots of the process so that you can see how the hash would be generated with an E5 license.


Access to Advanced eDiscovery

Case creation

Subsequently, a suspension of the mail account would be created to preserve the contents of the mailbox in its entirety.

Suspension of mail account

Selected Account Suspension Detail and Date Filters

A custodian would then be assigned to the case:

Custodian Assignment

Later, a collection would be created, that is, the complete content of the mailbox to be downloaded would be selected:

Collection Detail

At this point, a review set would be created that would be assigned to the previously defined collection:

Creation of Review Set 

Assignment of Review Set to Collection 

And finally, the forensic export file would be generated:


Exporting information 

Once the export has been generated, it would be downloaded.

Downloading the results

Once downloaded, it maintains its integrity and, therefore, guarantees its hash over time.


The most important thing in an expert report is to be clear, to be sure, and to conclude without doubt that our premises are the right ones. It is true that the unalterability of the content of a piece of evidence can be argued even if its hash signature changes. But if we can avoid that argument, in this case by contracting a new license, we will save ourselves explanations and questions during ratification in court. Therefore, before starting an Office 365 forensic analysis, make sure that your client has an E5 license you have access to; otherwise, the issue may cause you some major headaches.