





Reverse Engineering of Bitlocker External Key Files and Meta Data - A Forensic Need
Microsoft’s BitLocker tool has made the job of forensic analysts tougher. Its full disk encryption feature enables users to encrypt their data. When operated in USB key mode, BitLocker generates an external key file called a .bek file[1]. An investigator needs this file to unlock and decrypt an encrypted drive. If the investigator fails to obtain this .bek file, he cannot unlock the encrypted media and cannot proceed with further analysis. In this paper we propose a solution to this problem which aims at reconstruction of a .bek file. We observe the metadata sector of the encrypted drive. The metadata sector gives information about the .bek file name. This can be used to reconstruct a file. This reconstructed .bek file can be used to unlock encrypted media and proceed with further forensic analysis.
Keywords
Bitlocker[4], .bek File[4], Metadata[1], USB Key Mode[4].