| BitLocker To Go, Google Earth Forensics at DoD Cyber Crime Conference |
[Sep. 9th, 2009|10:29 am] |
I have been selected to give two presentations at the 2010 DoD Cyber Crime Conference in January 2010 in St. Louis, MO. Unfortunately the St. Louis Blues will be out of town during the conference. Does anybody have some ideas on what to see and do during the off hours? The Stella Artois Anheuser-Busch tour? The gourmet burger bar? What else?
My first talk will be on BitLocker To Go, how Microsoft has extended BitLocker Disk Encryption to removable devices like USB sticks. You can learn how the technology works, how it uses passwords and smart cards, its applications for force protection, and how the protected data can be accessed during forensic examination. The second talk will cover Google Earth cache file forensics. You'll see what data is in the file, how it's stored, and how it can be viewed.
Speaking of BitLocker, we discussed the tool in the most recent CyberSpeak podcast, published on Monday. The show was recorded live at the SANS What Works in Computer Forensics conference a few months ago. You can listen as Ovie and Bret interview me, Harlan Carvey, Ken Bradley, and Rob Lee on a host of topics. |
|
|
| BitLocker Paper Accepted |
[Jan. 14th, 2009|10:17 am] |
My paper on Microsoft's BitLocker, Implementing BitLocker Drive Encryption for Forensic Analysis, has been accepted for publication in the journal Digital Investigation. The paper has been significantly revised since I last wrote about it. The online version bears only a passing resemblance to the final version. As such, here's the new abstract:
This paper documents the BitLocker Drive Encryption system included with some versions of Microsoft's Windows Vista. In particular it describes the key management system, the algorithms and modes used, and the metadata format. Particular attention is given to methods forensic examiners can use to access protected data. There are some unanswered questions about how the cryptosystem operates, including an undocumented key management decision. This decision could allow, in a particular usage scenario, unauthorized access to a protected volume.
You'll have to read the published article to get the whole story! |
|
|
| The BitLocker paper |
[Sep. 10th, 2008|08:33 am] |
In the most recent CyberSpeak podcast I was interviewed about several topics including my work with Microsoft's BitLocker Drive Encryption. It's a great interview and I highly recommend it. Here are three additional resources on BitLocker.
First, you can check out my slides from the Open Memory Forensics Workshop. These detail how to find BitLocker keys in memory images, along with my interpretation of "tool marks" in computer forensics.
Second, you can now read my paper about BitLocker's key management system. (The paper has been submitted to Digital Investigation and has not been published previously.) The paper documents how to use each kind of key to decrypt the protected data. It also covers some parts of the key management system which I don't know why Microsoft included. Even with those parts included, however, I do not think there are any backdoors in BitLocker. Here's the abstract:
This paper provides details necessary, given the correct keys, to access the protected data on volumes encrypted with Microsoft's BitLocker Drive Encryption. Although Microsoft published some of the BitLocker specifications there were details left out, particularly those regarding key management. Examples are given to demonstrate the cryptographic modes claimed. The author is not aware of any backdoors in the BitLocker system, meaning forensic examiners must obtain the necessary encryption keys to access a protected volume. There are, however, some unanswered questions about how the cryptosystem was designed and operates, including an undocumented key management decision.
Finally, the patient among you can wait for my presentation, "Practical Methods for Dealing with Full Disk Encryption" at the 2009 DoD Cyber Crime Conference. The conference will once again be held at the end of January in St. Louis, MO. Bring your mittens! |
|
|