Open Access  Subscription or Fee Access

Microsoft’s Bit locker tool has made the job of forensic analysts tougher. It’s full disk encryption feature enables users to encrypt their data. When operated in USB key mode, bit locker generates an external key file called .bek file[1]. This file must be needed for an investigator to unlock and decrypt any encrypted drive. If the investigator fails to obtain this .bek file, he cannot unlock the encrypted media and cannot proceed with the further analysis. In this paper we propose a solution to this problem which aims at reconstruction of a .bek file. We observe the metadata sector of the encrypted drive. The metadata sector gives information about the .bek file name. This can be used to reconstruct a file. This reconstructed .bek file can be used to unlock an encrypted media and proceed with further forensic analysis.

Bitlocker[4], .bek File[4], metadata[1], USB Key Mode[4].

Implementing Bitlocker drive encryption for forensic analysis by jesse kornblum, jesse.kornblum@mantechinternational.com,

Bitlocker design guide, published by Microsoft corporation, http://technet.microsoft.com

Nitin kumar and Vipin kumar, windows vista and bitlocker , May 2009, http://nvlabs.in

Bitlocker glossary by Microsoft corporation published 2006, http://technet.microsoft.com

Neils fergussion, AES-CBC+ Elephant diffuser, a disk encryption algorithm for Windows Vista, technical report. Microsoft corporation, 2006.

Trusted platform based security on notebook PCs, by sandeep bajikar, INTEL corporation, 2002.

D. Whiting, R. Housley, and N. Ferguson. Counter with CBC-MAC (CCM). RFC 3610 (In-formational), September 2003.