Acquiring Windows PCs

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research

In Belkasoft’s previous article, we talked about acquiring tablets running Windows 8 and 8.1. In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has its own share of surprises when it comes to acquisition.

The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect to an imaging device and collect evidence”. Sounds familiar? Well, in today’s connected world things do not work quite like that.

In this article, we will have a look at the measures the investigator has to take before taking the disk out, and even before pulling the plug, and review Windows security measures and how they can work in combination with the computer’s hardware.


Windows Security Model

In our previous article, we mentioned Windows RT as an exemplary platform with strict and thorough implementation of a straightforward security model, which made forensic acquisition of Windows RT devices difficult. Fortunately for us, in general, Windows PCs and laptops are not anywhere close to reaching that security level, relying instead on restricting physical access to computer hardware and locking user accounts with passwords. This, however, does not protect the actual data.

Locked bootloader? We do not see that often on Windows laptops, let alone desktop computers. Secure Boot? Disabled by default or easily deactivated from the computer’s UEFI BIOS. BitLocker encryption? Not if the computer’s motherboard lacks TPM support. NTFS encryption? Can be attacked offline by recovering (or breaking) the user’s account password.

So does that all mean one can follow the familiar pull-the-plug approach? Not quite. By powering down the device, you lose the content of the computer’s volatile memory, missing the chance to obtain valuable evidence – or even to access the disk at all, if encrypted volumes are present.

Windows 7, BitLocker and TPM (Trusted Platform Module)

While BitLocker is an essential part of the Windows security model, it has never been all that popular on Windows desktops, and is available on only a limited number of laptops. Why is it so?

Let us have a look at the Windows ecosystem, consisting today of Windows tablets, laptops and desktop PCs. As mentioned in our previous article, Windows tablets run either Windows RT or Windows 8/8.1. These tablets often include TPM (Trusted Platform Module) hardware, which is required for BitLocker to work. All Windows RT tablets and many mid-range and high-end Windows 8 devices such as Microsoft Surface Pro and Surface 3 are equipped with a TPM module and BitLocker, which activates automatically when the user logs in under their Microsoft Account credentials as an administrator.
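The checks described above (Secure Boot, TPM presence, BitLocker volume state and key protectors, EFS-encrypted files) are exactly what an examiner wants to know about a running machine before deciding whether pulling the plug is safe. The following pre-acquisition triage script is an added example written for this article's readers; it is not Belkasoft's code. It uses only built-in Windows tooling: the TrustedPlatformModule and BitLocker PowerShell modules (shipped with Windows 8 and later; on Windows 7 it falls back to `manage-bde`), `Confirm-SecureBootUEFI`, and `cipher /U /N`. The function name `Get-AcquisitionTriage` is our own, and the script must run from an elevated PowerShell session on the live system.

```powershell
# Added example: pre-acquisition triage of a live Windows PC.
# Run elevated, BEFORE powering the machine down, to learn which of the
# protections discussed in the article are active and would block offline
# access to the disk once volatile state (unlocked volumes, keys in RAM) is gone.
function Get-AcquisitionTriage {
    $report = [ordered]@{}

    # 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS systems,
    #    so an exception means "not a UEFI machine" rather than "disabled".
    try {
        $report['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $report['SecureBoot'] = 'Not supported (legacy BIOS or query unavailable)'
    }

    # 2. TPM. Transparent (TPM-only) BitLocker unlock needs this hardware;
    #    its absence is why many desktops never had BitLocker turned on.
    try {
        $tpm = Get-Tpm
        $report['TpmPresent'] = $tpm.TpmPresent
        $report['TpmReady']   = $tpm.TpmReady
    } catch {
        $report['TpmPresent'] = 'Unknown (Get-Tpm not available on this build)'
    }

    # 3. BitLocker. For every volume record the encryption state and the
    #    key-protector types (Tpm, RecoveryPassword, ExternalKey, ...).
    #    A FullyEncrypted volume is readable now only because it is unlocked;
    #    after shutdown it needs a recovery password or key file.
    $bitlocker = @()
    try {
        foreach ($vol in Get-BitLockerVolume) {
            $bitlocker += [pscustomobject]@{
                Mount            = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            }
        }
    } catch {
        # Windows 7 has no BitLocker PowerShell module; keep the raw tool output.
        $bitlocker = @(manage-bde -status 2>$null)
    }
    $report['BitLocker'] = $bitlocker

    # Volumes that will become inaccessible once power is cut.
    $report['EncryptedVolumes'] = @($bitlocker |
        Where-Object { $_ -is [pscustomobject] -and $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object { $_.Mount })

    # 4. EFS. "cipher /U /N" walks the local drives and lists NTFS-encrypted
    #    files without touching their keys; keep only the lines that are paths.
    $report['EfsEncryptedFiles'] = @(cipher /U /N 2>$null | Where-Object { $_ -match '^[A-Za-z]:\\' })

    return $report
}

# Usage: print the summary, then the per-volume BitLocker table.
$triage = Get-AcquisitionTriage
$triage | Format-List
$triage['BitLocker'] | Format-Table -AutoSize
```

If `EncryptedVolumes` is non-empty, or `EfsEncryptedFiles` lists anything, the pull-the-plug route will cost access to that data: the examiner should capture volatile memory and export the BitLocker recovery information (for example with `manage-bde -protectors -get <drive>`) while the system is still running, and only then proceed to imaging the disk.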
