When a case was at risk of No Further Action, CCL deployed its own Advanced BitLocker password recovery solution across three exhibits to find the evidence that would get things moving.
The investigating team passed over three exhibits: a Dell tower with three hard drives, a Dell laptop, and an external hard drive. A total of five encrypted forensic images were obtained from the three exhibits. The suspect refused to provide any type of password, so CCL was tasked with breaking the encryption; otherwise, the case was at risk of No Further Action.
With standard methods proving no match for the advanced security deployed across all exhibits, we gave the client the option of Advanced BitLocker password recovery: a highly sophisticated means of obtaining BitLocker recovery keys for encrypted PCs, laptops, etc., which has been developed in-house by our R&D specialists.
The CCL methodology was deployed on the tower PC and laptop, and two BitLocker recovery keys were successfully obtained, allowing us in turn to acquire two out of five decrypted forensic images. Our analysts, armed with the Recovery Key ID, then went through these two decrypted images and managed to find all the remaining BitLocker recovery keys. These were then used to decrypt the outstanding encrypted images.
CCL managed to decrypt all the images so that they could be passed for analysis to inform the investigation. This was achieved despite having no password or recovery key and a high level of security applied across the exhibits.
Without this sophisticated advanced extraction technique, there was a very real risk of the investigation being NFA’d. Given the early indications that there is indeed a case to answer, this has been a highly satisfying outcome.