BitLocker is a popular full-disk encryption scheme employed in all versions of Windows (but not in every edition) since Windows Vista. BitLocker is used to protect stationary and removable volumes against outside attacks. Since Windows 8, BitLocker is activated by default on compatible devices if the administrative account logs in with Microsoft Account credentials. BitLocker protection is extremely robust, becoming a real roadblock for digital forensics.
Various forensic techniques exist allowing experts overcoming BitLocker protection. Capturing a memory dump of a computer while the encrypted volume is mounted is one of the most frequently used venues of attack. However, acquiring BitLocker-encrypted volumes may become significantly more difficult with the release of Windows 10 November Update. In this article, we’ll explore existing methods of recovering BitLocker volumes, look at what has changed with November Update, and review the remaining acquisition paths.