No announcement yet.

BitLocker Encrypted Volume GUID Name and Creation Date

  • Filter
  • Time
  • Show
Clear All
new posts

  • BitLocker Encrypted Volume GUID Name and Creation Date

    OSForensics recently played a tremendous role in a case involving significant theft by a former employee.

    The former employee ("Sandy") returned their work laptop (a Lenovo Thinkpad Carbon X1) in a state such that if powered on, after POST, the laptop would immediately display a blue screen requiring the entry of a BitLocker recovery key; the laptop would not boot into Windows.

    We created a physical image of the laptop and then brought the resulting forensic image into OSForensics.

    OSForensics was able to identify the BitLocker encrypted volume's Volume GUID, Description and most critically the volume's Creation Date.

    The BitLocker encrypted volume's Creation Date was the morning the former employee shipped the laptop back to her former employer meaning the former employee had created a new volume on the laptop and encrypted it with BitLocker. Therefore, the former employee destroyed the laptop's contents by reformatting and encrypting the newly created volume.


    Where is the volume's Description information pulled from?

    In our case, the Description data was: SANDY-THINKPADX1 Windows 2022-06-03

    The date value appears to match the volume creation date minus a time stamp. Is this accurate or was this date value manually entered by the former employee?

    The "SANDY-THINKPADX1" appears to be the Window's Device Name unless the complete device name is actually "SANDY-THINKPADX1 Windows 2022-06-03"?

  • #2
    The data is coming from the "FVE Metadata Header"
    FVE = Full volume encryption.

    One of the fields in the header records the date and time Bitlocker was enabled. We assume Windows is accurately recording this, but haven't done any testing to prove it.

    If you Google, Bitlocker FVE Metadata Header, you can find a lot of additional details.