This script is designed to retrieve BitLocker recovery keys from the current Windows Active Directory domain and add them to the Passwords folder in the current case’s Secure Storage tab.

By default, all recovery keys will be processed albeit the examiner can use a condition to specify those that should be added to the current case.

The condition allows the examiner to test the following properties:

• Common name (will consist of a timestamp and the recovery GUID)
• Host name
• Distinguished name (will include the full LDAP path to the recovery key including the domain, organisational unit(s), hostname, and aforementioned common name)
• Volume GUID
• Recovery GUID

Volume and recovery GUIDs of the form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX must be surrounded by curly braces.

The examiner’s workstation must belong to the domain in question.

Furthermore, he/she must be logged-in with the credentials needed to access BitLocker recovery keys in Active Directory. Alternatively, suitable credentials must be provided via the script’s dialog.

Once the recovery keys have been retrieved, there is no reason why the case cannot be transferred to an off-network workstation.

As per the following article, the default LDAP policy limits a domain controller from returning more than 1,000 results:

• http://support.microsoft.com/kb/315071

In order to overcome this, the script will instruct the server to return the results as a sequence of one or more pages each one being no more that 100-records in size. This can be increased to a maximum of 999-records per page. Alternatively, paging can be disabled by setting the page-size to zero.

Please note that the Secure Storage tab may need to be closed and re-opened to see the newly added recovery keys.

The previous point notwithstanding, EnCase will use the recovery keys automatically once added.

Feedback is provided via the console window.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training