This script is designed to retrieve BitLocker recovery keys from the current Windows Active Directory domain and add them to the Passwords folder in the current case’s Secure Storage tab.

By default, all recovery keys will be processed albeit the examiner can use a condition to specify those that should be added to the current case.

The condition allows the examiner to test the following properties:

• Common name (will consist of a timestamp and the recovery GUID)
• Host name
• Distinguished name (will include the full LDAP path to the recovery key including the domain, organisational unit(s), hostname, and aforementioned common name)
• Volume GUID
• Recovery GUID

Volume and recovery GUIDs of the form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX must be surrounded by curly braces.

Given that the script uses LDAP, the examiner’s workstation must belong to the domain in question. The examiner must also be logged into their workstation with the permissions needed to access BitLocker recovery keys. That said, there is no reason why the case cannot be transferred to an off-domain workstation once the account entries have been created.

As per the following article, the default LDAP policy limits a domain controller from returning more than 1,000 results:

• http://support.microsoft.com/kb/315071

In order to overcome this, the script will instruct the server to return the results as a sequence of one or more pages each one being no more that 100-records in size. This can be increased to a maximum of 999-records per page. Alternatively, paging can be disabled by setting the page-size to zero.

Please note that the Secure Storage tab may need to be closed and re-opened to see the newly added recovery keys.

The previous point notwithstanding, EnCase will use recovery keys automatically once added.

Feedback is provided via the console window.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training