Implementing BitLocker Drive Encryption for forensic analysis

This paper documents the BitLocker Drive Encryption system included with some versions of Microsoft's Windows Vista. In particular it describes the key management system, the algorithms and modes used, and the metadata format. Particular attention is given to methods forensic examiners can use to access protected data. There are some unanswered questions about how the cryptosystem operates, including an undocumented key management decision. This decision could allow, in a particular usage scenario, unauthorized access to a protected volume.