From the course: Incident Response: Evidence Collection in Windows
Determining if BitLocker is running
- [Instructor] When you're out in the field and trying to collect evidence from a Windows machine, and it's anything newer than Windows XP, you have to be worried about BitLocker. If BitLocker is enabled, that is going to be changing the way you're going to have to do your evidence collection. As I mentioned before, if BitLocker is enabled, you're going to have to take a logical image of that hard drive before you shut it down, because if you don't have the password or the key, you're not going to be able to access the files on that hard drive once the system is shut down. So, to be able to determine if BitLocker is running, you simply need to open up an administrative command prompt. So open up a command prompt by right-clicking on Command Prompt and going to Run as admin. Then say yes, and from the prompt we are going to type in the command `manage-bde -status`. Now, once you hit enter…
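The check described in the transcript, as an added example that is not part of the course material: a PowerShell function that turns `manage-bde -status` text into one record per volume and marks the volumes to image logically before shutdown. The function name `ConvertFrom-ManageBdeStatus` and the `ImageBeforeShutdown` property are hypothetical, the sample output is constructed, and English-language tool output is assumed.

```powershell
# Added example, not course material. Assumes English-language manage-bde output.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(\S+)') {
            # Start of a volume section, e.g. "Volume C: [OSDisk]"
            if ($null -ne $current) { $volumes += [pscustomobject]$current }
            $current = [ordered]@{ Volume = $Matches[1] }
        }
        elseif ($null -ne $current -and $line -match '^\s+([^:]+):\s+(\S.*)$') {
            # Indented "Name:    value" pair; spaces are stripped from the name
            $current[($Matches[1] -replace '\s', '')] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $volumes += [pscustomobject]$current }
    foreach ($v in $volumes) {
        # Conservative rule (assumption): any volume that is not fully
        # decrypted is imaged logically while the system is still running.
        $live = $v.ConversionStatus -ne 'Fully Decrypted'
        $v | Add-Member -NotePropertyName ImageBeforeShutdown -NotePropertyValue $live
    }
    $volumes
}

# Constructed sample output (illustrative values, not from a real system)
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked

Volume D: [Data]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
'@ -split "`r?`n"

ConvertFrom-ManageBdeStatus -Lines $sample |
    Select-Object Volume, ConversionStatus, ProtectionStatus, LockStatus, ImageBeforeShutdown
# On a live system (elevated): ConvertFrom-ManageBdeStatus -Lines (manage-bde -status)
```

Redirecting the raw `manage-bde -status` output to external collection media alongside the parsed result keeps the original tool output in the case notes.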