I found some information that I thought could be interesting to share and hear theories about with skilled people. I was going throu a police investigation and found in the material that one of the suspects computers was protected with bitlocker. I also read the interrogations and do not find evidence for the suspect giving up his password. But cant take poison that did not happen. Anyway would be fun to see some speculations
The text have been translated.
"The harddisk is locked with bitlocker, but it boot up to the loginprompt
We need to get the password to be able to unlock the computer or the bitlock-key. It should be ddr3 memory."
------------
"The purpose is to decrypt data from the harddrive
The survey used a copy of the harddrive to boot the material. During startup, Windows announced that it was performing updates to the computer, with a red screen background.
When the image of the copy of the hard disk was compared with the image of the original hard disk, differences were found in which encryption keys were used for the BitLocker encryption on the hard disk.
It is unknown if the update was due to the use of a copy of the original hard disk, or if it was due to Windows having updates to install.
The fact that Windows changed the encryption keys does not affect the decrypted result material, the decrypted result material consists of data decrypted from the images on the original hard disk.
On the third partition on the image we find bit locker-encrypted filesystem
The encryption key for the encrypted file system was restored.
The encryption key was used to decrypt the file system on the third partition on the image."
__________
The police could also on a computer find conversations on the iphone-app Wire, throu the file "Iphone_chats/wire_iphone_chats/wire_app_messages.xlsx"
The text have been translated."The harddisk is locked with bitlocker, but it boot up to the loginprompt
We need to get the password to be able to unlock the computer or the bitlock-key. It should be ddr3 memory."
------------
"The purpose is to decrypt data from the harddrive
The survey used a copy of the harddrive to boot the material. During startup, Windows announced that it was performing updates to the computer, with a red screen background.
When the image of the copy of the hard disk was compared with the image of the original hard disk, differences were found in which encryption keys were used for the BitLocker encryption on the hard disk.
It is unknown if the update was due to the use of a copy of the original hard disk, or if it was due to Windows having updates to install.
The fact that Windows changed the encryption keys does not affect the decrypted result material, the decrypted result material consists of data decrypted from the images on the original hard disk.
On the third partition on the image we find bit locker-encrypted filesystem
The encryption key for the encrypted file system was restored.
The encryption key was used to decrypt the file system on the third partition on the image."
__________
The police could also on a computer find conversations on the iphone-app Wire, throu the file "Iphone_chats/wire_iphone_chats/wire_app_messages.xlsx"
