Is there a way to forensically bypass BitLocker?

Dakota Sherman 0 Reputation points


I am doing Azure administration and some cybersecurity-related functions within my job currently. Without diving into the details of it, a user quit and held onto a company-owned Windows laptop for several months. Upon getting it back, that user had either swapped the SSD or reimaged the drive to be used for other purposes. While attempting to do forensics on the drive, I was running into BitLocker being an issue. The underlying issue is that we have all the key IDs and recovery keys in Entra, but this one did not match due to the previously mentioned issue with swapping or reimaging the drive.

Is there a way to:

  1. Bypass BitLocker (there isn't and shouldn't be, to my knowledge) to get a forensic image?
  2. Reimage the drive, remove BitLocker, and view the previous versions in the Volume Shadow Copies? Be it directly or using ShadowExplorer or something.
  3. Is there a way to prevent users from reimaging or restoring a drive without an administrator account?
  4. Is there a way to prevent the swapping of an HDD or SSD on a laptop within Azure? Like a way to link the serial number of the drive to the serial number of the device, so if a user attempts to swap the drive out, the device locks up.

I know that is a lot, but they are all interconnected. Please advise and thank you.


1 answer

Philippe Levesque 5,261 Reputation points MVP

  1. No.
  2. No either. The data is encrypted, so even if you can format the drive, the previous data is encrypted and there is no possibility to see it.
  3. You can limit local admin rights, but that doesn't prevent a user from swapping in a disk from another computer (it does prevent BitLocker removal or configuration changes to the OS, though).
  4. Yes and no. You need an OEM option for such a thing. I'm not affiliated with HP, but check HP's TamperLock option. It can prevent startup if tampering is detected. I'm not sure other OEM vendors have such an option. (ref)
    1. Keep in mind here that you would need to secure the BIOS too, to make sure the machine can't boot a temporary OS from flash memory / USB media (like a Linux OS on a key or WinPE). It's the most common way to bypass the local HDD nowadays.
    2. Keep in mind too that adding a new OS disk doesn't mean it's enrolled in the domain, so from a security perspective it's not a direct risk. The risk is more that the user uses a business asset for personal leisure. Such a need can arise in some businesses too. For example, a worker who travels a lot and doesn't want to bring a personal laptop along due to space restrictions; it's a useful way to use a business asset outside business hours without risking infecting business operations with personal use (like Netflix or anything else).
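The mismatch described in the question (a recovery Key ID on the device that no escrowed key in Entra matches) is only detectable if every recovery password on every managed volume was escrowed in the first place. The script below is an added example, not from the question or the answer, that audits the OS volume's BitLocker protectors and escrows any recovery password to Entra ID using the built-in BitLocker module. It assumes Windows 10/11, an Entra-joined device, and an elevated PowerShell session; `Get-BitLockerAudit` and `Backup-RecoveryKeysToEntra` are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker protectors on the OS volume and escrow recovery
# passwords to Entra ID, so the Key ID shown on the recovery screen can later be
# matched against the tenant's record. Function names are this example's own.
Import-Module BitLocker

function Get-BitLockerAudit {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
        TpmProtector     = ($tpm.Count -gt 0)      # disk is bound to this machine's TPM
        RecoveryKeyIds   = $recovery.KeyProtectorId # GUIDs; the recovery screen shows the first 8 chars
    }
}

function Backup-RecoveryKeysToEntra {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        # Escrow each recovery password under its own Key ID; Entra stores them per device.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Host "Escrowed recovery key $($kp.KeyProtectorId) for $MountPoint to Entra ID"
    }
}

$audit = Get-BitLockerAudit
$audit | Format-List

if ($audit.ProtectionStatus -ne 'On' -or -not $audit.TpmProtector) {
    # A volume without an active TPM protector is not tied to this chassis at all,
    # so a swapped or re-imaged disk would never surface as a Key ID mismatch.
    Write-Warning "OS volume is not TPM-protected with protection On; fix this before relying on Entra recovery keys."
}
if (-not $audit.RecoveryKeyIds) {
    Write-Warning "No recovery password protector present; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) before escrowing."
}
Backup-RecoveryKeysToEntra
```

Run this as part of device onboarding or compliance checks; an investigator can then compare the 8-character Key ID from the recovery screen against the escrowed GUIDs for that device in Entra, and a Key ID with no match is itself evidence that the disk or OS installation is not the one the tenant issued.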