How to copy files without being traced?

[automotivesharekb]

Hello all,

Just want to know how can we copy files from one computer without being traced? Win7 with bitlocker - so no usb boot possible.
If we create a temp server on target computer and then access it from other computer - will it be traced?
Ex: Python's inbuilt server script

What are your views?

[bobcat1]

Hi
Use HTML email server like gmail
open new email & attache a file - don't send it, save the email (in gmail sever)
on the other side reopen the email and down load the file
(only work 's if you have internet access on the local machine)

All the best

Bobi

[automotivesharekb]

Thank you Bobi,

But the data is huge and email is not option...

[SB7]

Small possibility ..If you have bitlocker user password , and are not running TPM ( highly unlikely) you could try dislocker on a boot USB . It should decrypt the drive into a virtual NFTS volume.
If you are running Bitlocker/TPM then I'm afraid to use dislocker you would need the Bitlocker recovery password. 
In my younger days I got the IT guy to cough up the AD recovery password because I "needed" to run system restore...and of course I needed to disable bitlocker for that :-)

Depending on your setup , IMHO I'm afraid you don't have too many options.

[optikon]

Hello all,

Just want to know how can we copy files from one computer without being traced? Win7 with bitlocker - so no usb boot possible.
If we create a temp server on target computer and then access it from other computer - will it be traced?
Ex: Python's inbuilt server script

What are your views?

If I recall, bitlocker protection has been cracked, decryption software available. Does that help?

[fpgaguy]

couple things you can try

1/ transfer over serial port via xmodem/zmodem, etc

2/ If you don't have physical access but have video access you can use something called paperback which puts up a ecc'd bitmap on the screen (think large QR code) - you will need to be able to install a binary and make some modifications to it - then take 1000's of screenshots or record video and postprocess
(see ollydbg.de/Paperbak/index.html) - similarly you cant print that copy if possible.

3/ install a VM with vmware which will likely allow you to mount a USB image

4/ add another system to the network with an email server that accepts large files, and point your email client there

there's always a method

[automotivesharekb]

Small possibility ..If you have bitlocker user password , and are not running TPM ( highly unlikely) you could try dislocker on a boot USB . It should decrypt the drive into a virtual NFTS volume.
If you are running Bitlocker/TPM then I'm afraid to use dislocker you would need the Bitlocker recovery password. 
In my younger days I got the IT guy to cough up the AD recovery password because I "needed" to run system restore...and of course I needed to disable bitlocker for that :-)

Depending on your setup , IMHO I'm afraid you don't have too many options.

Thank you SB7

I have heard about dislocker but not yet tried. I could not find the direct bootable USB with dislocker. Do you have some leads?

Posted on: July 11, 2017, 07:53:50 19:53 - Automerged

couple things you can try

1/ transfer over serial port via xmodem/zmodem, etc

2/ If you don't have physical access but have video access you can use something called paperback which puts up a ecc'd bitmap on the screen (think large QR code) - you will need to be able to install a binary and make some modifications to it - then take 1000's of screenshots or record video and postprocess
(see ollydbg.de/Paperbak/index.html) - similarly you cant print that copy if possible.

3/ install a VM with vmware which will likely allow you to mount a USB image

4/ add another system to the network with an email server that accepts large files, and point your email client there

there's always a method

hello fpgaguy,

Thank you for the paperback idea... I am having doubt of these methods, it might be easily traced.

Posted on: July 11, 2017, 07:55:00 19:55 - Automerged

If I recall, bitlocker protection has been cracked, decryption software available. Does that help?

Dear optikon, thank you for the reply. I have heard about it but not sure where to get the actual software. I googled for few, but most of them needs the harddisk to be removed from original machine and use it in other machine. If any bootable solution exists with USB or net boot - will be useful.

[SB7]

auto...  one the best forensic linux disks is caine live USB>CD, it has dislocker complied and built in , along with tons of other excellent tools.
Cracking bitlocker usually requires a memory dump or hib file, ( unless brute forcing , which really isn't an option.. as it's normally AES-XTS ( CBC)  with diffuser etc) )  which would normally require file/application installation or at least copying , all of which would be logged.. hence why a forensic approach , on an unmounted OS is advisable.
On our global enterprise , everything a user does is logged.. and I mean everything ...Being a "backup IT guy" allows me to see , in real time everything a user does without their knowledge ( as they consented the minute they joined us... All hardware activity, every file accessed and when, all the way web traffic ,including SSL decryption, behavioral monitoring tools that can correlate seeming unrelated events across the enterprise.   ...If people only knew .. 
Step lightly as you might never know just what is being tracked.

[SB7]

Ok, after a few experiments, it is quite simple ... if you have the recovery key.
Couple of ways to do this.. Linux based and Winblows way.

As previously mentioned, boot to "caine" and use ddrescue-gui to create full drive image.
Decrypt using dislocker ( mount loop) and you will have an exact copy of your target drive.
Instructions for how to use dislocker with recovery key are only a google away.
As for not changing the boot order in BIOS/UEFI.. as that would be logged... ( as you discovered).. unless your IT department is really on the ball, most if not all PC's will still retain the "one time boot" option that will allow you to select a different boot device .. on my HP Z-book it's the "esc" , for my Dell 4800 it's the F12 key.  Most IT dept's will not disable the "one time boot" as that would prevent them from at least attempting to recovery the data should the system fail to boot .

However, one does not need to use dislocker ( and it's command line based so it can be tricky for some.  
A far easier solution would be to mount the image on a windows machine using "Arsenal Image Mounter" . Winblows will recognize it's a Bitlocker drive and prompt you to enter the recovery password. Enter it and you now have decrypted copy of your target drive. Invoke the bitlocker management tools and you can permanently disable bitlocker on that drive/image .

If you have issues using "caine" & ddrescue-gui to make dd image, you can always use OSFClone ( make a boot usb) and allow ti to make a "dd" format image.  It's child's play.
I have tested both methods ..

While the dd image can take a number of hours to complete ( dependent on drive size of course) , it is a forensically prudent approach that leaves no traces ( that I can see) and gives you a duplicate of your target drive for to play around with ,for as long as you need to, with no risk to the original.

So... (Linux) ddrescue-gui + dislocker  or   Winblows OSFClone( linux "Tiny" USB) + Arsenal Image Mounter + Winblows Bitlocker Tools.  ( The nice things about uisng Winblows tools is that it shoudl also work for Win10 ( which upgraded bitlocker encryption.. not sure dislocker works on Wn10)