BitLocker experience

(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Thought I'd share a recent experience. I'm an internal corporate resource in a team of one (i.e. me). We had to get images of a number of Win7 Enterprise machines, some from "close by" and some from another continent. Corporate Policy protects Laptops with BitLocker but not Desktops.

I did the "close by" ones (mix of Laptop and Desktop). Due to time constraints I used WinFE to boot all machines, then got the Bitlocker ID using manage-bde and finally called our internal service desk who supplied the Recovery Password which is stored in MBAM. Then I created Logical images in FTK Imager Lite which is part of my WinFE config by mounting the BitLocker drive in read-only mode.

We used a vendor for the one in another continent, they did Physical acquisition in compressed E01 format and sent all the images to me on one 2TB drive.

The only way I know how to access a physical image taken from a BitLocker'd drive is to create a VHD and attach the VHD in Disk Management, so I
* Added the E01 image to FTK Imager
* Exported to DD format
* Converted from DD to VHD (VirtualBox "vboxmanage convertfromraw" command line)
* Attached the VHD in Disk Management which gives BitLocker ID
* Contact internal service desk to get the Recovery Password which is stored in MBAM

Along the way I discovered that the sector size on the 4TB drive I used to store the VHD files isn't supported by the "Attach VHD" operation, so I copied them onto lower capacity drives, which worked just fine thereafter.

And finally I decided to make a logical image in DD format on the 4TB drive of the VHD so that I would finally have everything in one place and not need BitLocker passwords!

All in all a LOT of lapsed time was involved - I'd be interested in any ideas on doing this quicker (other than briefing external vendors to do either Logical acquisitions of BitLocker'd drives or to use DD format if they insist on E01 format (can't think why they would though)).

I use FTK Imager (and Lite) on a Dell Precision and sometimes on an older Dell Latitude E6500, and occasionally use Tableau Image Manager, I have no duplicators.

Cheers

 
Posted : 20/04/2015 3:30 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

We used a vendor for the one in another continent, they did Physical acquisition in compressed E01 format and sent all the images to me on one 2TB drive.

Meant "ones".

 
Posted : 20/04/2015 3:35 pm
(@dacorr)
Posts: 8
Active Member
 

Would mounting the E01 in FTK Imager not have made that simpler?

Granted you would need to image the unencrypted logical drive.

I have also mounted physical drives via writeblocker and decrypted/imaged them that way.

I believe Encase can decrypt for you with the key, but the last time I had to look at BitLocker was 3 years ago.

Dac

 
Posted : 20/04/2015 3:54 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am not sure I understand what the question is (or questions are).

If you have a DD image (which by definition is a "whole disk" image or "fixed size") I doubt that there is a need to convert it to .VHD, as you can use (say) Arsenal Image Mounter
http://www.arsenalrecon.com/apps/image-mounter/
to mount it "as is" (BUT this driver also allows you to directly mount the .E01); in any case the difference between a DD and a "fixed" .vhd is a single sector (footer) appended, and there are several tools capable of doing the "conversion", namely it is one of the features of Clonedisk
http://labalec.fr/erwan/?page_id=42
but there is an as-simple-as-possible tool by Karyonix here
http://reboot.pro/topic/9715-firadisk-and-vhd-img-images/?p=83781

jaclaz

 
Posted : 20/04/2015 4:24 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Would mounting the E01 in FTK Imager not made that simpler?

Granted you would need to image the unencrypted logical drive.
Dac

Maybe I didn't make it clear. The source system was protected by BitLocker, and the third party used FTK Imager with the Physical Drive option in compressed E01 format (multiple segments) - so the image appears as "unrecognised filesystem" in FTKI. Mounting doesn't help; a prompt appears to format the mounted partition.

I am not sure I understand what the question is (or questions are).
jaclaz

Maybe I should have asked what methods people here use to access a physical image in compressed E01 format of a BitLocker'd Win7 system.
Even if what I had was a physical image in DD format of a BitLocker'd Win7 system (which is where I got to after the first conversion in my process), the Arsenal product doesn't seem to help as the drive appears in Disk Management as "Unallocated".
I haven't yet looked at the other options you mentioned, but they seem to refer to VHD conversions and that's not the area of difficulty.

BTW I know that if you add a physical image in compressed E01 format of a BitLocker'd system to FTK5 or similar, then FTK5 will display the 8-character BitLocker ID and prompt for the Recovery Password, and from there it appears you can export to a DD image, but on a day-to-day basis that's not feasible for me.

HTH

 
Posted : 20/04/2015 6:52 pm
(@dacorr)
Posts: 8
Active Member
 

Ah, ok

I had multiple issues in what you describe, in that there was a great amount of converting required and particularly as it came down to a skill set issue in other office locations, i.e. typical desktop support were not able to deal with imaging etc.

The solution I found was the simpler option, in that they shipped the hard drive to my Lab so I could image it myself, but I also had access to the recovery console in Active Directory and reduced the number of other departments that had to get involved in the chain.

The problem I found with this is that IT people did not necessarily know how to ship hard drives, so after detailed instructions that became the norm. There was additional cost as each asset had to maintain a few spare hard drives, and customs sometimes tried to charge tax on 'new computer' equipment purchases, but it worked.

Eventually the company moved to an enterprise level solution which imaged remotely.

Dac

 
Posted : 20/04/2015 7:05 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

So I guess the questions are
does anyone know of a way to mount (or add or whatever verb works) a physical image in E01 compressed format in such a way that the Windows filesystem is recognisable with no further processing?

OR

does anyone know of a way to convert directly from E01 to VHD?

Cheers

 
Posted : 20/04/2015 7:06 pm
(@paul206)
Posts: 70
Trusted Member
 

FTK 5.6 will decode bitlocker. Here is a quote from the current manual.

"If you have the proper credentials, you can decrypt Bitlocker encrypted partitions. You can decrypt the Bitlocker partitions from Windows Vista and Windows 7 computers. You can provide the unique credentials for multiple encrypted partitions. After you provide Bitlocker credentials, files in the encrypted partitions are decrypted while the evidence is processed."

1. Add evidence that has Bitlocker encryption to a case. If Bitlocker encryption is detected, you are prompted to enter credentials in the following dialog

2. Enter one of the following credentials:
Boot Key File
Recovery Password

3. If there are multiple partitions, a dialog will be displayed saying that the password for the first partition is valid, and that additional partitions remain encrypted.

4. Click OK and the credential dialog is again displayed for the next partition.
This sequence continues until you have entered the credentials for all encrypted partitions.

 
Posted : 21/04/2015 12:20 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So I guess the questions are
does anyone know of a way to mount (or add or whatever verb works) a physical image in E01 compressed format in such a way that the Windows filesystem is recognisable with no further processing?

OR

does anyone know of a way to convert directly from E01 to VHD?

Cheers

As said, the Arsenal Image Mounter driver does allow you to DIRECTLY mount a .E01 image, BUT you will need to check if it is capable of doing the same for a BDE (BitLocker) image (put another way, AIM uses LIBEWF but may not use LIBBDE; it is possible that this feature is not yet present).

It is NOT possible to "convert directly" from .E01 to .VHD, in the sense that a .E01 is a compressed image while the .VHD is a "fully expanded" one, so the conversion implies a decompression.

Since a (fixed size) VHD is EXACTLY THE SAME as a DD image (exception for a single sector appended) it takes (say) 1 1/2 hours to decompress the .E01 to DD and then between one and three milliseconds to convert the DD image to VHD, so while such a software may exist, it would not offer any practical advantage.

IMHO the only reason to prefer a .VHD over a DD image is that the .VHD is compatible with the Windows 7 and later "native" .VHD driver, but there are several third party drivers that can mount the DD image directly without adding the footer, so the only "really needed" reason to have a .VHD instead of a DD image would be its use in a VM that does not provide support for DD images; but anyway it is not a practical issue, as converting a (fixed size) .VHD image to a DD image or vice versa is almost instantaneous.

jaclaz

 
Posted : 21/04/2015 12:24 am
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Apologies, I omitted to state in the questions that E01 is encrypted.

Paul206 - yes, was aware of that already, suspect our posts crossed.

Jaclaz, I tried AIM with a BitLocker'd E01 but no joy - will PM you on that subject.

Cheers, thanks for your input everyone

 
Posted : 21/04/2015 1:51 pm
Page 1 / 3