EnCase Bitlocker


Post Posted: Wed Feb 19, 2014 3:04 pm

Hello,

I am trying to image a hard drive with BitLocker enabled on it. I am using EnCase V7.07. The drive itself has Windows 7 Enterprise OS on it.

I have the BitLocker Recovery Key for the hard drive, but EnCase only imports BEK files.

Is there a way to create my own BEK file and throw in the Recovery key I have? I have tried Google and have had no luck finding an answer. Thank you.

jmrose
Newbie
 
 
  

Re: EnCase Bitlocker

Post Posted: Sat Feb 22, 2014 9:58 pm

You could slave through a write-blocker the target drive to a workstation. The workstation needs to have BitLocker enabled, and of course your preferred imaging tool. As soon as you attach the target drive, it will ask for the key and make it readily available for imaging.

You can image the encrypted drive and get a physical, then image the drive through the OS and get a logical.

Finally, take a copy of the physical encrypted image, convert it to VHD and decrypt it.

You will end up with three images, the physical encrypted, the physical decrypted and the logical decrypted. Your logical image is really just to prove that the decrypted physical is matching at logical file level.

Have fun.

jhup
Senior Member
 
 
  

Re: EnCase Bitlocker

Post Posted: Mon Feb 24, 2014 9:32 am

EnCase does support the use of the BitLocker Recovery Key.

When loading the piece of evidence you will be prompted to enter the BitLocker credentials.

In the dialog that pops up you have the option to provide the recovery key (which is the BEK) and a recovery password.

If you select "Recovery Password" that will allow you to enter the 48-character recovery key. Also select the correct "Password ID" (the one that matches the recovery key identification in the text file containing your recovery key).

Entering this material will allow EnCase to decrypt your BitLocker volume.  

hommy0
Member
 
 
  

Re: EnCase Bitlocker

Post Posted: Mon Feb 24, 2014 9:46 am

One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on a 32-bit platform.

vootz
Member
 
 
  

Re: EnCase Bitlocker

Post Posted: Mon Feb 24, 2014 10:13 am

I use EnCase 7.09.02 64-bit to decrypt BitLocker.

A very quick scan of the V7 manual and there are some references to 32-bit, namely relating to McAfee, SafeBoot, and WinMagic.

hommy0
Member
 
 
  

Re: EnCase Bitlocker

Post Posted: Mon Feb 24, 2014 10:38 am

Thanks Hommy0 - good to know!  

vootz
Member
 
 
  

Re: EnCase Bitlocker

Post Posted: Thu Feb 27, 2014 1:22 pm

I write-blocked the drive and EnCase prompted me for a BitLocker recovery key. EnCase did not take the key at first, because it had trailing white space. Thanks everyone for the suggestions and comments.

jmrose
Newbie
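
The trailing-white-space rejection reported above can be caught before the key is pasted into a tool. This is an added example, not part of any post in the thread and not EnCase code: it strips stray characters and checks the recovery password's block structure (8 blocks of 6 digits, each a multiple of 11 with a quotient that fits in 16 bits). The function name and the sample value are constructed for illustration.

```python
import re

GROUPS, GROUP_LEN = 8, 6  # 8 blocks of 6 digits = 48 digits

# Constructed sample value (not a real key): every block is a multiple of 11.
SAMPLE = "011000-135795-720885-000077-047531-244442-597531-366663"


def normalize_recovery_password(raw: str) -> str:
    """Return the canonical hyphenated form, or raise ValueError saying why."""
    # Drop all whitespace (spaces, tabs, CR/LF, NBSP) plus BOM and zero-width
    # space, which can survive copy/paste from a saved recovery key text file.
    cleaned = re.sub(r"[\s\ufeff\u200b]", "", raw)
    if not re.fullmatch(r"[0-9-]+", cleaned):
        raise ValueError("unexpected characters (only digits and hyphens allowed)")
    digits = cleaned.replace("-", "")
    if len(digits) != GROUPS * GROUP_LEN:
        raise ValueError(f"expected 48 digits, got {len(digits)}")
    blocks = [digits[i:i + GROUP_LEN] for i in range(0, len(digits), GROUP_LEN)]
    for number, block in enumerate(blocks, start=1):
        value = int(block)
        if value % 11:
            # Each block carries its own check, so a typo is localised.
            raise ValueError(f"block {number} ({block}) is not divisible by 11")
        if value // 11 > 0xFFFF:
            raise ValueError(f"block {number} ({block}) is out of range")
    return "-".join(blocks)


if __name__ == "__main__":
    # Constructed inputs: trailing CR/LF, a mistyped last digit, a missing block.
    for candidate in (SAMPLE + "  \r\n", SAMPLE[:-1] + "4", SAMPLE[:-7]):
        try:
            print("OK     ", normalize_recovery_password(candidate))
        except ValueError as err:
            print("REJECT ", err)
```

Record the normalized value in the case notes alongside the Password ID it was matched against, so the exact string that unlocked the volume is documented.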
 
 