Notifications
Clear all

EnCase Bitlocker

9 Posts
5 Users
0 Likes
5,896 Views
(@jmrose)
Posts: 5
Active Member
Topic starter
 

Hello,

I am trying to image a hard drive with bitlocker enabled on it. I am using EnCase V7.07. The drive itself has Windows 7 Enterprise OS on it.

I have the Bitlocker Recovery Key for the hard drive, but EnCase only imports BEK files.

Is there a way to create my own BEK file and throw in the Recovery key I have? I have tried google and have had no luck finding an answer. Thank you.

 
Posted : 20/02/2014 2:04 am
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

You could slave through a write-blocker the target drive to a workstation. The workstation needs to have BitLocker enabled, and of course your preferred imaging tool. As soon as you attach the target drive, it will ask for the key and make it readily available for imaging.

You can image the encrypted drive and get a physical, then image the drive through the OS and get a logical.

Finally, take a copy of the physical encrypted image, convert it to VHD and decrypt it.

You will end up with three images, the physical encrypted, the physical decrypted and the logical decrypted. Your logical image is really just to prove that the decrypted physical is matching at logical file level.

Have fun. mrgreen

 
Posted : 23/02/2014 8:58 am
(@hommy0)
Posts: 98
Trusted Member
 

EnCase does support the use of the BitLocker Recovery Key.

When loading the piece of evidence you will be prompted to enter the BitLocker credentials.

In the dialog that pops up you have the option to provide the recovery key (which is the BEK) and a recovery password.

If you select "Recovery Password" that will allow you to enter the 48 character recovery key. Also select the correct "Password ID" (the one that matches the recovery key identification in the text file containing your recovery key)

Entering this material will allow EnCase to decrypt your BitLocker volume.

 
Posted : 24/02/2014 8:32 pm
(@vootz)
Posts: 27
Eminent Member
 

One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on 32-bit platform.

 
Posted : 24/02/2014 8:46 pm
(@hommy0)
Posts: 98
Trusted Member
 

I use EnCase 7.09.02 64Bit to decrypt BitLocker.

A very quick scan of the V7 manual and there are some references to 32 Bit, namely relating to MacAfee, SafeBoot, and WinMagic

 
Posted : 24/02/2014 9:13 pm
(@vootz)
Posts: 27
Eminent Member
 

Thanks Hommy0 - good to know!

 
Posted : 24/02/2014 9:38 pm
(@jmrose)
Posts: 5
Active Member
Topic starter
 

I write blocked the drive and EnCase prompted me for a Bitlocker recovery key. EnCase did not take the key at first, because it had trailing white space. Thanks everyone for the suggestions and comments.

 
Posted : 28/02/2014 12:22 am
Armycop
(@armycop)
Posts: 3
New Member
 

One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on 32-bit platform.

This isn't true; I've been running Encase 64-bit since v7.01 and successfully decrypted Bitlocker'd hard drives. Currently running Encase v7.08.1 on my 64bit workstation, with success.

 
Posted : 05/03/2014 12:14 am
(@vootz)
Posts: 27
Eminent Member
 

Thanks. This is still the case for MacAfee, SafeBoot, and WinMagic, and some other encryption. Others have verified it is not the case for BitLocker.

 
Posted : 05/03/2014 1:05 am
Share: