I have recently created an e01 image of an encrypted drive, which had been wholly encrypted using Truecrypt by its owner. Why is it that, even though my image is a bit by bit copy, it cannot be opened using the Truecrypt password which I had in my possession? I resorted to opening the Truecrypt container and imaging the contents as a logical drive using FTK. Scratching my head and any advice would be welcomed.
Just to clarify my method, I mounted the e01 image using FTK Imager, I then mounted this in Truecrypt. I entered the correct password but Truecrypt would not accept it.
I think the way FTK Imager mounts is not akin to the way EnCase physical disk emulator mounts, so I suspect Truecrypt cannot actually see the mounted image as a physical drive. I believe FTKi is closer to a network share when it mounts, although for some applications they can access the drive as if it were physical. I have had similar problems when dealing with volume shadow copies where the mounted image would not behave as a physical disk.
I would suggest either using EnCase PDE or relaying the image to a hard drive and mounting (in Truecrypt) from there.
Be interested if anyone else has experienced this and any other suggestions for mounting without a dongle/EnCase?
Thanks 96hz for your reply. The Truecrypt mounted the image, that was firstly mounted as a drive with FTKi, with no problem. The result was that when I entered the password, Truecrypt displayed a message saying that either the password was incorrect or it may not be a Truecrypt file...
I'm guessing FTK isn't really handling the drive mount correctly because of the encryption. As you have the data I would clone it back to a physical hard drive, attach that to your computer (or in the original hardware) and see if you can access it then. Once you have access via TC and the password I would then create an independent physical/logical image whilst it is in the unencrypted state. Good luck.
I had a similar problem with a chat examination using Internet Evidence Finder.
I mounted the image with FTK but the Internet Evidence Finder software could not see the mounted drive.
I mounted the drive with EnCase and the Internet Evidence Finder software saw the drive and worked fine.
I assume that there is something different in the way that FTK and EnCase mount drives.
I have a parallel thread going for this amongst the Truecrypt community for anyone interested. http//
When you mount with TrueCrypt, in the window where you type the password go to "Mount Options" and choose "Use backup header embedded in volume if available" and see if it works for you.
Thanks Ecophobia, I think I tried this but maybe the best bet now the case is to run some trials in the lab. I'll report back when I have a solution. That's after my 2 weeks vacation of course :-)
There are some useful pointers that have landed today in the Truecrypt forum via the link in my last reply in this thread.