I've just got my hands on my first HD encrypted with BitLocker. I connected it to my workstation via a Tableau T35es, get prompted for Recovery Key, enter it, and I can browse the drive in Windows.
But when I add it as evidence in FTK Imager 3.1.0.1514, Partition 1 appears as "Unrecognised file system (HPFS/NTFS)".
I can see Partition 2 (300MB recovery partition).
Am I doing something wrong here? Can't I explore a BitLocker partition in FTKI even if I've entered the Recovery Key in Windows?
Seems like I can't triage as normal in FTK Imager and export files or Custom Image, and can't take full image.
I've already posted the same query on the AccessData forum today.
Assuming FTKI can't cope, what else (free) would allow me to do what I want, i.e. full readable image, triage, export files and/or custom image?
Cheers
Update. Adding as Logical works fine, I'm OK with that.
Just for fun, I tried adding the physical disk as evidence to an FTK full version and got prompted for BitLocker Encryption Credentials. I supplied the correct credentials and received the error message "Invalid BitLocker credentials for evidence".
Took this up with AD, they say:
"FTK supports decrypting BitLocker from Windows Vista. As FTK does not have a way to distinguish between BitLocker from Vista and BitLocker from 7, FTK still prompts you for keys. However, as Windows 7 BitLocker is not supported, FTK does not know how to handle the decryption and assumes your keys are incorrect."
HTH
Cults14, you scare me.
jhup, that doesn't sound good...
Assuming FTKI can't cope, what else (free) would allow me to do what I want i.e. full readable image, triage, export files and/or custom image
Revise your process. Don't start with the hard drive extracted from the system. Leave it in the system, boot and log into the system, then run FTK Imager from an external drive, performing a live acquisition and thoroughly documenting your process.
You can take the physical drive image (dd) of a BitLockered drive and mount it as a VHD using a bit of ingenuity. Once mounted, it will show up as a BitLockered drive, and prompt for the key. Thereafter you can access it as a regular drive, decrypt it, image it logically, search it, etc.
When I have to image in situ, I take the physical of a BitLockered drive every time instead of mucking with boot up, login, etc.
Search for 'dd image to VHD'.
Every BitLockered boot drive has a minimum of 2 partitions: one unencrypted boot, and one encrypted. Most 'full disk' encryption in my experience works this way.
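As an added example (not code from this thread, from AccessData or from any tool named here), a small Python triage script that walks the MBR of a raw dd image and reports, per partition, whether the volume boot sector carries the NTFS OEM ID or BitLocker's "-FVE-FS-" marker. That marker is what an imaging tool sees on the encrypted OS partition, which is why it shows up as an unrecognised file system beside the plain-NTFS recovery partition jhup describes. The two-partition layout built by build_sample_image() is constructed for the demonstration, not taken from a real disk.

```python
import io
import struct

SECTOR = 512
# OEM ID field of a volume boot sector (bytes 3..10). A BitLocker-protected
# volume carries "-FVE-FS-" here instead of "NTFS    ", so a tool keying on
# the OEM ID reports it as an unrecognised file system.
OEM_NTFS = b"NTFS    "
OEM_BITLOCKER = b"-FVE-FS-"

def parse_mbr(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used MBR table entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not an MBR disk")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            entries.append((ptype, start, count))
    return entries

def classify_boot_sector(bs: bytes) -> str:
    oem = bs[3:11]
    if oem == OEM_BITLOCKER:
        return "bitlocker"
    return "ntfs" if oem == OEM_NTFS else "unknown"

def triage_image(img) -> list:
    # Walk the MBR of a raw (dd) image and classify each partition's volume.
    img.seek(0)
    report = []
    for idx, (ptype, start, count) in enumerate(parse_mbr(img.read(SECTOR)), 1):
        img.seek(start * SECTOR)
        report.append({"partition": idx, "type": ptype, "start_lba": start,
                       "sectors": count, "volume": classify_boot_sector(img.read(SECTOR))})
    return report

def build_sample_image() -> io.BytesIO:
    # Constructed sample disk: partition 1 BitLocker, partition 2 a 300 MB NTFS volume.
    def entry(ptype, start, count):  # 16-byte MBR table entry, CHS fields zeroed
        return b"\x80" + b"\0" * 3 + bytes([ptype]) + b"\0" * 3 + struct.pack("<II", start, count)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x07, 2048, 6144)
    mbr[462:478] = entry(0x07, 8192, 614400)
    mbr[510:512] = b"\x55\xaa"
    img = io.BytesIO(); img.write(mbr)
    for start, oem in ((2048, OEM_BITLOCKER), (8192, OEM_NTFS)):
        bs = bytearray(SECTOR); bs[0:3] = b"\xeb\x52\x90"; bs[3:11] = oem; bs[510:512] = b"\x55\xaa"
        img.seek(start * SECTOR); img.write(bs)
    return img
```

Run triage_image() on an open dd file instead of the sample to get the same per-partition report for a real image; GPT-partitioned disks would need a GPT walker, which this script does not attempt.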
Excluding live forensics which doesn't apply when you start with a powered down system, a computer forensic examiner should always attempt to utilize a method that doesn't alter the drive such as what jhup recommends, before resorting to a boot live and image solution. There are some very limited exceptions, such as when you have an extremely limited window of access to the system. If you're strictly doing IR and not caring about the evidence implications, then stomp all over your system at will.
If I don't have a solution and have to boot to solve, I'll still take a full forensically sound image before booting, and I'll generally try to work the boot using a clone rather than the original drive. There are limited circumstances where this won't work such as systems where the drive and motherboard are secured as a pair, which I've seen a lot in video monitoring systems.
You can also boot to WinFE and image a bitlocked drive if you have the credentials.
FYI
Manage-bde -unlock E -recoverypassword 11111-222222-…….777777-888888 works just fine from WinFE Lite thumb drive
Where E is the drive to be imaged and 11111-222222-…….777777-888888 is the recovery key (48-character)
Cheers
Cults14,
I have successfully mounted, "suppressed"/unlocked BitLocker encrypted images and accessed file contents using Mount Image Pro v. 5.28 (1156) that could not be accessed using FTK Imager Lite.
I believe Mount Image Pro runs about $500 per license, but it has proven invaluable in many cases where FTK Imager Lite was not able to fully "mount" a forensic image (DD or otherwise).
For some reason, forensic images mounted by Mount Image Pro are more "robust" or complete than forensic images mounted by FTK Imager Lite. I do not have a quantitative explanation of the differences in mounted images between the two, but am guessing that Mount Image Pro perhaps more completely simulates an actual physical hard drive, thus allowing BitLocker encryption to be suppressed or turned off.
I am able to use FTK Imager Lite mounted images in conjunction with OSForensics' excellent tool just fine, assuming there is no BitLocker encryption in place.
Regards -