FTK Imager and Win7 BitLocker

(@cults14)
Posts: 367
Reputable Member
Topic starter

I've just got my hands on my first HD encrypted with BitLocker. I connected it to my workstation via a Tableau T35es, get prompted for Recovery Key, enter it, and I can browse the drive in Windows.

But when I Add it as Evidence in FTK Imager 3.1.0.1514, Partition 1 appears as "Unrecognised file system (HPFS/NTFS)".
I can see Partition 2 (300MB recovery partition).

Am I doing something wrong here? Can't I explore a BitLocker partition in FTKI even if I've entered the Recovery Key in Windows?

Seems like I can't triage as normal in FTK Imager and export files or Custom Image, and can't take full image.

I've already posted the same query on the AccessData forum today.

Assuming FTKI can't cope, what else (free) would allow me to do what I want, i.e. full readable image, triage, export files and/or custom image?

Cheers

Posted : 15/06/2012 7:33 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter

Update. Adding as Logical works fine, I'm OK with that.

Just for fun, I tried adding the physical disk as evidence to an FTK full version and got prompted for BitLocker Encryption Credentials. I supplied the correct credentials and received the error message "Invalid BitLocker credentials for evidence".

Took this up with AD, they say:
"FTK supports decrypting BitLocker from Windows Vista. As FTK does not have a way to distinguish between BitLocker from Vista and BitLocker from 7, FTK still prompts you for keys. However, as Windows 7 BitLocker is not supported, FTK does not know how to handle the decryption and assumes your keys are incorrect."

HTH

Posted : 22/06/2012 3:23 pm
jhup (@jhup)
Posts: 1442
Noble Member


Cults14, you scare me.

Posted : 22/06/2012 6:58 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter

jhup, that doesn't sound good…

Posted : 22/06/2012 6:59 pm
keydet89 (@keydet89)
Posts: 3568
Famed Member

Assuming FTKI can't cope, what else (free) would allow me to do what I want i.e. full readable image, triage, export files and/or custom image

Revise your process. Don't start with the hard drive extracted from the system… leave it in the system, boot & log into the system, then run FTK Imager from an external drive, performing a live acquisition and thoroughly documenting your process.

Posted : 22/06/2012 11:14 pm
jhup (@jhup)
Posts: 1442
Noble Member


You can take the physical drive image (dd) of a BitLockered drive and mount it as a VHD using a bit of ingenuity. Once mounted, it will show up as a BitLockered drive, and prompt for the key. Thereafter you can access it as a regular drive, decrypt it, image it logically, search it, etc.

When I have to image in situ, I take the physical of a BitLockered drive every time instead of mucking with boot up, login, etc.

Search for 'dd image to VHD'.

Every BitLockered boot drive has a minimum of 2 partitions: one unencrypted boot, and one encrypted. Most 'full disk' encryption in my experience works this way.

Posted : 24/06/2012 4:50 am
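The "dd image to VHD" trick jhup describes, as an added example that is not jhup's tool or anything posted in this thread: a fixed-size VHD is nothing more than the raw sector data followed by a 512-byte footer, so a dd image of the whole physical disk becomes attachable through Disk Management's "Attach VHD" once that footer is appended to a copy of the image. The original image is never modified, so its acquisition hash still verifies; once attached, Windows sees the encrypted volume and prompts for the recovery key as jhup says. The footer layout follows the published VHD format; the creator tag `dd2v`, the 64 MiB size used in the checks and the file names are constructed for the example.

```python
"""Append a fixed-disk VHD footer to a copy of a raw (dd) disk image.

Added example for this thread, not a tool from the original posts. Fixed VHD =
raw sector data + 512-byte footer, so conversion is copy, pad to a sector
boundary, append footer. Field layout is the published VHD footer format.
"""
import struct
import sys
import time
import uuid

SECTOR = 512
FOOTER_SIZE = 512
VHD_EPOCH = 946684800  # 2000-01-01T00:00:00Z, the epoch VHD timestamps count from
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"  # big-endian, 512 bytes in total


def vhd_geometry(size_bytes):
    """CHS geometry (cylinders, heads, sectors/track) per the VHD specification."""
    total = min(size_bytes // SECTOR, 65535 * 16 * 255)
    if total >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total // spt
    else:
        spt = 17
        cth = total // spt
        heads = max((cth + 1023) // 1024, 4)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total // spt
    return cth // heads, heads, spt


def vhd_checksum(footer):
    """One's complement of the byte sum, taken with the checksum field (bytes 64-67) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def make_footer(size_bytes, disk_id=None, timestamp=None):
    """Build the footer for a fixed disk of size_bytes; disk_id is 16 raw bytes if given."""
    if size_bytes % SECTOR:
        raise ValueError("image size must be a multiple of 512 bytes; pad it first")
    cyl, heads, spt = vhd_geometry(size_bytes)
    ts = int(time.time()) - VHD_EPOCH if timestamp is None else timestamp
    footer = struct.pack(
        FOOTER_FMT,
        b"conectix",                        # cookie
        0x00000002,                         # features: reserved bit that is always set
        0x00010000,                         # file format version 1.0
        0xFFFFFFFFFFFFFFFF,                 # data offset: none for a fixed disk
        ts,                                 # timestamp
        b"dd2v",                            # creator application tag (constructed)
        0x00010000,                         # creator version
        b"Wi2k",                            # creator host OS: Windows
        size_bytes,                         # original size
        size_bytes,                         # current size
        cyl, heads, spt,                    # disk geometry
        2,                                  # disk type 2 = fixed
        0,                                  # checksum, filled in below
        disk_id if disk_id is not None else uuid.uuid4().bytes,
        0,                                  # saved state
        b"\x00" * 427,                      # reserved
    )
    return footer[:64] + struct.pack(">I", vhd_checksum(footer)) + footer[68:]


def parse_footer(footer):
    """Decode the fields a practitioner would sanity-check and verify the checksum."""
    f = struct.unpack(FOOTER_FMT, footer)
    return {
        "cookie": f[0],
        "current_size": f[9],
        "geometry": (f[10], f[11], f[12]),
        "disk_type": f[13],
        "checksum": f[14],
        "checksum_ok": f[14] == vhd_checksum(footer),
    }


def raw_to_vhd(src, dst):
    """Copy src to dst, pad to a sector boundary, append the footer; return the VHD size."""
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(1 << 20)
            if not chunk:
                break
            fout.write(chunk)
            size += len(chunk)
        pad = (-size) % SECTOR
        if pad:
            fout.write(b"\x00" * pad)
            size += pad
        fout.write(make_footer(size))
    return size + FOOTER_SIZE


if __name__ == "__main__":
    # usage: python dd2vhd.py evidence_copy.dd evidence_copy.vhd (file names constructed)
    print(raw_to_vhd(sys.argv[1], sys.argv[2]), "bytes written")
```

Run it against a working copy of the dd image, then attach the resulting `.vhd` in Disk Management (Windows 7 or later). Because the footer lives after the last sector of the original data, the attached disk presents the same partition table and both partitions jhup mentions; the unencrypted boot partition mounts normally and the BitLocker volume shows as locked until the recovery key is supplied.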
(@patrick4n6)
Posts: 650
Honorable Member

Excluding live forensics, which doesn't apply when you start with a powered down system, a computer forensic examiner should always attempt to utilize a method that doesn't alter the drive, such as what jhup recommends, before resorting to a boot live and image solution. There are some very limited exceptions, such as when you have an extremely limited window of access to the system. If you're strictly doing IR and not caring about the evidence implications, then stomp all over your system at will.

If I don't have a solution and have to boot to solve, I'll still take a full forensically sound image before booting, and I'll generally try to work the boot using a clone rather than the original drive. There are limited circumstances where this won't work, such as systems where the drive and motherboard are secured as a pair, which I've seen a lot in video monitoring systems.

Posted : 24/06/2012 8:48 am
bshavers (@bshavers)
Posts: 210
Estimable Member

You can also boot to WinFE and image a bitlocked drive if you have the credentials.

Posted : 02/07/2012 4:48 am
(@cults14)
Posts: 367
Reputable Member
Topic starter

FYI

manage-bde -unlock E: -recoverypassword 11111-222222-…….777777-888888 works just fine from a WinFE Lite thumb drive

Where E: is the drive to be imaged and 11111-222222-…….777777-888888 is the recovery key (48 characters)

Cheers

Posted : 22/11/2013 8:10 pm
UnallocatedClusters (@unallocatedclusters)
Posts: 577
Honorable Member

Cults14,

I have successfully mounted and "suppressed"/unlocked Bitlocker encrypted images and accessed file contents using Mount Image Pro v. 5.28 (1156) that could not be accessed using FTK Imager Lite.

I believe Mount Image Pro runs about $500 per license, but it has proven invaluable in many cases where FTK Imager Lite was not able to fully "mount" a forensic image (DD or otherwise).

For some reason, forensic images mounted by Mount Image Pro are more "robust" or complete than forensic images mounted by FTK Imager Lite. I do not have a quantitative explanation of the differences in mounted images between the two, but am guessing that Mount Image Pro perhaps more completely simulates an actual physical hard drive, thus allowing Bitlocker encryption to be suppressed or turned off.

I am able to use FTK Imager Lite mounted images in conjunction with OSForensics' excellent tool just fine assuming there is no Bitlocker encryption in place.

Regards -

Posted : 23/11/2013 1:30 am