Anyone seen Encase not decrypt bitlocker with recovery pwd?

(@computerforensicsonline)
Posts: 14
Active Member
Topic starter
 

Has anyone seen Encase 7.x and 8.x not decrypt all the volumes on a BitLockered drive?

Just looked at two images, both ask for and accept the correct recovery password, but the operating system volume is showing as unallocated clusters on both images.

The header is there FVE-FS followed by the usual boot sector stuff, but usually all of the volumes are decrypted.

I mounted the volumes that I can't see using the physical disk emulator - Windows pops up and states it is Bitlockered, enter the key - great. But as these are from Windows 10 machines and I only have Windows 7 on my analysis machine, I can't decrypt them even with the correct key.

Going to set up a Windows 10 machine and see how I get on.

Images made with Cain and Guymager and FTK Imager 3.4, so it's not the disk images themselves that are snafoood.

Anyone seen this before? Did a quick search, but saw nothing.

 
Posted : 14/07/2017 6:45 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I have similar troubles on a workstation running Windows 7.

 
Posted : 14/07/2017 7:36 pm
(@computerforensicsonline)
Posts: 14
Active Member
Topic starter
 

So no dice even using Windows 10 and Encase.

But the disk emulator route works, Windows prompts for the recovery password and accepts it this time.

So I just added that drive into Encase and Bob's your uncle, I can image the logical partition I need to.

I assume Windows 7 is still devoid of the routines to handle the newer Bitlocker encryption.

Problem solved.

 
Posted : 14/07/2017 8:59 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Use Encase's physical disk emulator to mount the disk on a machine running a recent version of Windows 10. Let Windows 10 decrypt the volume. With later versions of Windows 10 they introduced a new XTS encryption scheme that neither Encase nor previous versions of Windows can decrypt.

 
Posted : 16/07/2017 12:21 am
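
Added example, not part of the thread or any poster's code: a Python triage of a raw (dd) image that locates the `-FVE-FS-` volume header mentioned above and reads the encryption method from the FVE metadata, so an XTS volume can be routed to a recent Windows 10 machine before time is spent elsewhere. The field offsets and method codes are assumptions taken from public BitLocker format notes (libbde), and the sample image is constructed.

```python
import struct

SECTOR = 512
SIG = b"-FVE-FS-"
# Encryption-method codes (assumption: values from public libbde format notes).
METHODS = {
    0x8000: "AES-CBC 128 + diffuser", 0x8001: "AES-CBC 256 + diffuser",
    0x8002: "AES-CBC 128", 0x8003: "AES-CBC 256",
    0x8004: "XTS-AES 128", 0x8005: "XTS-AES 256",
}

def triage(image):
    """Return (volume_header_offsets, {metadata_block_offset: method_name}).

    `image` is any bytes-like object, e.g. an mmap of a raw dd image."""
    headers, metadata = [], {}
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[off:off + SECTOR]
        if sector[3:11] == SIG:
            # Boot sector of a BitLocker volume: signature sits in the OEM ID.
            headers.append(off)
        elif sector[:8] == SIG:
            # FVE metadata block: 64-byte block header, then the metadata
            # header whose 32-bit encryption method is at +36 (assumed layout).
            (method,) = struct.unpack_from("<I", sector, 64 + 36)
            metadata[off] = METHODS.get(method & 0xFFFF,
                                        f"unknown 0x{method:04x}")
    return headers, metadata

def needs_xts_capable_tool(image):
    """True if any metadata block reports an XTS-AES method."""
    return any(m.startswith("XTS") for m in triage(image)[1].values())

def build_sample(method):
    """Constructed 8-sector image: one volume header, one metadata block."""
    img = bytearray(8 * SECTOR)
    vol, meta = 2 * SECTOR, 5 * SECTOR
    img[vol:vol + 3] = b"\xeb\x58\x90"          # jump instruction
    img[vol + 3:vol + 11] = SIG                 # OEM ID
    img[vol + 510:vol + 512] = b"\x55\xaa"      # boot sector signature
    img[meta:meta + 8] = SIG
    struct.pack_into("<I", img, meta + 64 + 36, method)
    return bytes(img)

if __name__ == "__main__":
    for code in (0x8000, 0x8004):
        hdrs, meta = triage(build_sample(code))
        print(hdrs, meta, "XTS:", needs_xts_capable_tool(build_sample(code)))
```

This reads raw images only; an E01 or other container has to be exposed as a raw stream first.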