±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 3 Overall: 36459
New Yesterday: 5 Visitors: 119

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Imaging Windows 10/Bitlocker/Dell7480 Problems

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 

Senior Member

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Aug 29, 17 11:58

- timtam
Here is the lsblk output:

I've imaged other Dell's 7450's, 7470's without any issue. Its this 7480 and M2 that doesn't seem to want to work.

I will order a DeLock or Gembird adapter and see if it works and post an update once they come in.

Thanks for the replies!

It seems that the drive is not detected by Linux, this issue would be hard to debug over the forum. But if the drive is recognized by BIOS, it would be possible to acquire the image using DOS or a custom GRUB image (this will be very slow, but no native drivers will be required, because all read requests are going to be served by BIOS). The "ls" command in the GRUB shell will show you a list of detected devices. After this, if you see an unencrypted boot partition on one of these devices (by typing something like "ls (hd0,msdos1)/"), it will be possible to acquire the image correctly. You can find GRUB in some of the live distributions (for example, it is available in grml, see the "Addons" section in its boot loader).  

Senior Member

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Aug 31, 17 18:46

Sorry for the late reply, but you're dealing with an NVMe drive, and you seem to be trying to connect it via a SATA adapter. There's no way that will work. Although the M.2 connectors are often keyed the same for SATA and NVMe SSDs, they are not compatible. NVMe and SATA are two completely different protocols. NVMe is also often referred to as PCIe since it is a direct connection to the PCIe bus and many vendors use the terms interchangeably.

You'll find adapters for Tableau products, the new Tableau TX1 supports NVMe natively as does the Tableau t356789iu, and the Forensic Falcon can connect via an adapter. I'm sure there are others, but they're all relatively new.


If you want to use a software product to create the image by booting the laptop with the drive installed, it will need to support NVMe drives. I haven't personally investigated which tools will work, but I'm sure something out there does.  


Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Sep 13, 17 00:11

Thanks all for the replies.
I went ahead and purchased the Tableau adapter and bridge:

I have 3 NVMe SSDs. 2 are Toshiba brand and 1 is Samsung.

When I connect the Samsung SSD, the bridge is able to read it and give me all the device info and so forth.

When I connect the two Toshiba SSDs, both show up as "not connected" on the bridge.

Any thoughts? An SSD issue or Tableau issue? (Costed ~ $600 so I hope not a Tableau issue!)
Has anyone had success with Toshiba NVMe SSDs?  


Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Sep 18, 17 21:21

After contacting the supplier for a firmware update, my device was finally able to read the Samsung NVMe SSD.

My follow up question is, has anyone successful decrypted a Windows 10 Bitlocker image (I imaged to E01) using the recovery key??

I know EnCase only supports up to Windows 7 Bitlocker. If you have a Windows 10 Bitlocker image, EnCase will recognize the drive and that it is Bitlocker but when you enter the Recovery Key, it loads the drives but it is no encrypted because it is not yet supported. (I don't know why it would even accept it and return you to the evidence screen if it doesn't work.)

I also have two separate Windows 10 w/ Bitlocker SSDs (not NVMe) and when plugged into my host (via a write blocker), my host picks it up and sees it and prompts for the Recovery Key. For both devices, it keeps telling me the key is wrong. I've double checked the identifier. I remember having issues with entering a recovery key on the host device itself and a Dell support guy told me there was some hardware+ssd combo type issue that prevents/allows decryption. Does this make sense to anyone familiar with Bitlocker, how it works with hardware and so forth?

The Dell support guy had no idea what i was referring to when I said 'forensic image' so they are of no help.  

Page 2 of 2
Page Previous  1, 2