Imaging Windows 10/Bitlocker/Dell7480 Problems


Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Posted: Tue Aug 29, 2017 5:58 am

- timtam
Here is the lsblk output:

I've imaged other Dell 7450s and 7470s without any issue. It's this 7480 and M.2 that doesn't seem to want to work.

I will order a DeLock or Gembird adapter and see if it works and post an update once they come in.

Thanks for the replies!


It seems that the drive is not detected by Linux; this issue would be hard to debug over the forum. But if the drive is recognized by BIOS, it would be possible to acquire the image using DOS or a custom GRUB image (this will be very slow, but no native drivers will be required, because all read requests are going to be served by BIOS). The "ls" command in the GRUB shell will show you a list of detected devices. After this, if you see an unencrypted boot partition on one of these devices (by typing something like "ls (hd0,msdos1)/"), it will be possible to acquire the image correctly. You can find GRUB in some of the live distributions (for example, it is available in grml, see the "Addons" section in its boot loader).

thefuf
Senior Member
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Posted: Thu Aug 31, 2017 12:46 pm

Sorry for the late reply, but you're dealing with an NVMe drive, and you seem to be trying to connect it via a SATA adapter. There's no way that will work. Although the M.2 connectors are often keyed the same for SATA and NVMe SSDs, they are not compatible. NVMe and SATA are two completely different protocols. NVMe is also often referred to as PCIe since it is a direct connection to the PCIe bus and many vendors use the terms interchangeably.

You'll find adapters for Tableau products; the new Tableau TX1 supports NVMe natively, as does the Tableau t356789iu, and the Forensic Falcon can connect via an adapter. I'm sure there are others, but they're all relatively new.

www.guidancesoftware.c...are/tda7-2
www.guidancesoftware.c...rdware/tx1
www.guidancesoftware.c.../t356789iu
www.logicube.com/shop/...16fd43adaa

If you want to use a software product to create the image by booting the laptop with the drive installed, it will need to support NVMe drives. I haven't personally investigated which tools will work, but I'm sure something out there does.  

Bulldawg
Senior Member
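
An added example, not part of any post in this thread: a sysfs check an examiner could run from a live Linux environment to tell apart "no NVMe controller visible", "controller present but no driver bound" and "driver bound but no namespace exposed" before blaming an adapter. The function name, status strings and the idea of passing the sysfs root as a parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify why an M.2 SSD may be missing from lsblk, using sysfs.
# The sysfs root is a parameter so the logic can be run on a constructed tree.

# PCI class codes (base/sub/prog-if): 0x010802 = NVM Express, 0x0106xx = SATA.
nvme_status() {
    sys="${1:-/sys}"
    found=0; bound=0; ns=0; sata=0
    for dev in "$sys"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        class=$(cat "$dev/class")
        case "$class" in
            0x010802)
                found=$((found + 1))
                # A "driver" entry means a kernel driver has claimed the device.
                if [ -e "$dev/driver" ]; then bound=$((bound + 1)); fi
                ;;
            0x0106*)
                sata=$((sata + 1))
                ;;
        esac
    done
    # NVMe namespaces show up as block devices named nvme<ctrl>n<ns>.
    for blk in "$sys"/block/nvme*n*; do
        if [ -e "$blk" ]; then ns=$((ns + 1)); fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no-nvme-controller sata_controllers=$sata"
    elif [ "$bound" -eq 0 ]; then
        echo "nvme-controller-without-driver controllers=$found"
    elif [ "$ns" -eq 0 ]; then
        echo "nvme-driver-bound-no-namespace controllers=$found"
    else
        echo "nvme-ready controllers=$found namespaces=$ns"
    fi
}

# Inspect the running system only when invoked as: script.sh check
if [ "${1:-}" = "check" ]; then
    nvme_status /sys
fi
```

A result of `no-nvme-controller` with the SSD attached through a SATA bridge matches the protocol mismatch described in the post above; the script only reads sysfs and never touches the evidence drive.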
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Posted: Tue Sep 12, 2017 6:11 pm

Thanks all for the replies.
I went ahead and purchased the Tableau adapter and bridge:
www.guidancesoftware.c...are/tda7-2
www.guidancesoftware.c...dware//t7u

I have 3 NVMe SSDs. 2 are Toshiba brand and 1 is Samsung.

When I connect the Samsung SSD, the bridge is able to read it and give me all the device info and so forth.

When I connect the two Toshiba SSDs, both show up as "not connected" on the bridge.

Any thoughts? An SSD issue or Tableau issue? (Cost ~$600 so I hope not a Tableau issue!)
Has anyone had success with Toshiba NVMe SSDs?  

timtam
Newbie
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Posted: Mon Sep 18, 2017 3:21 pm

After contacting the supplier for a firmware update, my device was finally able to read the Samsung NVMe SSD.

My follow-up question is, has anyone successfully decrypted a Windows 10 Bitlocker image (I imaged to E01) using the recovery key?

I know EnCase only supports up to Windows 7 Bitlocker. If you have a Windows 10 Bitlocker image, EnCase will recognize the drive and that it is Bitlocker but when you enter the Recovery Key, it loads the drives but it is no encrypted because it is not yet supported. (I don't know why it would even accept it and return you to the evidence screen if it doesn't work.)

I also have two separate Windows 10 w/ Bitlocker SSDs (not NVMe) and when plugged into my host (via a write blocker), my host picks it up and sees it and prompts for the Recovery Key. For both devices, it keeps telling me the key is wrong. I've double checked the identifier. I remember having issues with entering a recovery key on the host device itself and a Dell support guy told me there was some hardware+ssd combo type issue that prevents/allows decryption. Does this make sense to anyone familiar with Bitlocker, how it works with hardware and so forth?

The Dell support guy had no idea what I was referring to when I said 'forensic image' so they are of no help.

timtam
Newbie
 
 
