BitLocker/TPM and EnCase

Mazren79
(@mazren79)
New Member

Hello, 

I'm relatively new to forensics and I've run into an issue with an E01 image that contains BitLocker and came from a computer with TPM installed. We took a full physical image and we have the BitLocker password ID and corresponding password. After adding and validating the image, I'm prompted (in EnCase 21.1) to add BitLocker's password. When I add the correct password and click OK, I'm again prompted to input the password. This occurs over and over again. I cannot seem to get EnCase to get past the encryption. I believe it may have something to do with the TPM, but I'm not sure. I also do not have ready access to the device we imaged.

Does anyone here have any advice (aside from obtaining the device and reacquiring an unencrypted image (we're working on it)) to get past this issue? Aside from EnCase, is there another tool you would suggest to accomplish a forensic exam that could decrypt the image with the correct recovery password?

Any help would be appreciated.

Topic starter Posted : 30/03/2021 11:24 pm
kastajamah
(@kastajamah)
Active Member

I have had a similar issue. After clicking OK, if you are prompted for it again, click Cancel and see if it will parse the image. I know this sounds backward, but with a different disk encryption scheme, I have seen this work.

Posted : 31/03/2021 3:24 pm
AmNe5iA
(@amne5ia)
Active Member

I'd recommend Arsenal Image Mounter, which you can download from here.

I use the free version. Mount the image read-only. Windows should prompt you to input the recovery key. Input the recovery key, then create a new E01 of the partition it now mounts.

Posted : 31/03/2021 8:28 pm
hommy0
(@hommy0)
Member

Hi,

If the recovery password is not working via EnCase, you could try, as an alternative, cancelling when EnCase prompts for the recovery password.

EnCase should then present the device.

From the right-click contextual menu, choose

Device -> Share -> Mount as Emulated Disk - when you mount, enable caching and create the differential file (D01)

This will mount the evidence file in Windows, and should allow you to unlock the BitLocker volumes using the credentials that you have.

If Windows unlocks the BitLocker volume, add this to EnCase and acquire it in its decrypted state.

I would also suggest raising this with OpenText MySupport.

 

Regards

Posted : 02/04/2021 11:02 am
minime2k9
(@minime2k9)
Active Member
Posted by: @amne5ia

I'd recommend Arsenal Image Mounter, which you can download from here.

I use the free version. Mount the image read-only. Windows should prompt you to input the recovery key. Input the recovery key, then create a new E01 of the partition it now mounts.

^ This, easiest way of dealing with BitLocker in general. Normally create a decrypted image afterwards.

Posted : 02/04/2021 3:50 pm
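
Added example (not part of any post above, and not Arsenal's or OpenText's code): once the image is mounted read-only as @amne5ia and @hommy0 describe, this PowerShell sketch rules out a mistyped recovery password, confirms that the password ID you hold matches a protector on the mounted volume, and only then unlocks it. The drive letter, ID and password are constructed placeholders; run it from an elevated prompt on the examination workstation.

```powershell
# Added example: $MountPoint, $ExpectedId and $RecoveryPassword are constructed placeholders.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint       = 'E:',  # assumption: letter Windows assigned to the mounted volume
    [string]$ExpectedId       = '{00000000-0000-0000-0000-000000000000}',
    [string]$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000'
)

function Test-RecoveryPasswordFormat {
    # A recovery password is 8 groups of 6 digits; each group is a 16-bit value times 11,
    # so a single mistyped digit normally breaks the divisibility check.
    param([string]$Password)
    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or ($n / 11) -ge 65536) { return $false }
    }
    return $true
}

if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
    throw 'Recovery password fails the format check; look for a transcription error.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Before: LockStatus=$($vol.LockStatus) EncryptionMethod=$($vol.EncryptionMethod)"

# The recovery password only opens the protector whose ID it was issued for.
$match = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    $_.KeyProtectorId.Trim('{}') -eq $ExpectedId.Trim('{}')
}
if (-not $match) {
    $vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId | Out-Host
    throw "No recovery-password protector with ID $ExpectedId on $MountPoint."
}

if ($vol.LockStatus -eq 'Locked') {
    $vol = Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}
"After: LockStatus=$($vol.LockStatus)"
```

If the ID check fails, the listed protector IDs show which recovery password the volume actually expects, which is worth knowing before raising a support ticket.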