
Creating Forensically Sound Images using Opensource

Bell_4
(@bell_4)
New Member

Hello,

I am looking for some help to develop a process using ONLY free software that I can use to forensically create sound images of Windows 10 Bitlocker encrypted hard-drives. I will also need to be able to decrypt the hard-drives using free software. Any recommendations on the step-by-step process using free-based tools would be GREATLY appreciated.

Thanks in advance,
S P

Topic starter Posted : 19/08/2017 1:03 am
Bunnysniper
(@bunnysniper)
Active Member

Hello,

I am looking for some help to develop a process using ONLY free software that I can use to forensically create sound images of Windows 10 Bitlocker encrypted hard-drives.

Booting from a Linux drive and imaging an underlying hard drive with "dd" is not rocket science. Easier to use is OSFClone from https://www.osforensics.com/tools/create-disk-images.html written by this forum's regular "Passmark". It allows you to use "a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system".

But there is no way to decrypt Bitlocker without the matching password and I do not know any alternative to Microsoft's manage-bde application. Please let us know if you find or develop one. Thanks in advance!

Robin

Posted : 19/08/2017 4:28 am
Bell_4
(@bell_4)
New Member

Thanks Robin for the input.

After using the method you described below, what tool would you use to mount the image file? The Bitlocker keys will be available to me to unlock.

Thanks in advance,
S P

Topic starter Posted : 19/08/2017 4:52 am
tracedf
(@tracedf)
Active Member

You can mount images in FTK Imager and map them as local drives. That should enable you to use Windows to unlock the drive. I haven't tried this with Bitlocker, but I have mounted images and mapped them.

Posted : 19/08/2017 6:25 am
jaclaz
(@jaclaz)
Community Legend

You can mount images in FTK Imager and map them as local drives. That should enable you to use Windows to unlock the drive. I haven't tried this with Bitlocker, but I have mounted images and mapped them.

Well, then he could use FTKImager directly to make the image, point is whether FTKImager is "free", surely it is not "open source".

BTW, open source and free are NOT the same thing, and free may mean more than one thing.

@Bell_4
You can use a free and open source tool like Arsenal Image Mounter (on Windows)
https://arsenalrecon.com/apps/image-mounter/
See
http://www.hecfblog.com/2014/03/daily-blog-263-decrypting-images-with.html

There are a number of dd ports (or similar imaging tools) for Windows (though you may need to use anyway a WinFE of some kind), the question point remains about the "free" or "open source" (or both).

jaclaz

Posted : 19/08/2017 3:25 pm
gungora
(@gungora)
Junior Member

Hello,

I am looking for some help to develop a process using ONLY free software that I can use to forensically create sound images of Windows 10 Bitlocker encrypted hard-drives. I will also need to be able to decrypt the hard-drives using free software. Any recommendations on the step-by-step process using free-based tools would be GREATLY appreciated.

Thanks in advance,
S P

If you plan to decrypt and access the BitLocker encrypted partitions under Linux, you may find Dislocker helpful.

https://github.com/Aorimn/dislocker

Posted : 20/08/2017 9:22 am
Bell_4
(@bell_4)
New Member

Thank you all!!!

Topic starter Posted : 30/08/2017 7:10 pm
slippery
(@slippery)
New Member

You can use Guymager to image the drive, and I've used dislocker. It works great, providing you have the password or recovery key.

Posted : 31/08/2017 4:42 pm
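
The imaging and unlock steps suggested in this thread (a raw dd image, then dislocker with the recovery key), sketched as an added example that is not any poster's own code. The function names, the `.sha256` log layout and the partition-number argument are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Names and log layout are assumptions.

# sha256_of FILE: print only the hex digest.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire SRC IMG: raw-copy SRC to IMG and prove the copy is bit-identical.
acquire() {
    src=$1; img=$2
    # Software write-block a real device before the first read (needs root).
    if [ -b "$src" ]; then blockdev --setro "$src" || return 1; fi
    before=$(sha256_of "$src") || return 1
    # No conv=noerror,sync: a read error aborts instead of silently
    # zero-padding, so a matching hash always means a complete copy.
    dd if="$src" of="$img" bs=1M status=none || return 1
    after=$(sha256_of "$img") || return 1
    printf 'source %s\nimage  %s\n' "$before" "$after" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
    [ "$before" = "$after" ]
}

# verify IMG: re-hash the image later and compare with the logged value.
verify() {
    logged=$(awk '$1 == "image" { print $2 }' "$1.sha256")
    [ -n "$logged" ] && [ "$(sha256_of "$1")" = "$logged" ]
}

# unlock_ro IMG PARTNUM FUSE_DIR MOUNT_DIR: expose the BitLocker partition
# of a whole-disk image read-only at every layer (loop, dislocker, mount).
unlock_ro() {
    loopdev=$(losetup --find --show --read-only --partscan "$1") || return 1
    # -r: read-only. Bare -p: dislocker prompts for the recovery password,
    # which keeps the key out of the process list and shell history.
    dislocker -r -V "${loopdev}p$2" -p -- "$3" || return 1
    mount -o ro,loop "$3/dislocker-file" "$4"
}

# Command-line use: ./acquire.sh /dev/sdX evidence.dd
if [ "$#" -eq 2 ]; then acquire "$1" "$2"; fi
```

Run `verify` again before each examination session; a mismatch means the working copy changed after acquisition.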
Bell_4
(@bell_4)
New Member

Awesome. Yup I will have the passwords. Thank you!

Topic starter Posted : 31/08/2017 4:48 pm