Encase V7.17 unallo...
 
Notifications
Clear all

Encase V7.17 unallocated Clusters bitlocker recovery key

2 Posts
2 Users
1 Likes
2,153 Views
(@lunamiramj)
Posts: 1
New Member
Topic starter
 

I had a hard time getting M.2 SSD evidence file using old write blocker so i used Paladin to collect dd raw file and add as evidence file in encase.

After first acquisition, asking bitlocker recovery key message popped up but unable to enter key information right away. It wouldn't ask for key information again but only showing "unallocated Clusters" instead.

Any suggestion at this point? i am unable to read my m.2 ssd evidence file in encase.

 

Thank you

 
Posted : 13/05/2021 10:15 pm
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

With a Bitlockered volume EnCase will require the Bitlocker Recovery Key or a BEK file.  If the evidence has been loaded into Entries without providing either of these items, EnCase will display that volume as Unallocated Clusters since it has not been able to parse the file system etc due to it still being encrypted.

If you now have the relevant Bitlocker material to "unlock" that volume you need EnCase to prompt once again to enter one of the recovery items.

This is achieved from the device (evidence) listing.  

Blue Check the evidence item that has the Bitlocker volume.  

There should be a button above that table called RESCAN. Clicking that button will cause EnCase to re-read the evidence and in this case provide the prompt to enter the Bitlocker recovery material.

Enter the relevant recovery key, EnCase should progress to Entries and present the unlocked volume for examination.

 

Regards 

 
Posted : 14/05/2021 9:23 am
Gsibat reacted
Share: