
Encase V7.17 unallocated Clusters bitlocker recovery key

lunamiramj
(@lunamiramj)
New Member

I had a hard time getting an M.2 SSD evidence file using an old write blocker, so I used Paladin to collect a dd raw file and added it as an evidence file in EnCase.

After the first acquisition, a message asking for the BitLocker recovery key popped up, but I was unable to enter the key information right away. It wouldn't ask for the key information again, and only shows "Unallocated Clusters" instead.

Any suggestions at this point? I am unable to read my M.2 SSD evidence file in EnCase.

 

Thank you

Topic starter Posted : 13/05/2021 11:15 pm
hommy0
(@hommy0)
Member

Hi,

With a Bitlockered volume, EnCase will require the BitLocker Recovery Key or a BEK file. If the evidence has been loaded into Entries without providing either of these items, EnCase will display that volume as Unallocated Clusters, since it has not been able to parse the file system etc. due to it still being encrypted.

If you now have the relevant BitLocker material to "unlock" that volume, you need EnCase to prompt once again to enter one of the recovery items.

This is achieved from the device (evidence) listing.  

Blue Check the evidence item that has the Bitlocker volume.  

There should be a button above that table called RESCAN. Clicking that button will cause EnCase to re-read the evidence and, in this case, provide the prompt to enter the BitLocker recovery material.

Enter the relevant recovery key, and EnCase should progress to Entries and present the unlocked volume for examination.

 

Regards 

Posted : 14/05/2021 10:23 am
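An added example, not part of the thread and not EnCase functionality: a Python check that a raw dd image contains a volume that is still BitLocker-encrypted, which is the state in which EnCase shows only Unallocated Clusters. It assumes 512-byte sectors and an MBR or GPT layout; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512                 # assumption: 512-byte logical sectors
BITLOCKER_SIG = b"-FVE-FS-"  # OEM ID at offset 3 of a BitLocker volume's boot sector

def partition_starts(img):
    """Yield partition start LBAs from an MBR or a protective MBR + GPT."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return                                    # no partition table found
    entries = [mbr[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if not any(e[4] == 0xEE for e in entries):    # classic MBR, primary entries only
        yield from (struct.unpack_from("<I", e, 8)[0] for e in entries if e[4])
        return
    img.seek(SECTOR)                              # GPT header lives at LBA 1
    hdr = img.read(SECTOR)
    if len(hdr) < 88 or hdr[:8] != b"EFI PART":
        return
    table_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    if size < 48:
        return                                    # malformed entry size
    img.seek(table_lba * SECTOR)
    table = img.read(count * size)
    for off in range(0, len(table) - 47, size):
        if any(table[off:off + 16]):              # all-zero type GUID = unused slot
            yield struct.unpack_from("<Q", table, off + 32)[0]

def bitlocker_volumes(img):
    """Return start LBAs whose first sector carries the BitLocker signature."""
    def is_bitlocker(lba):
        img.seek(lba * SECTOR + 3)
        return img.read(8) == BITLOCKER_SIG
    # LBA 0 is always checked so a bare volume image is covered as well
    return [lba for lba in sorted({0, *partition_starts(img)}) if is_bitlocker(lba)]

def constructed_image():
    """Constructed sample: GPT disk, plain NTFS at LBA 40, BitLocker at LBA 80."""
    img = bytearray(128 * SECTOR)
    img[450] = 0xEE                               # protective MBR partition type
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)  # table at LBA 2, 2 x 128 B
    for i, (lba, oem) in enumerate([(40, b"NTFS    "), (80, BITLOCKER_SIG)]):
        ent = 2 * SECTOR + i * 128
        img[ent] = 0xA2                           # any non-zero type GUID byte
        struct.pack_into("<Q", img, ent + 32, lba)
        img[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    return io.BytesIO(bytes(img))
```

Pass a working copy of the image opened with `open(path, "rb")` to `bitlocker_volumes`; a returned LBA means that volume is still encrypted and the recovery key or BEK file is needed before the file system can be parsed.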