Internet Evidence Finder v6.33 and Bitlocker Compatibility
Does anyone know if Magnet Forensics' Internet Evidence Finder v 6.33 is compatible with Microsoft BitLocker?
I have a BitLocker encrypted E01 image and also the correct BitLocker recovery key, but I do not see any prompts or locations to input the BitLocker recovery key when setting up a new case using Internet Evidence Finder.
I searched Magnet Forensics' support site and found no references to BitLocker; I also searched Internet Evidence Finder's help manual and found no references to BitLocker.
** I do not want to upgrade to Axiom as I have enough Axiom-like forensic tools.
I suppose I could mount the encrypted image using Mount Image Pro, enter the BitLocker recovery key and then create a new unencryted forensic image of the Mount Image Pro mounted image but I was hoping to shortcut this process.
I'm not sure off the top of my head but it's probably worth giving you the headsup that, having also avoided upgrading to Axiom for ages, and persisting with IEF, I can now say that Axiom is MILES faster, and has definitely been worth the upgrade (ignoring any feature differences).
No we use Passware for bitlocker decryption and didn't integrate Passware into IEF so it won't decrypt it.
As you suggested, either
1) Mount, decrypt, re-image
2) Mount, decrypt, scan the mounted image, or
3) use AXIOM or similar tool that does decryption.
Hope that helps,