Okay. I am stumped.
Anyone know how you could mount and have Win7 recognize a BitLocker drive?
The image is an encrypted E01 (within a TrueCrypt volume), and although mountImage Pro mounts it, I am unable to read the BitLocker encrypted volume, and the OS does not recognizes it as BitLocker volume. (
So its TC(E01(Bitlocker))?
You got a full image of the machine? IE, is virtualisation an option or could you restore it to a spare drive and boot the copy?
In Win7 you can mount a VHD as if it were a regular hard drive (don't have my notes with me on which versions support it, but you're running Ultimate, right?) Do a "restore" in Virtual PC and then try to mount it.
Correct, it is TC(E01(BitLocker(data))). There may also be some EFS and file level TC for good measure, here and there.
I did not image the device . . .
I am running Win 7 Enterprise. I am surprised that once I mounted the TC, mounted the E01 (Mountimage pro), the OS did not recognize the BitLocker.
I am curious to find out why it failed.
I am planning to convert the E01 to VHD/vmdk and hope to mount it as such.
The onion was peeled as such -
Originally TC(E01(BitLocker(data)))
1. Copy the E01 out of TrueCrypt.
2. Covert the E01 to raw.
3. Convert the raw to .vhd
4. Mount the vhd
5. Provide the BitLocker key.
6. Image the logical BitLocker volume on the vhd to raw.
7. Image the logical BitLocker volume on the vhd to E01.
It turns out the actual raw image had some corruption. I do not know why, but once that fixed it, I was able to convert it and get a new image mounted properly.
Thanks all.
Its like Inception of computer forensics. Hopefully you had a cool snowmobile chase 😉
I'm confused, EnCase does bitlocker doesnt it? Couldn't you just open your truecrypt volume, point EnCase at the E01 and provide the bitlocker info to view it decrypted?