Forums
Main Category
General (Technical,...
Alternative to Enca...
 
Notifications
Clear all

Alternative to Encase to view Bitlocked E01

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jaclaz 8 years ago
12 Posts
8 Users
0 Reactions
4,694 Views
RSS
 byrlord
(@byrlord)
New Member
Joined: 16 years ago
Posts: 4
Topic starter 25/11/2017 8:24 pm  

Fellow examiners, I have an E01 image from a bitlocked Windows 8 laptop and would like to use a Free tool to open and extract the files.

Please note I have the Bitlock recovery key.

Any suggestions?


   
Quote
Novunix
 Novunix
(@novunix)
Eminent Member
Joined: 16 years ago
Posts: 35
25/11/2017 11:04 pm  

Magnet Forensics Axiom has a free, fully functional trial


   
ReplyQuote
 randomaccess
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
26/11/2017 1:48 am  

You can use the SIFT workstation VM pretty easily
Rob Lee shows how to mount images in it and there's a python script called ImageMounter that lets you mount bitlocker stuff

You can then navigate to the shares (\\SIFTWORKSTATION) and they share out the MNT directory, which should have your mounted drives.


   
ReplyQuote
AmNe5iA
 AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
26/11/2017 10:45 pm  

https://arsenalrecon.com/weapons/image-mounter/


   
ReplyQuote
JaredDM
 JaredDM
(@jareddm)
Estimable Member
Joined: 9 years ago
Posts: 118
27/11/2017 3:49 pm  

OSFMount should be able to mount it right in Windows, and then you should have no problem handling the BitLocker from there. Or, it can convert it to a raw binary image for you.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
27/11/2017 4:57 pm  

OSFMount should be able to mount it right in Windows, and then you should have no problem handling the BitLocker from there. Or, it can convert it to a raw binary image for you.

Have you actually tried it? ?

OFS mount is a derivative of IMDISK, and as such it mountss the volume, not the disk.

The Arsenal Image Mounter (UNlike IMDSK, but by the same Author) mounts a "whole disk" image as if it was a hardware disk.

Afaik Bitlocker is a whole disk encryption and needs also the "hidden sectors" to be decoded. ?

Anyway, AIM has been tested successfully
https://www.forensicfocus.com/Forums/viewtopic/t=12904/

jaclaz


   
ReplyQuote
 chad131
(@chad131)
Trusted Member
Joined: 16 years ago
Posts: 63
27/11/2017 6:08 pm  

If you want open source…

https://github.com/libyal/libbde


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
27/11/2017 9:23 pm  

If you want open source…

https://github.com/libyal/libbde

Well, just for the record both Imdisk and AIM are open source anyway.

OFSmount most probably should, but it isn't. cry

jaclaz


   
ReplyQuote
AmNe5iA
 AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
27/11/2017 9:40 pm  

I've used this with linux with success too

https://github.com/Aorimn/dislocker


   
ReplyQuote
 chad131
(@chad131)
Trusted Member
Joined: 16 years ago
Posts: 63
27/11/2017 10:00 pm  

If you want open source…

https://github.com/libyal/libbde

Well, just for the record both Imdisk and AIM are open source anyway.

OFSmount most probably should, but it isn't. cry

jaclaz

I've been waiting for over a year for EnCase to get off it's a*s and support XTS-AES. I'm 90% done getting libbde incorporated as an X-Ways X-Tension… i just need some more of that stuff people call free time.


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: