For imaging, what is the best way to avoid BitLocker when pulling out a hard drive or SSD? Is it smarter to remove the battery and then pull the drive? I have read that pulling the battery can potentially mess with the BIOS settings, which will trip BitLocker. Or is it smarter to leave the battery plugged in and then pull the drive? Does this change with an SSD? I don't want to avoid BitLocker but then kill the drive. I know I could log in and then pull the BitLocker key, but that overwrites artifacts, and then I would need the custodian credentials and then admin credentials, which we sometimes don't get, so we prefer to do a dead image. Any help would be appreciated. Thank you.
What do you mean by avoiding BitLocker?
If a volume has BitLocker encryption enabled and you shut off the machine and boot to a forensic OS for imaging (like Paladin, for example), you will get a physical image that has a BitLocker-encrypted partition. You can decrypt it using forensic tools by providing the BitLocker key or password.
But based on your description of the question, you may be talking about TPM chips? Essentially, if you pull the hard drive from the original system, then you cannot read any data off that drive. This is a separate thing from BitLocker encryption; rather, it is a security feature that prevents a hard drive from being removed and read in another device.
Ways to avoid BitLocker encryption: if the system is on, check whether BitLocker is enabled and, if so, disable it. Alternatively, you can do a live logical image of the BitLocker partition while it is decrypted.
If you shut off the machine without having the password or recovery key, then you risk not being able to decrypt the data later. This is a separate issue from not being able to read the data on the drive unless it is read off the host machine.
Does this make sense? Not sure if this helps or answers your question in any way, but I saw no one had chimed in yet and wanted to at least try and help 🙂
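The "check if BitLocker is enabled" step above is the one that decides whether a dead image will be readable later. The script below is an added example, not code from either poster: a read-only triage run from an elevated PowerShell prompt on the live host that lists each volume's BitLocker state and which key protectors exist. It relies only on the built-in `Get-BitLockerVolume` and `Get-Tpm` cmdlets (Windows 8 / Server 2012 and later); the function names `Get-BitLockerTriage` and `Get-TpmSummary` are my own.

```powershell
# Added example (not from the thread): read-only BitLocker/TPM triage before a dead image.
# Reads state only; it does not suspend, disable or decrypt anything.
# Assumes the BitLocker and TrustedPlatformModule cmdlets are available and the shell is elevated.

function Get-BitLockerTriage {
    foreach ($v in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, RecoveryPassword,
        # ExternalKey and Password. A Tpm* protector means the key is sealed to this
        # machine's TPM: the drive will not unlock in another box without a recovery password.
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus      # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
            ProtectionStatus = $v.ProtectionStatus  # On = key needed at next boot; Off = protectors suspended
            EncryptionMethod = $v.EncryptionMethod
            Protectors       = ($types -join ', ')
            TpmBound         = [bool]($types -match '^Tpm')
            HasRecoveryPwd   = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

function Get-TpmSummary {
    try {
        $t = Get-Tpm
        [pscustomobject]@{ TpmPresent = $t.TpmPresent; TpmReady = $t.TpmReady }
    } catch {
        # Get-Tpm throws on hosts without the module or without a TPM device.
        [pscustomobject]@{ TpmPresent = $false; TpmReady = $false }
    }
}

# Recovery passwords are part of the volume's protector list; this reads them without
# changing the volume. Record them in the case notes before any power-off.
function Get-BitLockerRecoveryPasswords {
    foreach ($v in Get-BitLockerVolume) {
        foreach ($p in $v.KeyProtector) {
            if ($p.KeyProtectorType -eq 'RecoveryPassword') {
                [pscustomobject]@{
                    MountPoint       = $v.MountPoint
                    KeyProtectorId   = $p.KeyProtectorId
                    RecoveryPassword = $p.RecoveryPassword
                }
            }
        }
    }
}

Get-TpmSummary
Get-BitLockerTriage | Format-Table -AutoSize
Get-BitLockerRecoveryPasswords | Format-Table -AutoSize
```

Reading the output: a volume with `VolumeStatus = FullyEncrypted`, `TpmBound = True` and no recovery password you can document is exactly the case the reply warns about, where pulling the drive yields an encrypted image you cannot open later. `ProtectionStatus = Off` is what the "disable it" advice produces when done with `Suspend-BitLocker` (encryption stays in place but the volume unlocks without a key); `Disable-BitLocker` instead decrypts the whole volume in place, which rewrites far more of the disk than a suspend.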
As annucci stated, you have a couple of options depending on the config. You could remove the drive and take a full encrypted image, then decrypt that image using a tool such as EnCase or AXIOM if you have the BitLocker recovery key/password. If you don't have access to those tools, you can mount the image using Arsenal Image Mounter; when Windows recognises the mounted drive it will prompt you for the BitLocker password and mount the drive in an unencrypted state, and from there you can use FTK Imager to create a logical decrypted image of the mounted decrypted volume. Alternatively, you could create a decrypted image while acquiring the data directly from the drive with imaging tools that support BitLocker decryption.