best practices thoughts /w acquiring Windows 10 image /w bitlocker and no key

cybertend
(@cybertend)
New Member

Scenario:

Windows 10 system /w bitlocker enabled.

I have the local administrator credentials.

I do not have the bitlocker keys.

Option 1) boot into windows, login as the administrator, run FTK imager from a USB drive.  Dump the memory and then take a logical image of the C:\ drive.

Option 2) boot into windows, login as the administrator, disable bitlocker, reboot machine with a live linux distro, use dd to take an image of the now decrypted physical volume.

It seems to me that Option 2 is better:

1) The image of the volume will be more complete than a logical image. 

2) Since the volume is now decrypted, there should be no reason to ever boot the target system back up into windows and further dirty the original target.

Argument against is that the received machine came with bitlocker and disabling bitlocker could raise questions.

Anyway, I just wanted thoughts as perhaps I am missing something on the pushback.

Topic starter Posted : 27/04/2021 4:16 am
noquarter
(@noquarter)
New Member

Hello,

log into windows on the target machine, start a terminal CMD as admin and export the bitlocker recovery key:

manage-bde -protectors -get c:

Then you can image the drive as encrypted and you will be able to decrypt it afterwards with the help of the bitlocker recovery key in most of the forensic tools (i.e. EnCase).

Kind regards

Posted : 27/04/2021 9:53 am
the_df_guy
(@the_df_guy)
New Member

Hi,

With both options you have presented, you will not preserve the integrity of the image as you will be logging in prior to taking the image.

I have found the following solution works for me:

  1. Image using a USB bootable OS, CAINE etc.
  2. Log in as local admin and run "manage-bde -protectors C: -get" to obtain the Bitlocker recovery key

Then either:

  1. Use something like AXIOM or Passware to convert the encrypted image into a workable decrypted image
  2. Mount the encrypted image, unlock with the BL key and then use FTK to obtain an image.


I hope this helps.

Posted : 27/04/2021 10:04 am
cybertend liked
AmNe5iA
(@amne5ia)
Active Member

@the_df_guy Go with option 2 but instead of disabling bitlocker, suspend bitlocker and/or save the recovery key again.  With bitlocker suspended and/or with the bitlocker recovery key to hand, you can access the encrypted volume without having to wait for the whole volume to decrypt.  With option 2 you can also image the entire disk rather than just the bitlocker volume.

Posted : 27/04/2021 10:29 am
cybertend liked
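An added example, not posted by anyone in the thread, that carries out the key export noquarter and the_df_guy describe (Get-BitLockerVolume plus manage-bde) together with AmNe5iA's suspend-instead-of-decrypt advice, and writes a hashed record of what was collected. It assumes it is run as the local Administrator from the examiner's own removable media; the output path E:\case-notes is a placeholder.

```powershell
# Added example (not from the thread): run as local Administrator from the examiner's USB drive.
# Records BitLocker state and protectors before any change, exports recovery password(s),
# and optionally suspends (not disables) BitLocker so the data on disk stays encrypted.
param(
    [string]$MountPoint = "C:",
    [string]$OutDir = "E:\case-notes",   # assumed examiner USB path, adjust to your media
    [switch]$Suspend                     # AmNe5iA's suggestion: suspend rather than decrypt
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$report = Join-Path $OutDir "bitlocker-$($MountPoint.TrimEnd(':'))-$stamp.txt"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$lines = @(
    "Collected: $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERNAME",
    "Volume: $($vol.MountPoint)  Status: $($vol.VolumeStatus)  Protection: $($vol.ProtectionStatus)",
    "Encryption: $($vol.EncryptionMethod)  Percent: $($vol.EncryptionPercentage)"
)

# TPM-bound protectors are the ones TuckerHST's warning is about: a firmware or boot-order
# change can force recovery mode, so note them before deciding how to image.
foreach ($kp in $vol.KeyProtector) {
    $entry = "Protector $($kp.KeyProtectorId) type=$($kp.KeyProtectorType)"
    if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
        $entry += " recovery-password=$($kp.RecoveryPassword)"
    }
    $lines += $entry
}
if ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }) {
    $lines += "NOTE: TPM-based protector present; booting another OS may trigger recovery mode."
}

# Raw manage-bde output as a second, independent record of the same protectors.
$lines += "--- manage-bde -protectors -get $MountPoint ---"
$lines += (& manage-bde -protectors -get $MountPoint 2>&1)

if ($Suspend) {
    # RebootCount 0 = suspended until explicitly resumed; the volume is not decrypted.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    $lines += "BitLocker suspended at $(Get-Date -Format o) (Suspend-BitLocker -RebootCount 0)"
}

$lines | Set-Content -Path $report -Encoding UTF8
# Hash the note file so later handling of the key material can be verified.
$hash = (Get-FileHash -Path $report -Algorithm SHA256).Hash
"$hash  $(Split-Path $report -Leaf)" | Set-Content -Path "$report.sha256"
Write-Host "Wrote $report (SHA256 $hash)"
```

The recovery password is the 48-digit numerical key that EnCase, AXIOM or Passware accept when opening the encrypted image, so the report file should be handled as key material.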
cybertend
(@cybertend)
New Member

Thanks all, this helps for sure and I am sure helps others who are starting to run into more and more bitlocker enabled systems. I was unaware that one could export the bitlocker key as the local admin, it does make sense as the local admin can suspend/disable bitlocker.

Topic starter Posted : 27/04/2021 7:09 pm
TuckerHST
(@tuckerhst)
Active Member
Posted by: @the_df_guy

I have found the following solution works for me:

  1. Image using a USB bootable OS, CAINE etc.
  2. Log in as local admin and run "manage-bde -protectors C: -get" to obtain the Bitlocker recovery key

WARNING

If the system is an MS Surface device with a TPM chip (and likely other similar hardware), step 1 will require changing the BIOS to allow the untrusted OS to boot, and that action will wipe the BitLocker token from the device. It will then NO LONGER boot without the Recovery Key (which you don't have). In short, FUBAR.

Here's Microsoft's explanation of why this happens:

Windows will require a BitLocker recovery key when it detects an insecure condition that may be an unauthorized attempt to access the data. This extra step is a security precaution intended to keep your data safe and secure. Some changes in hardware, firmware, or software can present conditions which BitLocker cannot distinguish from a possible attack. In these cases, BitLocker may require the extra security of the recovery key even if the user is an authorized owner of the device. This is to be certain that it really is an authorized user of the device attempting to unlock it.

See https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-10-6b71ad27-0b89-ea08-f143-056f5ab347d6

While it may seem "forensically unsound" to boot a computer and log in as a user prior to imaging it, if you do not already have the BitLocker recovery key, I highly recommend NOT taking the chance of booting the device into another OS to image it. You may end up with an encrypted image and no way of accessing the data on the device.

Please don't ask how I know.

Posted : 28/04/2021 6:17 pm
trewmte liked
C.R.S.
(@c-r-s)
Active Member

If you neither can boot into another OS with the present BIOS settings, nor image the drive through physical access before obtaining the key, a third option to avoid a login before imaging is to just boot and capture the key on the TPM's SPI bus (then reconfigure for imaging).

Posted : 30/04/2021 9:21 pm