Topic starter
23/03/2016 9:52 pm
I have a BitLocker image which I unlocked using bdemount with the BitLocker recovery key on SIFT3, and made a cp of the bdemounted decrypted image to a .dd file. This one is analysed in Autopsy 4.0.0 on a Win 8 software appliance (I know I need to get Autopsy 4 running on SIFT 3). All files can be read and the .dd image can be analysed. Only extracting the orphan files ($OrphanFiles folder) results in garbage. The files have no valid headers (in Autopsy and also after extraction). I'm not sure what happened on this PC.
How do I check if these files have been encrypted by ransomware/trojan?
If BitLocker disk encryption is unlocked, all files are encrypted (disk encryption) or are files also encrypted?