BitLocker experience  

Cults14
(@cults14)
Active Member

Thought I'd share a recent experience. I'm an internal corporate resource in a team of one (i.e. me). We had to get images of a number of Win7 Enterprise machines, some from "close by" and some from another continent. Corporate Policy protects Laptops with BitLocker but not Desktops.

I did the "close by" ones (mix of Laptop and Desktop). Due to time constraints I used WinFE to boot all machines, then got the Bitlocker ID using manage-bde and finally called our internal service desk who supplied the Recovery Password which is stored in MBAM. Then I created Logical images in FTK Imager Lite which is part of my WinFE config by mounting the BitLocker drive in read-only mode.

We used a vendor for the one in another continent, they did Physical acquisition in compressed E01 format and sent all the images to me on one 2TB drive.

The only way I know how to access a physical image taken from a BitLocker'd drive is to create a VHD and attach the VHD in Disk Management, so I
* Added the E01 image to FTK Imager
* Exported to DD format
* Converted from DD to VHD (VirtualBox "vboxmanage convertfromraw" command line)
* Attached the VHD in Disk Management which gives BitLocker ID
* Contact internal service desk to get the Recovery Password which is stored in MBAM

Along the way I discovered that the sector size on the 4TB drive I used to store the VHD files isn't supported by the "Attach VHD" operation, so I copied them onto lower capacity drives, which worked just fine thereafter.

And finally I decided to make a logical image in DD format on the 4TB drive of the VHD so that I would finally have everything in one place and not need BitLocker passwords!

All in all a LOT of elapsed time was involved - I'd be interested in any ideas on doing this quicker (other than briefing external vendors to do either Logical acquisitions of BitLocker'd drives or to use DD format if they insist on E01 format (can't think why they would though)).

I use FTK Imager (and Lite) on a Dell Precision and sometimes on an older Dell Latitude E6500, and occasionally use Tableau Image Manager, I have no duplicators.

Cheers

Posted : 20/04/2015 4:30 pm
Cults14
(@cults14)
Active Member

We used a vendor for the one in another continent, they did Physical acquisition in compressed E01 format and sent all the images to me on one 2TB drive.

Meant "ones" ………….

Posted : 20/04/2015 4:35 pm
dacorr
(@dacorr)
New Member

Would mounting the E01 in FTK Imager not have made that simpler?

Granted you would need to image the unencrypted logical drive.

I have also mounted physical drives via writeblocker and decrypted/imaged them that way.

I believe Encase can decrypt for you with the key, but the last time I had to look at BitLocker was 3 years ago.

Dac

Posted : 20/04/2015 4:54 pm
jaclaz
(@jaclaz)
Community Legend

I am not sure I understand what the question(s) is/are.

If you have a DD image (which by definition is a "whole disk" image or "fixed size") I doubt that there is a need to convert it to .VHD, as you can use (say) Arsenal Image Mounter
http://www.arsenalrecon.com/apps/image-mounter/
to mount it "as is" (BUT this driver also allows directly mounting the .E01). In any case the difference between a DD and a "fixed" .vhd is a single sector (footer) appended; there are several tools capable of doing the "conversion", namely it is one of the features of Clonedisk
http://labalec.fr/erwan/?page_id=42
but there is an as-simple-as-possible tool by Karyonix here
http://reboot.pro/topic/9715-firadisk-and-vhd-img-images/?p=83781

jaclaz

Posted : 20/04/2015 5:24 pm
Cults14
(@cults14)
Active Member

Would mounting the E01 in FTK Imager not have made that simpler?

Granted you would need to image the unencrypted logical drive.
Dac

Maybe I didn't make it clear. The source system was protected by BitLocker; the third party used FTK Imager with the Physical Drive option in compressed E01 format (multiple segments), so the image appears as "unrecognised filesystem" in FTKI. Mounting doesn't help: a prompt appears to format the mounted partition.

I am not sure I understand what the question(s) is/are.
jaclaz

Maybe I should have asked what methods people here use to access a physical image in compressed E01 format of a BitLocker'd Win7 system.
Even if what I had was a physical image in DD format of a BitLocker'd Win7 system (which is where I got to after the first conversion in my process), the Arsenal product doesn't seem to help, as the drive appears in Disk Management as "Unallocated".
I haven't yet looked at the other options you mentioned, but they seem to refer to VHD conversions and that's not the area of difficulty.

BTW I know that if you add a physical image in compressed E01 format of a BitLocker'd system to FTK5 or similar, then FTK5 will display the 8-character BitLocker ID and prompt for the Recovery Password, and from there it appears you can export to a DD image, but on a day-to-day basis that's not feasible for me.

HTH

Posted : 20/04/2015 7:52 pm
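The "unrecognised filesystem" Cults14 describes is what an imaging tool sees when a partition's volume boot record carries BitLocker's OEM ID instead of an NTFS one. The following is an added example (not code from this thread or from any of the tools mentioned) that walks the MBR partition table of a raw physical image and reports which partitions are cleartext NTFS and which are Windows 7 BitLocker volumes, so a triage copy can be checked offline before anyone asks for recovery passwords; the sample image and its partition layout are constructed inline.

```python
import io
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID written into the volume header of Windows 7+ BitLocker volumes

def list_mbr_partitions(fh):
    """Yield (index, type, start_lba, sector_count) for the used entries of a classic MBR."""
    fh.seek(0)
    mbr = fh.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (GPT-only or damaged image?)")
    for i in range(4):
        ptype = mbr[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if ptype and count:
            yield i, ptype, start, count

def classify_volume(fh, start_lba):
    """Read the volume boot record and report what its OEM ID says the volume is."""
    fh.seek(start_lba * SECTOR)
    oem = fh.read(SECTOR)[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"   # no filesystem structures are readable until the volume is unlocked
    if oem == b"NTFS    ":
        return "ntfs"        # cleartext NTFS; note a Vista-era BitLocker volume keeps this OEM ID
    return "unknown"

def scan_image(fh):
    """Return [(partition index, start LBA, classification)] for every partition in the image."""
    return [(i, start, classify_volume(fh, start)) for i, _, start, _ in list_mbr_partitions(fh)]

def build_sample_image():
    """Constructed 3-sector image: MBR, a cleartext NTFS system partition, a BitLocker OS volume."""
    def entry(ptype, start, count):
        return b"\x80" + b"\x00" * 3 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, count)
    mbr = b"\x00" * 446 + entry(0x07, 1, 1) + entry(0x07, 2, 1) + b"\x00" * 32 + b"\x55\xaa"
    vbr_ntfs = b"\xeb\x52\x90" + b"NTFS    " + b"\x00" * (SECTOR - 11)
    vbr_fve = b"\xeb\x58\x90" + BITLOCKER_OEM + b"\x00" * (SECTOR - 11)
    return io.BytesIO(mbr + vbr_ntfs + vbr_fve)
```

For a real DD image, pass `open(path, "rb")` instead of the constructed `BytesIO`; a compressed E01 has to be expanded (or mounted through libewf) first, which is exactly the step the thread is about.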
dacorr
(@dacorr)
New Member

Ah, ok

I had multiple issues in what you describe, in that there was a great amount of converting required and particularly as it came down to a skill set issue in other office locations, i.e. typical desktop support were not able to deal with imaging etc.

The solution I found was the simpler option, in that they shipped the hard drive to my Lab so I could image it myself, but I also had access to the recovery console in Active Directory and reduced the number of other departments that had to get involved in the chain.

The problem I found with this is that IT people did not necessarily know how to ship hard drives, so after detailed instructions that became the norm. There was additional cost as each asset had to maintain a few spare hard drives, and customs sometimes tried to charge tax on 'new computer' equipment purchases, but it worked.

Eventually the company moved to an enterprise level solution which imaged remotely.

Dac

Posted : 20/04/2015 8:05 pm
Cults14
(@cults14)
Active Member

So I guess the questions are:
does anyone know of a way to mount (or add, or whatever verb works) a physical image in E01 compressed format in such a way that the Windows filesystem is recognisable with no further processing?

OR

does anyone know of a way to convert directly from E01 to VHD?

Cheers

Posted : 20/04/2015 8:06 pm
paul206
(@paul206)
Member

FTK 5.6 will decode BitLocker. Here is a quote from the current manual.

"If you have the proper credentials, you can decrypt Bitlocker encrypted partitions. You can decrypt the Bitlocker partitions from Windows Vista and Windows 7 computers. You can provide the unique credentials for multiple encrypted partitions. After you provide Bitlocker credentials, files in the encrypted partitions are decrypted while the evidence is processed."

1. Add evidence that has Bitlocker encryption to a case. If Bitlocker encryption is detected, you are prompted to enter credentials in the following dialog.

2. Enter one of the following credentials:
Boot Key File
Recovery Password

3. If there are multiple partitions, a dialog will be displayed saying that the password for the first partition is valid, and that additional partitions remain encrypted.

4. Click OK and the credential dialog is again displayed for the next partition.
This sequence continues until you have entered the credentials for all encrypted partitions.

Posted : 21/04/2015 1:20 am
jaclaz
(@jaclaz)
Community Legend

So I guess the questions are:
does anyone know of a way to mount (or add, or whatever verb works) a physical image in E01 compressed format in such a way that the Windows filesystem is recognisable with no further processing?

OR

does anyone know of a way to convert directly from E01 to VHD?

Cheers

As said, the Arsenal Image Mounter driver does allow you to DIRECTLY mount a .E01 image, BUT you will need to check if it is capable of doing the same for a BDE (BitLocker) image (if you prefer: AIM uses LIBEWF but may not use LIBBDE? It is possible that this feature is not yet present ).

It is NOT possible to "convert directly" from .E01 to .VHD, in the sense that a .E01 is a compressed image while the .VHD is a "fully expanded" one, so the conversion implies a decompression.

Since a (fixed size) VHD is EXACTLY THE SAME as a DD image (except for a single sector appended), it takes (say) 1 1/2 hours to decompress the .E01 to DD and then between one and three milliseconds to convert the DD image to VHD, so while such software may exist, it would not offer any practical advantage.

IMHO the only reason to prefer a .VHD over a DD image is that the .VHD is compatible with the Windows 7 and later "native" .VHD driver, but there are several third party drivers that can directly mount the DD image without adding the footer, so the only "really needed" reason to have a .VHD instead of a DD image would be its use in a VM that does not provide support for DD images; but anyway it is not a practical issue, as converting a (fixed size) .VHD image to a DD image or vice versa is almost instantaneous.

jaclaz

Posted : 21/04/2015 1:24 am
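jaclaz's point that a fixed-size VHD is a DD image plus one appended sector, and Cults14's DD-to-VHD step earlier in the thread, can be shown concretely. The following is an added example (not from this thread, Arsenal, VirtualBox or Clonedisk) that builds the 512-byte VHD footer from the VHD specification (cookie "conectix", fixed disk type 2, CHS geometry and ones'-complement checksum), appends it to a raw image in place, and validates a candidate footer; the creator tag "ddvh" is a constructed value.

```python
import os, struct, time

SECTOR = 512
VHD_EPOCH = 946684800  # VHD timestamps count seconds from 2000-01-01 00:00:00 UTC

def chs_geometry(total_sectors):
    """CHS geometry computed the way the VHD specification's appendix prescribes."""
    total_sectors = min(total_sectors, 65535 * 16 * 255)
    if total_sectors >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cyl_heads = total_sectors // spt
    else:
        spt = 17
        cyl_heads = total_sectors // spt
        heads = max(4, (cyl_heads + 1023) // 1024)
        if cyl_heads >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cyl_heads = total_sectors // spt
        if cyl_heads >= heads * 1024:
            spt, heads = 63, 16
            cyl_heads = total_sectors // spt
    return cyl_heads // heads, heads, spt

def build_fixed_vhd_footer(raw_size):
    """Return the 512-byte footer that makes a raw image of raw_size bytes a fixed VHD."""
    cyl, heads, spt = chs_geometry(raw_size // SECTOR)
    head = struct.pack(">8sIIQI4sI4sQQHBBI",
                       b"conectix", 0x2, 0x00010000,   # cookie, features (reserved bit), version 1.0
                       0xFFFFFFFFFFFFFFFF,            # data offset: none for a fixed disk
                       int(time.time()) - VHD_EPOCH,
                       b"ddvh", 0x00010000, b"Wi2k",  # creator app (constructed tag), version, host OS
                       raw_size, raw_size,            # original and current size
                       cyl, heads, spt, 2)            # geometry, disk type 2 = fixed
    tail = os.urandom(16) + b"\x00" * 428             # unique id, saved state, reserved
    checksum = (~sum(head + tail)) & 0xFFFFFFFF       # ones' complement of byte sum, checksum field as zero
    return head + struct.pack(">I", checksum) + tail

def is_valid_fixed_vhd_footer(footer):
    """Check cookie, fixed disk type and checksum of the last sector of a candidate VHD."""
    if len(footer) != SECTOR or footer[:8] != b"conectix":
        return False
    stored = struct.unpack(">I", footer[64:68])[0]
    recomputed = (~sum(footer[:64] + footer[68:])) & 0xFFFFFFFF
    return stored == recomputed and struct.unpack(">I", footer[60:64])[0] == 2

def dd_to_fixed_vhd(path):
    """Append the footer in place; image bytes are untouched, so VHD -> DD is truncating 512 bytes."""
    size = os.path.getsize(path)
    if size % SECTOR:
        raise ValueError("raw image size is not a multiple of %d" % SECTOR)
    with open(path, "ab") as f:
        f.write(build_fixed_vhd_footer(size))
    return size + SECTOR
```

Run it on a copy of the DD image, not the evidence file, and record the hash of the raw bytes before the footer is added so the original acquisition can still be verified.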
Cults14
(@cults14)
Active Member

Apologies, I omitted to state in the questions that E01 is encrypted.

Paul206 - yes was aware of that already, suspect our posts crossed )

Jaclaz, I tried AIM with Bitlocker'd E01 but no joy - will PM you on that subject

Cheers, thanks for your input everyone

Posted : 21/04/2015 2:51 pm
Cults14
(@cults14)
Active Member

Success!!

Thanks to jaclaz for the lead and Mark Spencer @ Arsenal for the pointer to the updated dlls

To sum up, the aim of being able to mount a split E01 image of a Win 7 Enterprise SP1 physical disk protected by BitLocker was achieved

Thank you very much guys )

Peter

Posted : 22/04/2015 7:48 pm
jaclaz
(@jaclaz)
Community Legend

Success!!

Thanks to jaclaz for the lead and Mark Spencer @ Arsenal for the pointer to the updated dlls

To sum up, the aim of being able to mount a split E01 image of a Win 7 Enterprise SP1 physical disk protected by BitLocker was achieved

Thank you very much guys )

Peter

Good. )
Care to be more explicit in what is needed (and that you used successfully after your initial failure)?

jaclaz

Posted : 22/04/2015 8:28 pm
Cults14
(@cults14)
Active Member

Sure thing jaclaz

Initial failure was caused by me somehow getting hold of incorrect versions of the 64-bit dlls for my system, which is Win7 Enterprise SP1 64-bit.

The correct dlls can be found at:
https://github.com/ArsenalRecon/Arsenal-Image-Mounter/blob/master/MountTool/msvcr100.dll
https://github.com/ArsenalRecon/Arsenal-Image-Mounter/blob/master/MountTool/libewf.dll
https://github.com/ArsenalRecon/Arsenal-Image-Mounter/blob/master/MountTool/zlib.dll

Again, seems to work like a charm )

Posted : 22/04/2015 9:25 pm
jaclaz
(@jaclaz)
Community Legend

Ah, I see.
YAVODH (Yet Another Victim Of Dll Hell) 😯

jaclaz

Posted : 22/04/2015 10:25 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

Ah, I see.
YAVODH (Yet Another Victim Of Dll Hell) 😯

jaclaz

We are working on a user-focused (as opposed to developer focused) version of Arsenal Image Mounter now. It would have been done months ago but we've been buried in casework that takes priority. We know from the volume of emails about our sample application that the project has become very popular… so expect a greatly simplified Arsenal Image Mounter soon! If anyone is interested in aggressively testing pre-releases or incorporating the project in other open source DFIR projects let me ([email protected]) know.

Thanks,

Mark Spencer, President
Arsenal Consulting, Inc.
www.ArsenalExperts.com

Posted : 30/04/2015 6:07 pm