BitLocker experience  

jaclaz
(@jaclaz)
Community Legend

> We are working on a user-focused (as opposed to developer focused) version of Arsenal Image Mounter now.

Good news :), though - should you have missed it - we are ahead of you 😯.
http://reboot.pro/files/file/374-imgmount/
(though this particular GUI has not - yet - a provision for EWF).

jaclaz

Posted : 30/04/2015 8:16 pm
Koenie
(@koenie)
New Member

For a small tool I wrote, I used OSFmount to mount a .e01 evidence file.

Posted : 01/05/2015 3:26 am
Chris_Ed
(@chris_ed)
Active Member

As no-one has mentioned it yet - xmount can apparently do on-the-fly conversion of e01 to VHD. I haven't tried that specific option, but can attest that the on-the-fly e01 to DD works fine.

It requires you to use Linux or OSX though.

Posted : 01/05/2015 2:56 pm
jaclaz
(@jaclaz)
Community Legend

> For a small tool I wrote, I used OSFmount to mount a .e01 evidence file.

Not really-really. 😯
AFAIK OSFmount is derived from IMDISK, and as such it doesn't really mount the .e01, but rather a volume in it (which may make no difference for your tool or more generically for most forensics purposes), but OSFmount would allow you to access the \\.\LogicalDrive, whilst the Arsenal Image Mounter will mount the \\.\PhysicalDrive.

JFYI, there is also a way through the use of a devio proxy that allows IMDISK to do the same, making use of Joachim Metz's excellent libyal libewf.dll (i.e. avoiding discutils and .Net).
http://reboot.pro/topic/20467-use-libyal-libraries-with-devio-and-imdisk/

@Chris_Ed
Yep :), but that "on-the-fly conversion" is as well not a real "conversion", it is rather an "interpretation" as the above, i.e. the original file is never changed, it is rather "accessed as if it was" another format.
The xmount will allow mounting/accessing the "whole thing" like Arsenal Image Mounter.

jaclaz

Posted : 01/05/2015 4:59 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

> > We are working on a user-focused (as opposed to developer focused) version of Arsenal Image Mounter now.
>
> Good news :), though - should you have missed it - we are ahead of you 😯.
> http://reboot.pro/files/file/374-imgmount/
> (though this particular GUI has not - yet - a provision for EWF).
>
> jaclaz

I did miss it, so thanks for the heads up. I'm happy to see an open-source project making use of our driver. Choice is good!

Posted : 01/05/2015 6:57 pm
Adam10541
(@adam10541)
Senior Member

> Success!!
>
> Thanks to jaclaz for the lead and Mark Spencer @ Arsenal for the pointer to the updated dlls
>
> To sum up, the aim of being able to mount a split E01 image of a Win 7 Enterprise SP1 physical disk protected by BitLocker was achieved
>
> Thank you very much guys :)
>
> Peter

Cults, by this can we assume that it was Arsenal Disk Mounter that you successfully used?

Posted : 04/06/2015 9:24 am
Cults14
(@cults14)
Active Member

It sure was :)

Posted : 04/06/2015 1:59 pm
Cults14
(@cults14)
Active Member

FYI, I just re-created the scenario:

* created physical-disk single-segment DD image from off-line BitLocker-protected Win7 Enterprise SP1 32-bit system (booted system from WinFE USB stick and used FTK Imager Lite to create the image)

* also created physical-disk single-segment compressed E01 image from off-line BitLocker-protected Win7 Enterprise SP1 32-bit system (booted system from WinFE USB stick and used FTK Imager Lite to create the image)

* Mounted both in Arsenal Image Mounter using the DLLs discussed earlier - in both cases I am prompted for the BitLocker Recovery Key to match the given BitLocker ID

* Both images mounted.

Have yet to test the same with 64-bit Win7 Enterprise SP1 system

HTH

Posted : 05/06/2015 6:54 pm
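An added example, not part of any post in this thread: a read-only check that walks the partition table of a raw physical-disk (DD) image and reports which volumes carry the BitLocker boot-sector signature, which illustrates the physical-disk versus single-volume distinction discussed above. It assumes MBR partitioning and 512-byte sectors; the function names and the sample disk are constructed for illustration.

```python
import io
import struct

SECTOR = 512                    # assumption: 512-byte sectors
BITLOCKER_OEM = b"-FVE-FS-"     # OEM ID at offset 3 of a BitLocker volume boot sector
NTFS_OEM = b"NTFS    "          # OEM ID of a plain NTFS volume

def parse_mbr(sector0):
    """Return (index, type, start_lba, sector_count) for each used primary partition."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA MBR signature")
    parts = []
    for i in range(4):
        ptype = sector0[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", sector0, 446 + 16 * i + 8)
        if ptype and count:
            parts.append((i, ptype, start, count))
    return parts

def classify_volumes(image):
    """image: seekable binary file over a raw physical-disk image (opened read-only)."""
    image.seek(0)
    found = []
    for idx, ptype, start, count in parse_mbr(image.read(SECTOR)):
        image.seek(start * SECTOR)
        oem = image.read(SECTOR)[3:11]
        kind = {BITLOCKER_OEM: "bitlocker", NTFS_OEM: "ntfs"}.get(oem, "unknown")
        found.append({"index": idx, "start_lba": start, "sectors": count, "kind": kind})
    return found

def build_sample_disk():
    """Constructed 24-sector disk: small NTFS boot partition, then a BitLocker volume."""
    disk = bytearray(SECTOR * 24)
    for i, (start, count) in enumerate([(8, 8), (16, 8)]):
        struct.pack_into("<B3xB3xII", disk, 446 + 16 * i, 0x80 if i == 0 else 0, 0x07, start, count)
    disk[510:512] = b"\x55\xaa"
    disk[8 * SECTOR + 3:8 * SECTOR + 11] = NTFS_OEM
    disk[16 * SECTOR + 3:16 * SECTOR + 11] = BITLOCKER_OEM
    return io.BytesIO(bytes(disk))

if __name__ == "__main__":
    for vol in classify_volumes(build_sample_disk()):
        print(vol)
```

For a real image, pass `open(path, "rb")` on the DD file to `classify_volumes`; an E01 has to be exposed as raw bytes first, since the script does not read the EWF container itself.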