Bitlocker Image  

Adam10541
(@adam10541)
Senior Member

I have a problem I'm hoping someone here can assist with.

Background: another firm initially started this job and, as part of the job, took an image of a hard drive that had BitLocker encryption enabled. They used a TD3 machine to acquire the whole-disk image and were given the BitLocker key by IT.

The laptop was at some stage after this accidentally formatted and the OS reinstalled.

The laptop then made its way to me. I acquired a logical image with the encryption unlocked, allowing the file structure to be viewed, but due to the reinstall most of the data referred to in the previous firm's report is non-existent.

I'm trying to verify some of the work undertaken and get deleted files etc. from this earlier stage.

Has anyone had any success in accessing an image taken in this fashion? I have had no luck in getting any software to prompt for the BitLocker key to unlock it; they all just show unknown file system or unallocated space.

Edit: I may have a solution. It appears they have also taken an unencrypted image using EnCase and stored it as a Logical Evidence File. I can mount that with EnCase Imager and Mount Image Pro and see the file structure of the computer, and it appears to include unallocated space… I'm reimaging with X-Ways to E01 format and will see what I end up with.

Posted : 03/06/2015 11:15 am
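A quick check that explains the "unknown file system" symptom in the post above, added here as an example and not code from anyone in this thread: a BitLocker-encrypted NTFS volume replaces the "NTFS    " OEM ID at offset 3 of its first sector with "-FVE-FS-", and Windows 7 and later also write a BitLocker identifier GUID at offset 160 (as documented in libbde's format notes). A tool with no BitLocker support therefore sees no recognisable file system. The script below parses the MBR partition table of a raw (dd) image, reads the first sector of each partition and labels it. It assumes a raw, MBR-partitioned image (E01/Ex01 converted to raw first; GPT disks are not parsed) and uses a constructed in-memory sample image so it runs without any evidence file.

```python
"""Label each MBR partition of a raw disk image as BitLocker, NTFS or other.

Added example, not code from the thread. Only the volume header is read;
nothing is decrypted, so this is safe to run against a read-only image.
"""
import struct
import uuid

SECTOR = 512
FVE_OEM_ID = b"-FVE-FS-"   # OEM ID of a BitLocker-encrypted NTFS volume
NTFS_OEM_ID = b"NTFS    "  # OEM ID of a plain NTFS volume
# Windows 7+ BitLocker volume identifier stored at offset 160 of the volume
# header (value taken from libbde's BDE format documentation).
BITLOCKER_WIN7_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")


def classify_volume_header(sector: bytes) -> str:
    """Return a label for one volume boot sector."""
    if len(sector) < SECTOR:
        raise ValueError("expected at least one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        return "no boot signature (unallocated or unknown)"
    oem_id = sector[3:11]
    if oem_id == FVE_OEM_ID:
        guid = uuid.UUID(bytes_le=sector[160:176])
        if guid == BITLOCKER_WIN7_GUID:
            return "bitlocker (Windows 7+ identifier)"
        return "bitlocker (-FVE-FS- signature)"
    if oem_id == NTFS_OEM_ID:
        return "ntfs (unencrypted)"
    return f"other filesystem (OEM ID {oem_id!r})"


def mbr_partitions(mbr: bytes):
    """Yield (start_byte, length_bytes, type) for each used MBR entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                      # partition type byte
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and lba_count:
            yield lba_start * SECTOR, lba_count * SECTOR, ptype


def classify_image(read_at):
    """read_at(offset, size) -> bytes. Returns [(partition_offset, label), ...]."""
    results = []
    for start, _length, _ptype in mbr_partitions(read_at(0, SECTOR)):
        results.append((start, classify_volume_header(read_at(start, SECTOR))))
    return results


def classify_image_file(path: str):
    """Convenience wrapper for a raw image on disk."""
    with open(path, "rb") as f:
        def read_at(offset, size):
            f.seek(offset)
            return f.read(size)
        return classify_image(read_at)


def build_sample_image() -> bytes:
    """Constructed sample: MBR with a plain NTFS partition at LBA 2 and a
    BitLocker partition at LBA 4 (both two sectors long)."""
    img = bytearray(8 * SECTOR)

    def entry(lba_start, lba_count, ptype=0x07):
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        return (b"\x00" + b"\x00\x00\x00" + bytes([ptype]) + b"\x00\x00\x00"
                + struct.pack("<II", lba_start, lba_count))

    img[446:462] = entry(2, 2)
    img[462:478] = entry(4, 2)
    img[510:512] = b"\x55\xaa"
    p1 = 2 * SECTOR                                  # plain NTFS header
    img[p1 + 3:p1 + 11] = NTFS_OEM_ID
    img[p1 + 510:p1 + 512] = b"\x55\xaa"
    p2 = 4 * SECTOR                                  # BitLocker header
    img[p2 + 3:p2 + 11] = FVE_OEM_ID
    img[p2 + 160:p2 + 176] = BITLOCKER_WIN7_GUID.bytes_le
    img[p2 + 510:p2 + 512] = b"\x55\xaa"
    return bytes(img)


def classify_sample():
    data = build_sample_image()
    return classify_image(lambda off, n: data[off:off + n])


if __name__ == "__main__":
    for offset, label in classify_sample():
        print(f"volume at byte offset {offset}: {label}")
```

On a real image call classify_image_file("image.dd"); a result of "bitlocker" for the partition in question confirms the image is intact and encrypted rather than corrupt, and that it needs a tool with BitLocker support (or the recovery key) rather than a different carver.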
kbertens
(@kbertens)
Member

I tried it recently, and if you use the physical image with EnCase, it detects BitLocker and asks for the key.
The other solution is to mount the physical image and use Windows to unlock the disk with the normal BitLocker features.

Posted : 03/06/2015 7:09 pm
TuckerHST
(@tuckerhst)
Active Member

Edit I may have a solution, it appears they have also taken an unencrypted image using EnCase and stored it as a Logical Evidence File. I can mount that with EnCase imager and Mount Image Pro and see the file structure of the computer and it appears to include unallocated space…I'm reimaging with Xways to E01 format and will see what I end up with.

Interestingly, that's similar to what I was going to recommend in another recent thread about converting an AD1 to an E01, namely, mount and image with X-Ways.

I haven't used EnCase for a while, so correct me if I'm wrong, but it seems to me that a Logical Evidence file (LX01) does not contain unallocated space, by definition. Please keep us updated.

Posted : 03/06/2015 9:46 pm
jaclaz
(@jaclaz)
Community Legend

Am I missing something? 😯

Do you actually have the image originally taken through the TD3?
If yes, in which format is it?

Have you already checked this thread?
http://www.forensicfocus.com/Forums/viewtopic/t=12904/

Don't the tools mentioned there apply to your case?

jaclaz

Posted : 03/06/2015 11:55 pm
Adam10541
(@adam10541)
Senior Member

Jaclaz, I hadn't actually seen that thread, but that was suggested to me by a former colleague, so I'm going to try that today.

Tucker, I didn't think it would either, but on mounting the evidence files I can clearly see 80GB of unused space, and the hex view shows that it's not all 00. Of course it could just be random data, but I will let you know.

Edit: Arsenal didn't work for me even after adding the correct .dll files as Cults linked. I get an error trying to use the 'mount with libewf' option: "System exception, error opening image files".

I'm converting the Ex01 image file to a DD now to try the VHD option as described earlier in the thread.

Edit again: Tucker, it would appear that however they created the logical evidence file, it included the unallocated space. Like you, it's been a while since I used EnCase; perhaps it's possible to select unallocated space along with everything else and add it to the file, much the same way you could with an X-Ways evidence container. In any case the data carve has found 400k deleted files thus far and is nearly complete.

Just in case, though, I have converted the Ex01 to DD, then to VHD, and mounted that using the method Jaclaz linked to, and I also have that mounted and ready to go. I'll image that with X-Ways and compare the findings with the EnCase evidence file I'm currently working with.

As always thanks for the help gents, got me out of a tight spot.

Posted : 04/06/2015 8:50 am
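The "not all 00, but could just be random data" question in the post above is worth settling before carving, so here is an added example (my own code, not anything posted in this thread) that profiles a region of a raw image chunk by chunk: zero-filled chunks mean wiped or never-written space, chunks with entropy close to 8 bits per byte look like ciphertext, compressed data or random fill (what you would expect if the region were still encrypted or had been wiped with random data), and anything else is structured data that a carver can actually work with. It assumes a raw (dd) image and a byte offset and length for the unallocated region, and runs here on a constructed in-memory sample.

```python
"""Profile an unallocated region of a raw disk image as zero-filled,
high-entropy or structured, chunk by chunk.

Added example, not code from the thread. read_at(offset, size) abstracts
the image so the same logic works on a file or an in-memory sample.
"""
import math
import random
from collections import Counter

CHUNK = 4096        # 4 KiB chunks, the default NTFS cluster size
HIGH_ENTROPY = 7.5  # bits per byte; random or encrypted data sits near 8.0


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, ~8.0 for random bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def profile_region(read_at, start: int, length: int, chunk: int = CHUNK) -> dict:
    """Count the chunks in [start, start + length) by kind.

    zero_filled:  every byte is 0x00 (wiped or never written)
    high_entropy: entropy >= HIGH_ENTROPY (ciphertext, compressed data, random fill)
    structured:   anything else (plaintext, file system metadata, carvable content)
    """
    stats = {"chunks": 0, "zero_filled": 0, "high_entropy": 0, "structured": 0}
    offset, end = start, start + length
    while offset < end:
        data = read_at(offset, min(chunk, end - offset))
        if not data:            # short read: the image ended before the region did
            break
        stats["chunks"] += 1
        if not any(data):
            stats["zero_filled"] += 1
        elif chunk_entropy(data) >= HIGH_ENTROPY:
            stats["high_entropy"] += 1
        else:
            stats["structured"] += 1
        offset += len(data)
    return stats


def profile_file(path: str, start: int, length: int) -> dict:
    """Run profile_region over a raw (dd) image on disk."""
    with open(path, "rb") as f:
        def read_at(offset, size):
            f.seek(offset)
            return f.read(size)
        return profile_region(read_at, start, length)


def build_sample_region() -> bytes:
    """Constructed sample: two zero chunks, one pseudo-random chunk (fixed seed,
    so the result is repeatable), one chunk of repeated plaintext, one zero chunk."""
    rng = random.Random(1234)
    text = (b"Invoice 2015-06-03 amount 400.00\r\n" * 200)[:CHUNK].ljust(CHUNK, b" ")
    return bytes(CHUNK) * 2 + rng.randbytes(CHUNK) + text + bytes(CHUNK)


def profile_sample() -> dict:
    data = build_sample_region()
    return profile_region(lambda off, n: data[off:off + n], 0, len(data))


if __name__ == "__main__":
    print(profile_sample())
```

On a real image, profile_file("image.dd", region_start, region_length) gives the three counts; a region that is mostly high_entropy is a sign that the copy you are carving was taken without the key (or was randomly wiped), while a healthy share of structured chunks is what backs a carve result like the 400k files mentioned above.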
jaclaz
(@jaclaz)
Community Legend

Edit Arsenal didn't work for me even after adding the correct .dll files as Cults linked. I get an error trying to use the 'mount with libewf' option, "System exception, error opening image files".

This could be (another) form of mis-installation of the package; if this is the case, you should report the issue (with details) to Mark Spencer over at Arsenal.

It could also be the particular format of the files you have; a couple of EWF formats are not (yet) supported by libewf:
https://github.com/libyal/libewf
If your files are not in one of the non-supported formats, you may want to contact Joachim (Metz) through the forum or the above project page.

jaclaz

Posted : 04/06/2015 4:06 pm