Good Morning fellow forensicators!
I work in a corporate environment where BitLocker is used for encryption and the keys are managed by Sophos. When I have to examine an endpoint I can attach the suspect drive to a forensic workstation (write blocked) and I am prompted for the BitLocker key. I enter the key that was obtained from Sophos and the logical OS drive opens and everything is good. I can image the logical drive and then process.
If I were to image the full physical drive and process the image in tools such as FTK Enterprise or Axiom, I am prompted to enter the recovery key for the encrypted partition. You would think the recovery key would unlock the drive and then you can process as normal. Wrong! There is an error with the key that states the BitLocker key is invalid.
The question is: why does it work natively in Windows to open the drive, but not within the forensic applications? A side issue/question relating to this is that I am having some trouble processing the drive and thought that it might have something to do with only acquiring the logical partition. I am doing some troubleshooting and trying to process with the full physical disk (and then unlock the partition during processing).
Anyone have any thoughts or suggestions?
Hi, could it be that the forensic solution is (quite a bit) outdated and doesn't support Bitlocker in XTS mode (i.e. CBC/Elephant only)? To rule out any imaging issues, did you mount the physical image in Windows to try the recovery key?
I was able to mount the full disk image with Arsenal Image Mounter and successfully unlock the drive showing the OS partition.
could it be that the forensic solution is (quite a bit) outdated and doesn't support Bitlocker in XTS mode
I am using Magnet Axiom (latest version available). I also tried Accessdata Enterprise with a fairly recent version. As I mentioned in an earlier reply, I was able to mount the image using Arsenal Image Mounter with no issue.
Thanks for your input.
I found this post informative.
Thank you.
Hi,
The issue you are describing is due to the differences between the logical and the physical images when using bitlocker.
When a BitLocker drive is attached to a machine, the logical data is decrypted, whereas the physical disk is still encrypted.
By acquiring a full image of the logical drive (i.e. e:\) you will get the equivalent of a whole disk image for that partition.
Unfortunately the terms logical and physical images have been corrupted so much by the mobile phone world that it's hard to use them in an explanation.
TLDR; logical image of mounted drive is what you need.
You can pull an unencrypted image from a mounted and unlocked Bitlocker partition by accessing it through the Bitlocker filter driver (also addressed as "logical" disk access, e.g. in X-Ways). But the features to process Bitlocker images in forensic software exist to avoid this.
On the other hand, they should not depend on taking an encrypted "physical" image of just the partition (vs. the entire disk), but I don't have the products to test it. The fact that they recognize the Bitlocker partition on the entire disk image also indicates that they could theoretically handle the situation. I think only the vendors of these products can shed some light on how they process Bitlocker volumes. Maybe Sophos alters a Bitlocker metadata region and Windows falls back to another one, while the forensic product doesn't. You could work through unofficial Bitlocker specs like these and look for anything unexpected: https://github.com/libyal/libbde/blob/main/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc
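The metadata cross-check suggested above, as an added example (not code from this thread, from libbde or from any of the vendors): it reads the Windows 7+ BitLocker volume header of a raw partition image, follows the three FVE metadata block offsets it points to, and reports any copy whose signature, header version, offset table, dataset GUID or encryption method disagrees with the others. The field offsets follow the libbde format notes linked above; the sample image it parses is constructed inline and is not a real disk, and the GUIDs, sizes and datum entries in it are placeholders chosen for the example.

```python
"""Cross-check the three BitLocker FVE metadata copies in a raw partition image.

Field layout per the libbde format notes; the sample image is constructed here."""
import struct
import uuid

FVE_SIGNATURE = b"-FVE-FS-"
ENCRYPTION_METHODS = {                 # dataset "encryption method" identifiers
    0x8000: "AES-CBC 128 + Elephant diffuser", 0x8001: "AES-CBC 256 + Elephant diffuser",
    0x8002: "AES-CBC 128", 0x8003: "AES-CBC 256",
    0x8004: "AES-XTS 128", 0x8005: "AES-XTS 256",
}
ENTRY_TYPES = {0x0002: "VMK", 0x0003: "FVEK", 0x0004: "validation",
               0x0006: "startup key", 0x0007: "description", 0x000F: "volume header block"}


def parse_volume_header(image):
    """Sector 0 of the partition: signature at 3, BitLocker identifier GUID at 0xA0,
    three little-endian uint64 FVE metadata block offsets at 0xB0/0xB8/0xC0."""
    if image[3:11] != FVE_SIGNATURE:
        raise ValueError("no -FVE-FS- signature: not a Windows 7+ BitLocker volume")
    return {"guid": str(uuid.UUID(bytes_le=image[0xA0:0xB0])),
            "metadata_offsets": struct.unpack_from("<3Q", image, 0xB0)}


def parse_metadata_block(image, offset):
    """64-byte FVE metadata block header, then the 0x30-byte dataset header, then
    datum entries (uint16 size, entry type, value type, version, data)."""
    hdr = image[offset:offset + 64]
    block = {"offset": offset, "signature_ok": hdr[:8] == FVE_SIGNATURE}
    block["version"] = struct.unpack_from("<H", hdr, 10)[0]
    block["encrypted_volume_size"] = struct.unpack_from("<Q", hdr, 16)[0]
    block["metadata_offsets"] = struct.unpack_from("<3Q", hdr, 32)
    block["volume_header_offset"] = struct.unpack_from("<Q", hdr, 56)[0]
    ds = offset + 64
    ds_size, _unknown, ds_header_size = struct.unpack_from("<3I", image, ds)
    block["dataset_guid"] = str(uuid.UUID(bytes_le=image[ds + 0x10:ds + 0x20]))
    method = struct.unpack_from("<H", image, ds + 0x24)[0]
    block["encryption_method"] = method
    block["encryption_method_name"] = ENCRYPTION_METHODS.get(method, "unknown 0x%04x" % method)
    entries, pos, end = [], ds + ds_header_size, ds + ds_size
    while pos + 8 <= end:
        size, entry_type, value_type, _version = struct.unpack_from("<4H", image, pos)
        if size < 8:
            break                      # a zero or truncated size would loop forever
        entries.append((ENTRY_TYPES.get(entry_type, "0x%04x" % entry_type), value_type))
        pos += size
    block["entries"] = entries
    return block


def check_metadata_copies(image):
    """Return (volume_header, blocks, findings); empty findings means all copies agree."""
    vh = parse_volume_header(image)
    blocks = [parse_metadata_block(image, off) for off in vh["metadata_offsets"]]
    findings = []
    for i, b in enumerate(blocks, 1):
        if not b["signature_ok"]:
            findings.append("copy %d at 0x%x: bad signature" % (i, b["offset"]))
            continue
        if b["version"] != 2:
            findings.append("copy %d: unexpected header version %d" % (i, b["version"]))
        if tuple(b["metadata_offsets"]) != tuple(vh["metadata_offsets"]):
            findings.append("copy %d: metadata offsets disagree with volume header" % i)
    good = [b for b in blocks if b["signature_ok"]]
    for key in ("dataset_guid", "encryption_method", "encrypted_volume_size"):
        if len({str(b[key]) for b in good}) > 1:
            findings.append("copies disagree on %s" % key)
    return vh, blocks, findings


def build_sample_image(damage_copy=None):
    """Constructed 16 KiB test image with copies at 0x1000/0x2000/0x3000 (real volumes
    place them far later). damage_copy=N zeroes copy N's signature to simulate an
    altered or unwritten region. GUIDs and sizes below are placeholders."""
    offsets = (0x1000, 0x2000, 0x3000)
    ident = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")    # Windows 7+ identifier
    ds_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder dataset GUID
    entries = struct.pack("<4H", 16, 0x0007, 0x0002, 1) + "DESK".encode("utf-16-le")
    entries += struct.pack("<4H", 40, 0x0002, 0x0008, 1) + bytes(32)
    ds_size = 0x30 + len(entries)
    dataset = (struct.pack("<4I", ds_size, 1, 0x30, ds_size) + ds_guid.bytes_le
               + struct.pack("<IHHQ", 3, 0x8004, 0, 0) + entries)
    block = (FVE_SIGNATURE + struct.pack("<4H", 0x30, 2, 4, 4)
             + struct.pack("<QIIQQQQ", 64 * 1024 ** 2, 0, 8, *offsets, 0x4000) + dataset)
    image = bytearray(0x4000)
    image[0:3], image[3:11] = b"\xeb\x58\x90", FVE_SIGNATURE
    image[0xA0:0xB0] = ident.bytes_le
    struct.pack_into("<3Q", image, 0xB0, *offsets)
    for n, off in enumerate(offsets, 1):
        image[off:off + len(block)] = block
        if n == damage_copy:
            image[off:off + 8] = bytes(8)
    return bytes(image)


if __name__ == "__main__":
    for dmg in (None, 3):
        vh, blocks, findings = check_metadata_copies(build_sample_image(damage_copy=dmg))
        print(vh["guid"], blocks[0]["encryption_method_name"], findings or "all copies agree")
```

To run it against a real acquisition, pass the bytes of the BitLocker partition (not the whole disk: the volume header is at the partition's first sector) to check_metadata_copies; on a physical image that means seeking to the partition start first. A copy that fails the signature check, or an encryption method the tool version does not know, is exactly the kind of difference between what Windows tolerates and what a forensic suite rejects that the post above speculates about.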
I had a similar experience last year. I created a physical image with a TX1 using the EX01 format. That resulted in an error with Magnet AXIOM when processing the BitLocker partition. Like you, I was able to use AIM to mount the EX01 image, using the recovery key to mount it.
Using an E01 format with the TX1, AXIOM is able to decrypt the physical image and unlock the partition with the recovery key.