
Bitlocker Recovery Unlock

(@olifer)
Posts: 63
Trusted Member
Topic starter
 

I have a forensic image (E01) of a Microsoft Surface Tablet that is BitLocker encrypted. I have the BitLocker recovery key but don't have the TPM password. How can I unlock it with EnCase or similar with the recovery key?

 
Posted : 01/06/2017 6:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have a forensic image (E01) of a Microsoft Surface Tablet that is BitLocker encrypted. I have the BitLocker recovery key but don't have the TPM password. How can I unlock it with EnCase or similar with the recovery key?

Check if this applies
https://www.forensicfocus.com/Forums/viewtopic/t=15440/

jaclaz

 
Posted : 01/06/2017 9:53 pm
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

Not really. The member "rhickman" noted that he/she would have to use FTK or EnCase to get into the encrypted data but didn't explain how.

 
Posted : 01/06/2017 9:59 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not really. The member "rhickman" noted that he/she would have to use FTK or EnCase to get into the encrypted data but didn't explain how.

I was referring more to

I did a few of these recently and had success with the following method

Use the recovery password to decrypt the physical image you took with Caine (FTK for example will simply ask you for the recovery key when you add the image in).

This has generally worked well for me, also means you get an "untouched" image as opposed to having to image it live.

Failing that, as minime points out, select the drive letter and not the whole disk with FTK Imager.

Cannot say if this works or not.

jaclaz

 
Posted : 01/06/2017 10:05 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

If you have the recovery key you won't need the TPM password.

 
Posted : 01/06/2017 11:32 pm
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

So I have the recovery key that I obtained from the owner which was emailed to me as text. Using EnCase, when I add the E01s to the case and let it verify, it all appears as Unallocated which I was expecting. I go to open the evidence and it prompts me for the BitLocker Credentials but doesn't have a place for me to enter them.

 
Posted : 02/06/2017 12:36 am
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

Update

Using EnCase, I mounted the encrypted volume using the Physical Disk Emulator. Windows immediately knew that it was a BitLocker encrypted volume and prompted me to enter the "Recovery Key" which I have. When I entered the recovery key, it's now telling me that I have the wrong key and that I need to type it again. I know the key is correct because I took a screen capture of it while the owner was logged into their Microsoft Account. This leads me to wonder whether or not I imaged the correct volume. In an earlier post related to this topic, the user said to image the partition and not the physical device. Is that perhaps where the problem is now at?

Thanks for all of your help.

 
Posted : 02/06/2017 1:23 am
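Added example, not part of any post in this thread: two offline sanity checks for the situation described above, one for transcription errors in a recovery password and one for whether a raw image is a whole disk or a single BitLocker volume. It assumes a raw (dd-style) copy rather than the E01 container, relies on the documented properties that each six-digit group is a multiple of 11 with a 16-bit quotient and that a BitLocker volume boot sector carries `-FVE-FS-` at offset 3; the sample password and disk bytes are constructed.

```python
FVE_SIGNATURE = b"-FVE-FS-"  # OEM ID field (offset 3) of a BitLocker volume boot sector

def check_recovery_password(text):
    """Return a list of format problems in a 48-digit recovery password."""
    groups = text.strip().split("-")
    if len(groups) != 8:
        return [f"expected 8 groups, found {len(groups)}"]
    problems = []
    for i, g in enumerate(groups, 1):
        if len(g) != 6 or not (g.isascii() and g.isdigit()):
            problems.append(f"group {i}: not six digits")
        elif int(g) % 11 != 0:
            problems.append(f"group {i}: not divisible by 11 (likely mistyped)")
        elif int(g) // 11 > 0xFFFF:
            problems.append(f"group {i}: out of range")
    return problems

def find_bitlocker_volumes(image, sector_size=512):
    """Return byte offsets of sectors in a raw image that look like a
    BitLocker volume boot sector. [0] means the image is the volume itself;
    a non-zero offset means a whole-disk image with the volume starting there."""
    hits = []
    for off in range(0, len(image) - sector_size + 1, sector_size):
        if image[off + 3:off + 11] == FVE_SIGNATURE:
            hits.append(off)
    return hits

# Constructed sample data (not from any real device).
SAMPLE_PASSWORD = "013574-062458-047531-660000-000011-720885-024442-109989"
_boot = b"\xeb\x58\x90" + FVE_SIGNATURE + bytes(512 - 11)
SAMPLE_DISK = bytes(1024) + _boot + bytes(512)  # volume starts at sector 2

if __name__ == "__main__":
    print("password problems:", check_recovery_password(SAMPLE_PASSWORD))
    print("volume offsets:", find_bitlocker_volumes(SAMPLE_DISK))
```

A password that passes these checks is only well-formed; whether it matches a protector on the volume is still what `manage-bde -protectors -get` has to show.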
(@c-r-s)
Posts: 170
Estimable Member
 

What does "manage-bde -protectors -get Driveletter" say?

With manage-bde you can also specify one of the protectors to unlock the drive, in case the Recovery Key in your hands is a valid protector but overruled for the manual input by a later recovery protector.

 
Posted : 02/06/2017 2:44 am
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

When I check the bde status, it tells me that the size of the volume is unknown, "The parameter is incorrect", and throws up an Error as well on that volume.

 
Posted : 02/06/2017 2:59 am
(@c-r-s)
Posts: 170
Estimable Member
 

Maybe the BDE filter driver has problems with the physical disk emulator. Can you dd the image to a physical disk or VHD?

 
Posted : 02/06/2017 4:08 am