BitLocker/TPM and E...
 
Notifications
Clear all

BitLocker/TPM and EnCase

5 Posts
5 Users
0 Reactions
5,472 Views
(@mazren79)
New Member
Joined: 4 years ago
Posts: 1
Topic starter  

Hello, 

I'm relatively new to forensics and I've run into an issue with an E01 image that contains BitLocker and came from a computer with TPM installed.  We took a full physical image and we have the BitLocker password ID and corresponding password.  After adding and validating the image, I'm prompted (in Encase 21.1) to add BitLocker's password.  When I add the correct password and click OK I'm again prompted to in put the password.  This occurs over and over again.  I cannot seem to get EnCase to get past the encryption.  I believe it may have something to do with the TPM, but I'm not sure.  I also do not have ready access to the device we imaged. 

Does anyone here have any advice (aside from obtaining the device and reacquiring an unencrypted image (we're working on it)) to get past this issue?  Aside from EnCase, is there another tool you would suggest to accomplish a forensic exam that could decrypt the image with the correct recovery password? 

Any help would be apricated.


   
Quote
kastajamah
(@kastajamah)
Estimable Member
Joined: 7 years ago
Posts: 113
 

I have had a similar issue.  After clicking OK, if you are prompted for it again, click Cancel and see if it will parse the image.  I know this sounds backward, but with a different disk encryption scheme, I have seen this work.


   
ReplyQuote
AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 174
 

I'd recommend Arsenal Image Mounter.  Which you can download from here.

I use the free version.  Mount the image read only.  Windows should prompt you to input the recovery key.  Input the recovery key, then create a new e01 of the partition it now mounts.


   
ReplyQuote
(@hommy0)
Trusted Member
Joined: 14 years ago
Posts: 98
 

Hi,

If the recovery password is not working via EnCase; you could try as an alternative cancelling, when EnCase prompts for the recovery password.

EnCase should then present the device.  

From the right click contextual menu, choose

Device -> Share -> Mount as Emulated Disk - when you mount enable caching and create the differential file (D01)

this will mount the evidence file in windows, and should allow you to unlock the bitlocker volumes - using the credentials that you have.

If windows unlocks the bitlocker volume, add this to EnCase and acquire in its decrypted state.

 

I would also suggest raising this with opentext MySupport

 

Regards


   
ReplyQuote
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 
Posted by: @amne5ia

I'd recommend Arsenal Image Mounter.  Which you can download from here.

I use the free version.  Mount the image read only.  Windows should prompt you to input the recovery key.  Input the recovery key, then create a new e01 of the partition it now mounts.

^ This, easiest way of dealing with bitlocker in general. Normally create a decrypted image afterwards


   
ReplyQuote
Share: