EnCase Bitlocker  

jmrose
(@jmrose)
New Member

Hello,

I am trying to image a hard drive with BitLocker enabled on it. I am using EnCase V7.07. The drive itself has Windows 7 Enterprise OS on it.

I have the BitLocker Recovery Key for the hard drive, but EnCase only imports BEK files.

Is there a way to create my own BEK file and throw in the Recovery key I have? I have tried Google and have had no luck finding an answer. Thank you.

Posted : 20/02/2014 2:04 am
jhup
(@jhup)
Community Legend

You could slave through a write-blocker the target drive to a workstation. The workstation needs to have BitLocker enabled, and of course your preferred imaging tool. As soon as you attach the target drive, it will ask for the key and make it readily available for imaging.

You can image the encrypted drive and get a physical, then image the drive through the OS and get a logical.

Finally, take a copy of the physical encrypted image, convert it to VHD and decrypt it.

You will end up with three images, the physical encrypted, the physical decrypted and the logical decrypted. Your logical image is really just to prove that the decrypted physical is matching at logical file level.

Have fun.

Posted : 23/02/2014 8:58 am
hommy0
(@hommy0)
Member

EnCase does support the use of the BitLocker Recovery Key.

When loading the piece of evidence you will be prompted to enter the BitLocker credentials.

In the dialog that pops up you have the option to provide the recovery key (which is the BEK) and a recovery password.

If you select "Recovery Password" that will allow you to enter the 48 character recovery key. Also select the correct "Password ID" (the one that matches the recovery key identification in the text file containing your recovery key).

Entering this material will allow EnCase to decrypt your BitLocker volume.

Posted : 24/02/2014 8:32 pm
vootz
(@vootz)
Junior Member

One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on a 32-bit platform.

Posted : 24/02/2014 8:46 pm
hommy0
(@hommy0)
Member

I use EnCase 7.09.02 64-bit to decrypt BitLocker.

A very quick scan of the V7 manual and there are some references to 32-bit, namely relating to McAfee, SafeBoot, and WinMagic.

Posted : 24/02/2014 9:13 pm
vootz
(@vootz)
Junior Member

Thanks Hommy0 - good to know!

Posted : 24/02/2014 9:38 pm
jmrose
(@jmrose)
New Member

I write-blocked the drive and EnCase prompted me for a BitLocker recovery key. EnCase did not take the key at first, because it had trailing white space. Thanks everyone for the suggestions and comments.

Posted : 28/02/2014 12:22 am
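
The trailing-whitespace rejection described in the post above can be caught before the key is typed into any tool. The following is an added example, not part of the original thread and not EnCase code: it normalizes a pasted recovery password and checks it against the BitLocker recovery password format (eight groups of six digits, each a multiple of 11 with a quotient that fits in 16 bits). The function names and the sample value are assumptions constructed for illustration.

```python
import re

# Constructed sample value, not a real key: every group is a multiple of 11.
SAMPLE = "110000-220000-135795-597531-720885-000011-440000-366663"

# Invisible characters and dash look-alikes that commonly survive copy/paste.
_INVISIBLE = dict.fromkeys(map(ord, "\ufeff\u200b\u200e\u200f"), None)
_DASHES = re.compile(r"[\u2010-\u2015\u2212]")


def normalize_recovery_password(raw: str) -> str:
    """Return the password as eight hyphen-separated groups where possible."""
    text = _DASHES.sub("-", raw.translate(_INVISIBLE)).strip()
    if re.fullmatch(r"[0-9]{48}", text):  # pasted without separators
        return "-".join(text[i:i + 6] for i in range(0, 48, 6))
    return "-".join(p for p in re.split(r"[\s-]+", text) if p)


def check_recovery_password(raw: str):
    """Return (normalized, problems); an empty problems list means well-formed."""
    normalized = normalize_recovery_password(raw)
    groups = normalized.split("-") if normalized else []
    problems = []
    if len(groups) != 8:
        problems.append(f"expected 8 groups, found {len(groups)}")
    for n, group in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{6}", group):
            problems.append(f"group {n}: not six digits")
        elif int(group) % 11:
            problems.append(f"group {n}: not a multiple of 11 (probable typo)")
        elif int(group) // 11 > 0xFFFF:
            problems.append(f"group {n}: value out of range")
    return normalized, problems


if __name__ == "__main__":
    # Report findings by group number only; never echo the key into logs.
    for label, value in [("trailing whitespace", SAMPLE + " \t\r\n"),
                         ("non-breaking space", SAMPLE + "\u00a0"),
                         ("mistyped digit", SAMPLE.replace("135795", "135796"))]:
        _, problems = check_recovery_password(value)
        print(label, "->", problems or "well-formed")
```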
Armycop
(@armycop)
New Member

> One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on a 32-bit platform.

This isn't true; I've been running EnCase 64-bit since v7.01 and successfully decrypted BitLocker'd hard drives. Currently running EnCase v7.08.1 on my 64-bit workstation, with success.

Posted : 05/03/2014 12:14 am
vootz
(@vootz)
Junior Member

Thanks. This is still the case for McAfee, SafeBoot, and WinMagic, and some other encryption. Others have verified it is not the case for BitLocker.

Posted : 05/03/2014 1:05 am