Hello,
I am trying to image a hard drive with BitLocker enabled on it. I am using EnCase V7.07. The drive itself has Windows 7 Enterprise OS on it.
I have the BitLocker Recovery Key for the hard drive, but EnCase only imports BEK files.
Is there a way to create my own BEK file and throw in the Recovery key I have? I have tried Google and have had no luck finding an answer. Thank you.
You could slave through a write-blocker the target drive to a workstation. The workstation needs to have BitLocker enabled, and of course your preferred imaging tool. As soon as you attach the target drive, it will ask for the key and make it readily available for imaging.
You can image the encrypted drive and get a physical, then image the drive through the OS and get a logical.
Finally, take a copy of the physical encrypted image, convert it to VHD and decrypt it.
You will end up with three images, the physical encrypted, the physical decrypted and the logical decrypted. Your logical image is really just to prove that the decrypted physical is matching at logical file level.
Have fun.
EnCase does support the use of the BitLocker Recovery Key.
When loading the piece of evidence you will be prompted to enter the BitLocker credentials.
In the dialog that pops up you have the option to provide the recovery key (which is the BEK) and a recovery password.
If you select "Recovery Password" that will allow you to enter the 48-character recovery key. Also select the correct "Password ID" (the one that matches the recovery key identification in the text file containing your recovery key).
Entering this material will allow EnCase to decrypt your BitLocker volume.
One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on 32-bit platform.
I use EnCase 7.09.02 64-bit to decrypt BitLocker.
A very quick scan of the V7 manual and there are some references to 32-bit, namely relating to McAfee, SafeBoot, and WinMagic.
Thanks Hommy0 - good to know!
I write-blocked the drive and EnCase prompted me for a BitLocker recovery key. EnCase did not take the key at first, because it had trailing white space. Thanks everyone for the suggestions and comments.
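The trailing white space problem reported above can be caught before the value reaches the decryption prompt. The following is an added example, not part of the original thread and not EnCase functionality: it cleans a pasted 48-digit recovery password and checks the standard BitLocker layout of 8 groups of 6 digits, each divisible by 11. The function name is hypothetical and the sample value is constructed, not a real key.

```python
import re

# Constructed sample, not a real key: each group is 11 * (a 16-bit value).
SAMPLE = "011000-022000-135795-597531-720885-000011-330000-046662"

# Whitespace (\s covers CR/LF, tab, non-breaking space), zero-width characters
# and the dash variants that editors and mail clients substitute for "-".
_SEPARATORS = re.compile(r"[\s\u200b\ufeff\-\u2010-\u2015\u2212]")


def normalize_recovery_password(raw: str) -> str:
    """Return the password as 8 hyphen-separated 6-digit groups.

    Raises ValueError naming the problem, so a bad copy/paste or a typo is
    caught before the value is entered into the decryption prompt.
    """
    digits = _SEPARATORS.sub("", raw)
    stray = sorted(set(re.findall(r"[^0-9]", digits)))
    if stray:
        raise ValueError(f"unexpected characters: {stray!r}")
    if len(digits) != 48:
        raise ValueError(f"expected 48 digits, found {len(digits)}")
    groups = [digits[i:i + 6] for i in range(0, 48, 6)]
    for n, group in enumerate(groups, start=1):
        value = int(group)
        # Each group encodes 16 bits of the key as value = 11 * x, x < 2**16,
        # so any single mistyped digit in a group is detectable.
        if value % 11 != 0 or value // 11 >= 2**16:
            raise ValueError(f"group {n} ({group}) fails the divisible-by-11 check")
    return "-".join(groups)


if __name__ == "__main__":
    pasted = SAMPLE + " \r\n"  # trailing white space, as in the thread
    print(repr(normalize_recovery_password(pasted)))
```

A group that fails the check points to a transcription error in that group, not to a problem with the imaging tool.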
One thing to keep in mind (I think it is still the case according to Guidance's documentation) - EnCase's Decryption Suite is not supported when using EnCase on a 64-bit machine; you need to be running EnCase on 32-bit platform.
This isn't true; I've been running EnCase 64-bit since v7.01 and successfully decrypted BitLocker'd hard drives. Currently running EnCase v7.08.1 on my 64-bit workstation, with success.
Thanks. This is still the case for McAfee, SafeBoot, and WinMagic, and some other encryption. Others have verified it is not the case for BitLocker.