Encrypted NTFS Images - Or Not????  

UnallocatedClusters
(@unallocatedclusters)
Senior Member

Colleagues,

We used FTK Imager Lite 3.1.1 to create full physical images of multiple Dell laptops.

The full physical image creation completed and verified successfully.

However, when one views the resulting E01 images in FTK Imager, the main "User" partition is encrypted "Unrecognized File System".

We then created "logical" drive images of the laptops' C partitions using FTK Imager Lite 3.1.1 and were able to get unencrypted physical images of the C partitions.

This is where things get weird…

The corporate client claims (I believe them) that they never encrypted the Dell laptops' C partitions.

My research shows that Microsoft is shipping laptop hard drives in an encrypted state, but without Bitlocker being initialized.

https://superuser.com/questions/1299600/is-a-volume-with-bitlocker-waiting-for-activation-encrypted-or-not

On the original Dell laptops, one can choose the C partition and "turn on Bitlocker" and save a recovery key to a text file. Corporate users can also use Active Directory to ingest and maintain the Bitlocker recovery keys.

So, it appears that "encryption" and "BitLocker encryption" are two different subjects; Bitlocker appears to be Microsoft's encryption management system.

1) When we mount the FTK Imager created full physical disk images using FTK Imager, the C partition is encrypted and not accessible.

2) When we mount the FTK Imager created full physical disk images using Arsenal Image Mounter, the C partition is encrypted and not accessible.

3) When we mount the FTK Imager created full physical disk images using GetData's Mount Image Pro v6, the C partition is accessible!!!!!!

Any ideas why Mount Image Pro is the only tool that can mount the C partition and make it available as un-encrypted, when none of the other tools can???

I also tried Passmark's OSForensics to mount the full disk image in the hopes that OSForensics would prompt for the BitLocker recovery key, but OSForensics did not; OSForensics mounts the full disk image as encrypted.

So, our new standard operating procedure is to first preview hard drives using FTK Imager to determine if the C partition is encrypted even if the corporate client tells us they never encrypted the hard drives; if we see that the C partition is encrypted, we will create a logical image of the C partition and check other partitions to see if there is other user generated data to collect. We also create a full disk physical image in addition to the C partition logical image so that we have both.

Kudos to GetData and Mount Image Pro for being the only tool able to decrypt these images without even asking for the Bitlocker recovery key.

Any ideas what is going on with this encryption / not-encrypted issue????

Posted : 27/08/2019 10:21 pm
thefuf
(@thefuf)
Active Member

When mounting a physical image using FTK Imager and/or Arsenal Image Mounter, do you see the "-FVE-FS-" signature in the first sector of the encrypted partition?

Posted : 27/08/2019 11:05 pm
Passmark
(@passmark)
Active Member

I suspect there is more going on.
With modern encryption you can't just decrypt it without the password or the key. The 256-bit AES encryption is just too solid for that.
Either it was never actually encrypted or the key was available (somehow).

Initially you said the "user" partition was encrypted. But then said it was the "c partitions". Maybe it was EFS file level encryption, not partition encryption? So just some selected files in the file system (e.g. the User folder) were encrypted?

Or it might just be an unexpected partition type. See this list here.
https://en.wikipedia.org/wiki/Partition_type
There are some pretty strange ones out there.

So it would also be good to see the dump of the partition table (and the 1st sector of the partition).

Posted : 28/08/2019 2:48 am
jaclaz
(@jaclaz)
Community Legend

More loosely, "Unrecognized File System" does not really mean in itself that the volume is encrypted; it means "Unrecognized File System" (which could be caused by encryption or by other reasons).

As an example, not your case of course, but I seem to remember similar issues years ago with a Partition ID of 42, which was "Dynamic Disk": the volume was inaccessible and simply editing the partition ID to 07 (which is commonly thought of as meaning NTFS, but isn't[1]) allowed access to the data.

I would check both the partition table (MBR or GPT) and the first few sectors of the volume.

It could also be some sort of "special case" connected to FTK (though I doubt it). Is the behaviour the same with a plain dd-like copy (both of the whole disk and of only the volume)?

jaclaz

[1] 07 is actually a "protective" partition ID that tells non-NT systems "ignore this"; it may mean HPFS (rare) or, nowadays increasingly commonly, exFAT/TexFAT.

Posted : 28/08/2019 8:08 am
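thefuf asks whether the "-FVE-FS-" signature is in the first sector of the partition, and jaclaz suggests checking the partition table (MBR or GPT) and the first few sectors of the volume. The following script does both checks against a raw dd-style image. It is an added example written for this thread, not code from FTK Imager, Arsenal Image Mounter, Mount Image Pro or any other tool mentioned here. It assumes a 512-byte-sector image (a 4Kn disk imaged with the wrong sector size would shift every offset, which is the misalignment case thefuf raises later), uses the standard MBR, GPT and boot-sector offsets, does not verify GPT CRCs, and runs on two tiny constructed images rather than a real evidence file. The constructed BitLocker sector reproduces what the posted hex dump shows: the jump bytes EB 58 90, "-FVE-FS-" at offset 3, and the fake FAT32 "NO NAME" label that makes BitLocker-unaware tools see a FAT32 volume.

```python
"""List partitions from an MBR or GPT and classify each volume's first sector as
BitLocker ("-FVE-FS-"), NTFS ("NTFS    ") or unknown.  Added example for this
thread; not code from any of the imaging tools discussed."""
import struct
import uuid

SECTOR = 512                  # assumed sector size; 4Kn images need 4096
FVE_SIGNATURE = b"-FVE-FS-"   # BitLocker volume header OEM ID, bytes 3..10
NTFS_OEM_ID = b"NTFS    "     # NTFS boot sector OEM ID, same offset
BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # GPT basic data
MBR_TYPE_NAMES = {0x07: "NTFS/exFAT/HPFS", 0x42: "dynamic disk", 0xEE: "GPT protective"}


def classify_volume_sector(sector: bytes) -> str:
    """Decide what a volume is from the OEM ID at offset 3 of its first sector."""
    oem = sector[3:11]
    if oem == FVE_SIGNATURE:
        return "bitlocker"
    if oem == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"


def parse_mbr(image: bytes) -> list:
    """Return the non-empty slots of the 4-entry MBR partition table at offset 446."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]                                   # partition type ID byte
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "type": ptype, "type_name": MBR_TYPE_NAMES.get(ptype, "other"),
                      "start_lba": start_lba, "sectors": count})
    return parts


def parse_gpt(image: bytes) -> list:
    """Return the used entries of a GPT whose header sits at LBA 1 (CRCs not checked)."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no 'EFI PART' signature at LBA 1")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)         # start of entry array
    n_entries, entry_size = struct.unpack_from("<II", hdr, 80)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = image[off:off + entry_size]
        type_guid = entry[:16]
        if type_guid == bytes(16):                              # all-zero GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        parts.append({"index": i, "type": str(uuid.UUID(bytes_le=type_guid)),
                      "type_name": "basic data" if type_guid == BASIC_DATA_GUID.bytes_le else "other",
                      "start_lba": first, "sectors": last - first + 1})
    return parts


def inspect_image(image: bytes) -> list:
    """MBR first; a lone 0xEE entry is a protective MBR, so fall through to the GPT."""
    parts = parse_mbr(image)
    if len(parts) == 1 and parts[0]["type"] == 0xEE:
        parts = parse_gpt(image)
    for p in parts:
        start = p["start_lba"] * SECTOR
        p["volume"] = classify_volume_sector(image[start:start + SECTOR])
    return parts


# --- constructed sample images: one-sector "partitions", purely for demonstration ---
def _mbr_entry(ptype: int, start_lba: int, count: int) -> bytes:
    return bytes([0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start_lba, count)

def _bitlocker_header() -> bytes:
    s = bytearray(SECTOR)
    s[0:11] = b"\xeb\x58\x90" + FVE_SIGNATURE   # EB 58 90 + "-FVE-FS-", as in the posted dump
    s[71:82] = b"NO NAME    "                    # fake FAT32 BPB label ...
    s[82:90] = b"FAT32   "                       # ... so unaware tools see "NO NAME FAT32"
    return bytes(s)

def build_sample_mbr_image() -> bytes:
    mbr = bytearray(SECTOR)
    mbr[446:462] = _mbr_entry(0x07, 1, 1)   # type 07, plain NTFS boot sector
    mbr[462:478] = _mbr_entry(0x07, 2, 1)   # type 07, but a BitLocker header inside
    mbr[478:494] = _mbr_entry(0x42, 3, 1)   # type 42 (dynamic disk), zero-filled
    mbr[510:512] = b"\x55\xaa"
    ntfs = bytearray(SECTOR); ntfs[0:11] = b"\xeb\x52\x90" + NTFS_OEM_ID
    return bytes(mbr) + bytes(ntfs) + _bitlocker_header() + bytes(SECTOR)

def build_sample_gpt_image() -> bytes:
    mbr = bytearray(SECTOR); mbr[446:462] = _mbr_entry(0xEE, 1, 3); mbr[510:512] = b"\x55\xaa"
    hdr = bytearray(SECTOR); hdr[:8] = b"EFI PART"
    struct.pack_into("<Q", hdr, 72, 2)          # entry array at LBA 2
    struct.pack_into("<II", hdr, 80, 1, 128)    # one 128-byte entry
    entry = bytearray(128); entry[:16] = BASIC_DATA_GUID.bytes_le
    struct.pack_into("<QQ", entry, 32, 3, 3)    # volume occupies LBA 3 only
    return bytes(mbr) + bytes(hdr) + bytes(entry) + bytes(SECTOR - 128) + _bitlocker_header()


if __name__ == "__main__":
    for p in inspect_image(build_sample_mbr_image()) + inspect_image(build_sample_gpt_image()):
        print(p)
```

On a real image, replace the constructed bytes with the file contents (for an E01 you would first expose it as a raw device, for example with an image mounter, since this reads raw sectors). The point of the second sample partition is the one the thread circles around: the MBR type ID is 07 and looks like ordinary NTFS, yet the volume itself starts with "-FVE-FS-", so the partition table alone cannot tell you whether a volume is BitLocker-protected; only the volume's first sector can.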
athulin
(@athulin)
Community Legend

My research shows that Microsoft is shipping laptop hard drives in an encrypted state, but without Bitlocker being initialized

Sounds like you may be talking about Bitlocker pre-provisioning. Pre-provisioning may be enabled, but that does not necessarily mean that encryption is done to any degree of normal security.

Posted : 28/08/2019 11:17 am
passcodeunlock
(@passcodeunlock)
Senior Member

Just check the image file header and footer and you will get your answers.

I am thinking of an error when mounting the partitions based on the MBR / GPT.

Do you have log files of the failure?!

Posted : 28/08/2019 12:41 pm
dandaman_24
(@dandaman_24)
Active Member

Bitlocker Clearkey

Posted : 28/08/2019 8:35 pm
AmNe5iA
(@amne5ia)
Active Member

Bitlocker Clearkey

I was thinking clearkey but that doesn't really explain why it wasn't automatically decrypting when using other mounting tools (AIM, FTK Imager).

Posted : 29/08/2019 12:29 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

When mounting a physical image using FTK Imager and/or Arsenal Image Mounter, do you see the "-FVE-FS-" signature in the first sector of the encrypted partition?

Yes

ëX.-FVE-FS-……….ø..?.ÿ..8……à………………………..)….NO NAME FAT32 3É.Ѽô{.Á.Ù½.| û}´}.ð¬[email protected]´.»..Í.ëï ý}ëæÍ.Í……………………;ÖgI).ØJ..ö£9ãÐ….þ…… þ……¡þ……………………………………………………
Remove disks or other media.ÿ
Disk errorÿ
Press any key to restart
…………………

Posted : 04/09/2019 10:27 pm
deeFIR
(@deefir)
Junior Member

Devices with TPM will do this.

Posted : 05/09/2019 3:15 am
thefuf
(@thefuf)
Active Member

When mounting a physical image using FTK Imager and/or Arsenal Image Mounter, do you see the "-FVE-FS-" signature in the first sector of the encrypted partition?

Yes

ëX.-FVE-FS-……….ø..?.ÿ..8……à………………………..)….NO NAME FAT32 3É.Ѽô{.Á.Ù½.| û}´}.ð¬[email protected]´.»..Í.ëï ý}ëæÍ.Í……………………;ÖgI).ØJ..ö£9ãÐ….þ…… þ……¡þ……………………………………………………
Remove disks or other media.ÿ
Disk errorÿ
Press any key to restart
…………………

That's strange. My first guess was about a misaligned partition (because of a different sector size for example, a 4Kn drive mounted as a 512n drive), but now we know that the header is there, so the encrypted volume is aligned properly. I have no idea what's going on (a possible problem with partition types is mentioned in another post, but I don't think it's the real reason, because another tool was able to mount the image without the issue; also, a wrong partition type is expected to make the system unbootable, but this is not the case).

Posted : 10/09/2019 3:47 pm