I was recently required to create a forensic image of two computers: a laptop and a desktop. The method I used for these acquisitions is to remove the source drives, plug them into the forensics server and acquire using the ewfacquire tool from a Kali Linux live CD. Both acquisitions concluded seemingly successfully; no errors were reported.
Upon attempting to mount the laptop EO files in EnCase 6, I was prompted for a BitLocker recovery key, which I had to request from the client.
Upon attempting to mount the desktop EO files in EnCase 6, I was NOT prompted for a BitLocker password, and EnCase indicates the drive to be part of a RAID array, which is not correct. The client indicated that both computers in fact had BitLocker on them. This, however, does not explain why EnCase recognises BitLocker on one drive and not the other. IEF mounts and attempts to index the EO files but finds nothing. Not surprising, since it does not prompt for a BitLocker key.
For my own satisfaction, I did a second acquisition of both hard drives in their resident computers using the dcfldd tool. This time EnCase 6 prompted me for the BitLocker recovery key for both hard drives.
- Is there a way to recognise BitLocked hard drives in the field during clandestine acquisitions when it is not feasible to ask the computer user if he/she uses BitLocker?
- It isn't always possible to acquire a hard drive in its resident computer.
Rowland,
Computer Forensics Analyst, Ethical Hacker
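One field check that does not depend on the owner's cooperation: a BitLocker-encrypted NTFS volume keeps a normal-looking volume boot record, but its OEM ID (bytes 3 to 10 of the VBR) reads "-FVE-FS-" instead of "NTFS    ". The script below is an added example, not code from the original post or from any of the tools mentioned in it. It reads the MBR of a raw device or dd image, checks the VBR of each primary partition for that signature, and offers a sector-by-sector fallback for GPT disks or a damaged partition table. It assumes a 512-byte sector size and an MBR layout for the partition walk; E01/EWF images would first need to be exposed as raw data (for example via ewfmount). The sample image at the bottom is constructed inline so the script runs offline.

```python
import io
import struct

SECTOR = 512
FVE_SIGNATURE = b"-FVE-FS-"   # OEM ID in the VBR of a BitLocker-encrypted NTFS volume
NTFS_SIGNATURE = b"NTFS    "  # OEM ID of an ordinary NTFS volume, for comparison
BOOT_SIG = b"\x55\xaa"


def read_sector(f, lba):
    """Read one sector by LBA from a file-like object (device node, dd image, BytesIO)."""
    f.seek(lba * SECTOR)
    return f.read(SECTOR)


def is_bitlocker_vbr(sector):
    """True if this sector looks like the volume boot record of a BitLocker volume."""
    return (len(sector) == SECTOR
            and sector[3:11] == FVE_SIGNATURE
            and sector[510:512] == BOOT_SIG)


def mbr_partitions(mbr):
    """Return (type, start_lba, size_sectors) for each used primary MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        return []
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack("<II", entry[8:16])
        if ptype != 0 and size != 0:
            parts.append((ptype, start, size))
    return parts


def find_bitlocker_volumes(f):
    """Walk the MBR and report, per partition, whether its VBR carries the BitLocker OEM ID."""
    results = []
    for ptype, start, size in mbr_partitions(read_sector(f, 0)):
        vbr = read_sector(f, start)
        results.append({"type": ptype, "start_lba": start, "size": size,
                        "bitlocker": is_bitlocker_vbr(vbr)})
    return results


def scan_sectors(f, max_sectors=None):
    """Fallback for GPT disks or a wiped partition table: check every sector for a BitLocker VBR.
    Returns the LBAs where one was found. Slow on a whole drive; limit with max_sectors."""
    hits = []
    lba = 0
    while max_sectors is None or lba < max_sectors:
        s = read_sector(f, lba)
        if len(s) < SECTOR:
            break
        if is_bitlocker_vbr(s):
            hits.append(lba)
        lba += 1
    return hits


def _vbr(oem):
    """Constructed minimal VBR: x86 jump, OEM ID, boot signature (assumption: enough for the check)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = oem
    s[510:512] = BOOT_SIG
    return bytes(s)


def sample_image_file():
    """Constructed 12-sector disk image: MBR with two NTFS-typed partitions,
    the first plain NTFS at LBA 2, the second BitLocker-encrypted at LBA 8."""
    def entry(ptype, start, size):
        return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, size)
    img = bytearray(SECTOR * 12)
    img[446:462] = entry(0x07, 2, 4)
    img[462:478] = entry(0x07, 8, 4)
    img[510:512] = BOOT_SIG
    img[2 * SECTOR:3 * SECTOR] = _vbr(NTFS_SIGNATURE)
    img[8 * SECTOR:9 * SECTOR] = _vbr(FVE_SIGNATURE)
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    import sys
    # Usage: python bl_check.py /dev/sdX   (or a dd image); no argument runs the constructed sample
    f = open(sys.argv[1], "rb") if len(sys.argv) > 1 else sample_image_file()
    for r in find_bitlocker_volumes(f):
        print("partition type 0x%02x at LBA %d: %s" % (
            r["type"], r["start_lba"], "BitLocker VBR" if r["bitlocker"] else "not BitLocker"))
```

The same test can be done by hand with dd: read the first sector of each partition and look for "-FVE-FS-" at offset 3 (a plain NTFS volume shows "NTFS    " there). The check only tells you the volume's own boot record carries the BitLocker OEM ID; it says nothing about other full-disk encryption products, and it does not explain why a particular image viewer fails to recognise the volume.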
> Is there a way to recognise BitLocked hard drives in the field during clandestine acquisitions when it is not feasible to ask the computer user if he/she uses BitLocker?
> It isn't always possible to acquire a hard drive in its resident computer.
jaclaz