Notifications

Clear all

FTK Imager and Win7 BitLocker

Cults14 · 2012-06-15T19:33:25Z

I've just got my hands on my first HD encrypted with BitLocker. I connected it to my workstation via a Tableau T35es, get prompted for Recovery Key, enter it, and I can browse the drive in Windows.But when I Add it as Evidence in FTK Imager 3.1.0.1514, Partition 1 appears as "Unrecognised file system (HPFS/NTFS)I can see Partition 2 (300MB recovery partition).Am I doing something wrong here? Can't I explore a BitLocker partition in FTKI even if I've entered the Recovery Key in Windows?Seems like I can't triage as normal in FTK Imager and export files or Custom Image, and can't take full image.I've already posted same query on AccessData forum todayAssuming FTKI can't cope, what else (free) would allow me to do what I want i.e. full readable image, triage, export files and/or custom imageCheers

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by bshavers 10 years ago

16 Posts

8 Users

0 Reactions

8,626 Views

RSS

bshavers

(@bshavers)

Estimable Member

Joined: 20 years ago

Posts: 211

26/11/2013 8:19 am

FYI

Manage-bde -unlock E -recoverypassword 11111-222222-…….777777-888888 works just fine from WinFE Lite thumb drive

Where E is the drive to be imaged and 11111-222222-…….777777-888888 is the recovery key (48-character)

Cheers

WinFE is very cool D

and free…

ReplyQuote

Cults14

(@cults14)

Reputable Member

Joined: 17 years ago

Posts: 367

Topic starter 24/03/2015 10:02 pm

You can take the physical drive image (dd) of a BitLockered drive and mount it as a VHD using a bit of ingenuity. Once mounted, it will show up as a BitLockered drive, and prompt for the key. Thereafter you can access it as a regular drive, decrypt it, image it logically, search it, etc.

When I have to image in situ, I take the physical of a BitLockered drive every time instead of mucking with boot up, login, etc.

Search for 'dd image to VHD'.

Every BitLockered boot drive has a minimum 2 partitions. One unencrypted boot, and one encrypted. Most 'full disk' encryption in my experience work this way.

Jhup, I just had my first Image delivered to me by a vendor who did some work abroad for us, including images of a couple of Bitlockered systems with no ID and no Recovery Password

Your method worked a treat, so thank you very much (for the record, I used the convertfromraw option with VBoxManage.exe which is bundled with VirtualBox)

Many thanks!! )

ReplyQuote

jhup

(@jhup)

Noble Member

Joined: 16 years ago

Posts: 1442

25/03/2015 11:30 pm

You are welcome.

Now go forth and spread your knowledge to other forensicators. mrgreen

ReplyQuote

mansiu

(@mansiu)

Trusted Member

Joined: 16 years ago

Posts: 83

26/03/2015 12:22 pm

FYI

Manage-bde -unlock E -recoverypassword 11111-222222-…….777777-888888 works just fine from WinFE Lite thumb drive

Where E is the drive to be imaged and 11111-222222-…….777777-888888 is the recovery key (48-character)

Cheers

WinFE is very cool D

and free…

any windows license issue building WinFE?

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

26/03/2015 4:03 pm

any windows license issue building WinFE?

No.

As long as you hold a valid corresponding license for a Windows OS, you do not redistribute the built WinPE/WinFE and you do not use it as a replacement for a "full" OS, you are good to go.
The WinFE is nothing but a specially built WinPE, and though it can be built from Windows install files (i.e. the WAIK/ADK is not really-really needed) usually, by extension, the WAIK/ADK license is used as reference.

jaclaz

ReplyQuote

bshavers

(@bshavers)

Estimable Member

Joined: 20 years ago

Posts: 211

26/03/2015 9:54 pm

If you have a Windows license, you can build a WinFE/PE.

Free online course on how-to build a WinFE at http//courses.dfironlinetraining.com/windows-forensic-environment

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
269 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed