I am fairly new to digital forensics and I need to image laptops that are encrypted with Windows 10 BitLocker, where I have the recovery key and encryption password. I prefer utilizing free open-source tools at this point before going on to trial EnCase/FTK.
What I've tried so far
I used Guymager from the CAINE Live USB to acquire the image from a laptop running Windows 10 with an NTFS volume, and it seems to have succeeded in creating an E01 image of the entire physical disk (a single non-split 80GB E01 file).
One thing I notice is that Guymager seems to only give the option to create an image of the entire disk and doesn't give me the option to image only a logical volume. Most of the time I'll just need to look through the C drive. For a BitLocker-encrypted drive, does it matter whether I image an entire physical disk or a logical volume?
After imaging, I tried following the steps in this tutorial video from Rob Lee using SANS SIFT in VMware Workstation Pro as a guest under a Windows 10 host to mount the E01 image, but it's not working:
$ sudo su
# imageMounter.py -e -b -k {recovery_key} image.E01 /mnt/windows_mount
[+] Processing E01 File
ewfmount 20140608
[+] Mounted E0 File at /mnt/ewf_2018_02_09-18_49/ewf1
[-] to unmount run 'sudo umount /mnt/ewf_2018_02_09-18_49'
[+] Processing Bitlocked Drive
bdemount 20170902
Unable to open /mnt/ewf_2018_02_09-18_49/ewf1.
libbde_io_handle_read_volume_header invalid volume signature.
libbde_volume_open_read unable to read volume header.
libbde_volume_open_file_io_handle unable to read from file IO handle.
mount_handle_open_input unable to open input volume.
# file /mnt/ewf_2018_02_09-18_49/ewf1
/mnt/ewf_2018_02_09-18_49/ewf1 DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system", disk signature 0x3804abbe; partition 1 ID=0x7, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 ID=0x7, start-CHS (0xc,223,20), end-CHS (0x3ff,254,63), startsector 206848, 488188272 sectors
Any suggestions would be greatly appreciated.
In the video the -s option seems to be used in imageMounter.py; maybe the issue is with the -o (offset) parameter in the later call to bdemount?
The kinds of errors you have in libbde all seem linked to a "wrong" address for the beginning of a volume.
Or maybe the partition table of the image contains a not listed partition ID?
Is it GPT or MBR?
First thing, try this alternative:
https://github.com/sans-dfir/sift/issues/131
https://github.com/ralphje/imagemounter
jaclaz
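As an added illustration of the offset point above (example code written for this page, not jaclaz's nor the libbde project's): the libbde "invalid volume signature" message is what you get when bdemount is pointed at byte 0 of a whole-disk image, where the MBR sits, instead of at the start of the encrypted partition. A BitLocker volume's boot sector carries the OEM ID "-FVE-FS-" at bytes 3..11, an unencrypted NTFS volume carries "NTFS    ", and an MBR carries neither. The script below parses the MBR partition table, computes each partition's byte offset, classifies the boot sector found there, and prints the bdemount line (with -o for the byte offset and -r for the recovery password) for any BitLocker volume it finds. It runs against a constructed 4 MiB in-memory disk with partitions at LBA 2048 and 4096 (chosen small so it fits in memory); on the disk in the post, partition 2 starts at sector 206848, so the offset to pass would be 206848 * 512 = 105906176. The /mnt paths and the RECOVERY-PASSWORD placeholder are assumptions.

```python
import struct
from io import BytesIO

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID at bytes 3..11 of a BitLocker volume header
NTFS_OEM = b"NTFS    "        # OEM ID of a plain NTFS volume boot sector


def parse_mbr(mbr: bytes):
    """Return (index, type_id, start_lba, sector_count) for each non-empty MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, start_lba, count = struct.unpack("<B3xB3xII", entry)
        if type_id != 0:
            parts.append((i + 1, type_id, start_lba, count))
    return parts


def classify_volume(boot_sector: bytes) -> str:
    """Tell a BitLocker volume header from NTFS from anything else (e.g. an MBR)."""
    oem = boot_sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def survey_image(fp):
    """fp is a seekable raw disk image, e.g. the ewf1 file exposed by ewfmount."""
    fp.seek(0)
    mbr = fp.read(SECTOR)
    results = []
    for idx, type_id, start_lba, count in parse_mbr(mbr):
        offset = start_lba * SECTOR        # byte offset of the volume inside the disk image
        fp.seek(offset)
        kind = classify_volume(fp.read(SECTOR))
        results.append({"index": idx, "type": type_id, "offset": offset,
                        "sectors": count, "volume": kind})
    return results


def bdemount_command(image_path: str, mount_point: str, offset: int, recovery_password: str) -> str:
    """bdemount takes the volume offset in bytes via -o and the 48-digit recovery password via -r."""
    return f"bdemount -o {offset} -r {recovery_password} {image_path} {mount_point}"


def build_sample_image() -> BytesIO:
    """Constructed sample (assumption): two-partition MBR disk, partition 1 NTFS at LBA 2048,
    partition 2 BitLocker at LBA 4096, 4 MiB total so it can live in memory."""
    def entry(status, type_id, start, count):
        return struct.pack("<B3sB3sII", status, b"\0\0\0", type_id, b"\0\0\0", start, count)

    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x80, 0x07, 2048, 2048)
    mbr[462:478] = entry(0x00, 0x07, 4096, 4096)
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(8192 * SECTOR)
    img[0:SECTOR] = mbr
    p1 = 2048 * SECTOR
    img[p1 + 3:p1 + 11] = NTFS_OEM
    p2 = 4096 * SECTOR
    img[p2 + 3:p2 + 11] = BITLOCKER_OEM
    return BytesIO(bytes(img))


if __name__ == "__main__":
    img = build_sample_image()
    for p in survey_image(img):
        print(p)
        if p["volume"] == "bitlocker":
            # assumed paths: ewf1 from ewfmount, a fresh mount point for the decrypted volume
            print(bdemount_command("/mnt/ewf/ewf1", "/mnt/bde", p["offset"], "RECOVERY-PASSWORD"))
```

Running it on the real ewf1 file instead of the sample (open it with `open(path, "rb")` and pass it to `survey_image`) gives the -o value to hand to bdemount; the "unknown" result for byte 0 is exactly the case libbde rejects.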
It is MBR with a 100MB "System Reserved" partition and a C partition, both NTFS, on a 250GB SSD. Only the C partition seems to be BitLocker encrypted.
I'll try the alternative, thanks.
Only for the record, and maybe related, maybe not: in some cases/installs the "System Reserved" partition on MBR is type 0x27, though I cannot say if this could (if verified) cause that error.
To be picky (as I am), the "C partition" doesn't actually exist, in the sense that a second partition, NTFS, type 0x07, does exist, and originally (when booted) the OS would have given the volume inside it the drive letter C, but that drive letter attribution is "volatile" and only valid on the original system.
jaclaz
Since you have the key, why not use Arsenal Image Mounter?
https://
After the drive is unlocked, you can reacquire just the partition to have an unencrypted image.