Image of bitlocker ...
 
Notifications
Clear all

Image of bitlocker HDD

9 Posts
5 Users
0 Likes
5,574 Views
(@adamlawler)
Posts: 28
Eminent Member
Topic starter
 

Hello, 

I have the PC secured in drugs case. The pc has two hard drives. I did the binary copy of HDD with Windows system, then use Axiom to succesfully parse data. 

The second HDD drive has bitlocker encryption.

What can I do assuming I will get the password to the encrypted drive?

I cant turn on the pc and decrypt the seceond drive in Windows with given password because it's evidence.

I can create binary copy of the encrypted second hdd and then what?

How can I decrypt binary copy with given password?

 

Thanks in advance for any clue.

 
Posted : 07/07/2020 5:48 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

A dd image is a byte-by-byte (or sector by sector) copy of the original.

So you image the encrypted disk normally, then, it depends on the specific type of protectors in use, see here:

https://www.forensicfocus.com/articles/how-to-decrypt-bitlocker-volumes-with-passware/

but if you have the password or recovery key you can decrypt it (the mounted image or a clone) normally just fine with manage-bde:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker

 

https://www.top-password.com/blog/decrypt-bitlocker-encrypted-drive-from-command-line/

jaclaz

 

 
Posted : 07/07/2020 6:34 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 
Posted by: @adamlawler

..I cant turn on the pc and decrypt the seceond drive in Windows with given password because it's evidence....

As Jaclaz said, image normally and decrypt with the password/recovery key if you can.

However if TPM was used, you will have to turn on the evidence PC and decrypt live. This is a perfectly normal thing to do as long as it's documented, just like pulling live RAM or capturing live network connections. The days of pristine dead drive only evidence is long gone.

Document ... Document ... Document!

 
Posted : 07/07/2020 7:21 pm
(@rich2005)
Posts: 535
Honorable Member
 

I can't remember, does would BitLocker + the TPM have anything in it ties it to a particular drive (rather than just the machine), preventing cloning of the drive first, and then using that for imaging?

Obviously I ask, as that way you could still preserve the original without making any changes, and use the clone to work on live and decrypt the data. As, whilst a bit more laborious, would achieve the aim of making no changes to the data if possible.

 
Posted : 08/07/2020 7:47 am
(@rich2005)
Posts: 535
Honorable Member
 

"does would" = does

 
Posted : 08/07/2020 8:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@Rich2005

I don't think there is any such limit for a full "disk" (the whole thing) clone.

It is IMHO the usual mess about the definition of "clone", "disk", and "volume" or "partition" or "drive" (i.e. the whatever the Windows assigns a drive letter to).

A clone is by definition something that is not distinguishable from the original (at least for a given set of tests).

Bitlocker (widely called "full-disk encryption") is actually a "volume only encryption", as an example the good Acronis guys detail the difference, and then (admittedly) use the "wrong" terms for the article, in order to be more similar (allegedly) to the MS "lingo":

https://kb.acronis.com/content/56619

whilst actually the good MS guys use extensively "drive" and "volume":


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831507(v=ws.11)

So even a volume/partition copy would do, normally:

https://www.diskgenius.com/how-to/clone-bitlocker-drive.php

With TPM maybe there are restrictions in the case of a volume/partition copy/image/clone, but I doubt even there.

jaclaz

 

 

 
Posted : 08/07/2020 9:13 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 
Posted by: @watcher

However if TPM was used, you will have to turn on the evidence PC and decrypt live. This is a perfectly normal thing to do as long as it's documented, just like pulling live RAM or capturing live network connections. The days of pristine dead drive only evidence is long gone.

Document ... Document ... Document!

+1
You cannot repeat this often enough!
The integrity of evidence is very important, but not a religion! Keep an untouched copy (better: 2) dry and safe and start up that thing. Do it with a witness on your side and make pics or videos, if u work on the original evidence. If there are good technical reasons to do so, every judge will understand that.

As watcher said: Document it and give a good technical explanation/ reason for working on the original devices.

regards, 

Robin

 
Posted : 09/07/2020 9:57 am
(@rich2005)
Posts: 535
Honorable Member
 

It's not a religion but arguably in this instance, if an exact copy of the original could be made, relatively easily, and a copy worked on and decrypted, then it should be done to preserve best evidence.

I'm not saying you definitely should but I could see the other side making that argument in court and life being more difficult than it should be as a result.

 
Posted : 09/07/2020 3:09 pm
(@adamlawler)
Posts: 28
Eminent Member
Topic starter
 

THank you for answers. Will try

 
Posted : 09/07/2020 6:01 pm
Share: