Imaging Windows 10/Bitlocker/Dell7480 Problems  

timtam
(@timtam)
New Member

Hello,

I seem to be running into an issue while trying to image a device and was wondering if anyone can help me figure out what the issue might be and a solution.

I'm not sure if the model makes a difference, so here goes:
The device is a Dell Latitude Model 7480 with an M.2 SSD ("NVMe THNSN5512GPUK NV").

The system is powered off.
I have tried CAINE, Paladin, and DEFT. In all three, the hard drive does not show up in the device/disk list, nor in Guymager etc.

I purchased this adapter: Amazon JSER SFF-8639 NVME U.2 to NGFF M.2 M-key.

I tried removing the SSD and attaching it to a write-blocker. In this case, it shows up as an 'un-initialized disk' in the Computer Management window.

I'll have to confirm this but I believe I previously imaged an older Dell Latitude Model 7470 (Windows 10 + Bitlocker) using CAINE with no issues. The SSD on the model 7470 is a "Micron 1100 SATA 512GB" (which has the B+M key edge).

I'm listing as much detail as I can think of. I've tried searching for some insight but most results are articles on decrypting Bitlocker (which I'm still upset EnCase doesn't support yet) rather than imaging.
I believe I have the means to decrypt the image but first I need to be able to image the device!

Any help/insight is much appreciated.

Thank you!

Posted : 25/08/2017 9:06 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

GetData's MountImage Pro will mount a BitLocker encrypted forensic image. After MIP mounts the encrypted image, a Windows dialogue box will pop up asking for the BitLocker encryption key.

To image the computer itself, try Parrot Security's Linux distro (https://www.parrotsec.org/download.fx).

Posted : 25/08/2017 5:32 pm
timtam
(@timtam)
New Member

Thanks for the input. I downloaded and tried Parrot and ran into the same issue as with CAINE.

The only devices listed are the USB I'm booting Parrot from, and a "loop0" at mountpoint "/lib/live/mount/rootfs/filesystem.squashfs" (approx 3GB in size).

I'm still unable to image the device. Any idea why the device would not show up?

Posted : 25/08/2017 10:56 pm
AmNe5iA
(@amne5ia)
Active Member

Bitlocker only encrypts a volume on a disk, not the whole disk, so it shouldn't be preventing you from seeing the disk. In Paladin etc., what does the terminal command 'lsblk' report?

I have known devices not show up in the GUI disk/device lists on Paladin etc even though they are there. I can usually find them and image using command line tools though.

Posted : 26/08/2017 10:35 am
passcodeunlock
(@passcodeunlock)
Senior Member

It sounds like an adapter issue: the connector is the same, but for some chipsets the adapters don't have the support. Try various M.2 SSD adapters…

I'm not related to any of these vendors, but I suggest you start with DeLock or Gembird adapters.

Posted : 28/08/2017 6:57 pm
bytethese
(@bytethese)
New Member

I'm not sure about EnCase v5 and previous, but I've been decrypting BitLocker in v6, v7 and v8. If it is encrypted with BitLocker, Windows should identify it as such and prompt for opening.

Personally I image a few Dell Latitude 7400 Series laptops a week, removing the M2 and putting on my Tableau write blocker for imaging. We don't use BitLocker but something else, but similar idea. Does EnCase detect the drive at all? Maybe a bad adapter?

Posted : 28/08/2017 7:10 pm
timtam
(@timtam)
New Member

Here is the lsblk output

I've imaged other Dell 7450s and 7470s without any issue. It's this 7480 and M2 that doesn't seem to want to work.

I will order a DeLock or Gembird adapter and see if it works and post an update once they come in.

Thanks for the replies!

Posted : 29/08/2017 1:32 am
thefuf
(@thefuf)
Active Member

It seems that the drive is not detected by Linux; this issue would be hard to debug over the forum. But if the drive is recognized by BIOS, it would be possible to acquire the image using DOS or a custom GRUB image (this will be very slow, but no native drivers will be required, because all read requests are going to be served by BIOS). The "ls" command in the GRUB shell will show you a list of detected devices. After this, if you see an unencrypted boot partition on one of these devices (by typing something like "ls (hd0,msdos1)/"), it will be possible to acquire the image correctly. You can find GRUB in some of the live distributions (for example, it is available in grml, see the "Addons" section in its boot loader).

Posted : 29/08/2017 12:58 pm
Bulldawg
(@bulldawg)
Active Member

Sorry for the late reply, but you're dealing with an NVMe drive, and you seem to be trying to connect it via a SATA adapter. There's no way that will work. Although the M.2 connectors are often keyed the same for SATA and NVMe SSDs, they are not compatible. NVMe and SATA are two completely different protocols. NVMe is also often referred to as PCIe since it is a direct connection to the PCIe bus and many vendors use the terms interchangeably.

You'll find adapters for Tableau products, the new Tableau TX1 supports NVMe natively as does the Tableau t356789iu, and the Forensic Falcon can connect via an adapter. I'm sure there are others, but they're all relatively new.

https://www.guidancesoftware.com/tableau/hardware/tda7-2
https://www.guidancesoftware.com/tableau/hardware/tx1
https://www.guidancesoftware.com/tableau/hardware//t356789iu
https://www.logicube.com/shop/falcon/?v=7516fd43adaa

If you want to use a software product to create the image by booting the laptop with the drive installed, it will need to support NVMe drives. I haven't personally investigated which tools will work, but I'm sure something out there does.

Posted : 31/08/2017 7:46 pm
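
The check AmNe5iA and Bulldawg describe, as an added example that is not part of any post in this thread: a shell triage of `lsblk` output that tells whether the live distro's kernel enumerated an internal disk at all, and whether it is NVMe. The function names and both sample listings are constructed for illustration, and it assumes the laptop was booted from USB with the evidence drive still installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Reads lines in the format produced by
#   lsblk -dn -P -o NAME,TRAN,TYPE,SIZE
# on stdin and reports whether an internal evidence disk was enumerated.
# Assumption: the examiner booted from USB, so USB-attached disks are skipped.

# Constructed sample: only the boot USB and the squashfs loop device are visible.
SAMPLE_MISSING='NAME="sda" TRAN="usb" TYPE="disk" SIZE="14.9G"
NAME="loop0" TRAN="" TYPE="loop" SIZE="3G"'

# Constructed sample: an NVMe namespace is present; TRAN is left empty on
# purpose to exercise the fallback on the kernel's nvme* device naming.
SAMPLE_NVME='NAME="sda" TRAN="usb" TYPE="disk" SIZE="14.9G"
NAME="loop0" TRAN="" TYPE="loop" SIZE="3G"
NAME="nvme0n1" TRAN="" TYPE="disk" SIZE="477G"'

# Print "<name> <bus>" for every whole disk that is not USB-attached.
evidence_candidates() {
  awk '{
    name = ""; tran = ""; type = ""
    for (i = 1; i <= NF; i++) {
      eq  = index($i, "=")
      key = substr($i, 1, eq - 1)
      val = substr($i, eq + 1)
      gsub(/"/, "", val)
      if (key == "NAME") name = val
      else if (key == "TRAN") tran = val
      else if (key == "TYPE") type = val
    }
    if (type != "disk" || tran == "usb") next   # loop/rom devices, boot media
    if (name ~ /^nvme/) tran = "nvme"           # trust the device name
    if (tran == "") tran = "unknown"
    print name, tran
  }'
}

# Summarise: NOT_ENUMERATED, NVME_PRESENT or NON_NVME_ONLY.
triage() {
  found=$(evidence_candidates)
  if [ -z "$found" ]; then
    echo "NOT_ENUMERATED"
  elif printf '%s\n' "$found" | grep -q ' nvme$'; then
    echo "NVME_PRESENT"
  else
    echo "NON_NVME_ONLY"
  fi
}

printf '%s\n' "$SAMPLE_MISSING" | triage
printf '%s\n' "$SAMPLE_NVME" | triage
```

On a live system, pipe the real listing in with `lsblk -dn -P -o NAME,TRAN,TYPE,SIZE | triage`. A `NOT_ENUMERATED` result means no imaging tool on that boot will find the drive either, GUI or command line.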
timtam
(@timtam)
New Member

Thanks all for the replies.
I went ahead and purchased the Tableau adapter and bridge
https://www.guidancesoftware.com/tableau/hardware/tda7-2
https://www.guidancesoftware.com/tableau/hardware//t7u

I have 3 NVMe SSDs. 2 are Toshiba brand and 1 is Samsung.

When I connect the Samsung SSD, the bridge is able to read it and give me all the device info and so forth.

When I connect the two Toshiba SSDs, both show up as "not connected" on the bridge.

Any thoughts? An SSD issue or Tableau issue? (Cost ~ $600 so I hope not a Tableau issue!)
Has anyone had success with Toshiba NVMe SSDs?

Posted : 13/09/2017 1:11 am
timtam
(@timtam)
New Member

After contacting the supplier for a firmware update, my device was finally able to read the Samsung NVMe SSD.

My follow-up question is, has anyone successfully decrypted a Windows 10 Bitlocker image (I imaged to E01) using the recovery key?

I know EnCase only supports up to Windows 7 Bitlocker. If you have a Windows 10 Bitlocker image, EnCase will recognize the drive and that it is Bitlocker but when you enter the Recovery Key, it loads the drives but it is no encrypted because it is not yet supported. (I don't know why it would even accept it and return you to the evidence screen if it doesn't work.)

I also have two separate Windows 10 w/ Bitlocker SSDs (not NVMe) and when plugged into my host (via a write blocker), my host picks it up and sees it and prompts for the Recovery Key. For both devices, it keeps telling me the key is wrong. I've double checked the identifier. I remember having issues with entering a recovery key on the host device itself and a Dell support guy told me there was some hardware+ssd combo type issue that prevents/allows decryption. Does this make sense to anyone familiar with Bitlocker, how it works with hardware and so forth?

The Dell support guy had no idea what I was referring to when I said 'forensic image' so they are of no help.

Posted : 18/09/2017 10:21 pm