Live Acquisition of Vista's BitLocker

(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

I have been working on a BitLocker encrypted system trying to find out how the encryption really works. I am currently working on live imaging and I have created a tool that will image the BitLocker system while it's live so that the encryption is no longer an issue. I have successfully carved the device image as well.

What items and their locations would be useful for me to implement in my program?

A rough screenshot can be seen on my website (it can image multiple drives at the same time).

Thanks
Ryan Manley
Xabersoft


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Ryan,

How does this differ from using any other tool to acquire a live image of a system? Say, FTK Imager, or dd.exe, or EnCase in acquisition mode?


   
ReplyQuote
(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

Ryan,

How does this differ from using any other tool to acquire a live image of a system? Say, FTK Imager, or dd.exe, or EnCase in acquisition mode?

I am currently designing the live analysis to image multiple devices at the same time, as well as to have features to collect potential evidence while it is imaging the device, such as cataloging all the Thumbs.db files on the system, which hold thumbnails even if the original has been deleted. Also, I am having it obtain key Registry values that could assist in the investigation, such as the UserAssist keys and recent documents.

It images exactly as dd.exe does and similarly to FTK. I'm not sure about EnCase, though, as I haven't had a chance to work with the acquisition mode. I am simply working on an easier-to-use program that will be able to run from media on the suspect system and obtain evidence while the system is live with the click of a button.

Basically it images just as any other imager would, except it images multiple devices at once and MD5-hashes each device while imaging.

It also collects potential evidence from directories and obtains the system Registry for later examination.

I am currently working full time and develop these tools in my spare time. I appreciate the help and comments to create and provide these tools. I am also a full-time student; creating tools and doing research on these topics is a great way to fully understand a particular subject. I would like to thank you all.

Ryan Manley


   
ReplyQuote
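The behaviour described in the post above (image several devices at once, MD5 each one while it is being read) is straightforward to show in code. The following is an added example, not the poster's tool and not code from this thread. It uses in-memory stand-ins for the devices so it runs offline; the device names, the sample contents and the output file names are constructed for illustration. The point it adds is the verification step: on a live system the source keeps changing underneath you, so the only digest that means anything is the one computed over the bytes that actually went into the image, and that is what the image file is later re-hashed against.

```python
"""Added example: concurrent live acquisition of raw devices with MD5 computed
on the byte stream as it is read. Not the tool discussed in the thread."""
import hashlib
import io
from concurrent.futures import ThreadPoolExecutor

# 1 MiB chunks: a multiple of the sector size, so unbuffered reads of a raw
# device (\\.\PhysicalDrive0 on Windows, /dev/sdb on Linux) stay aligned.
CHUNK = 1 << 20


def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst chunk by chunk, hashing every chunk as it is read.

    Returns (md5_hex, bytes_copied). The digest covers exactly the bytes that
    were written to the image. On a live system the device keeps changing, so
    re-reading and re-hashing the device afterwards is not a verification;
    re-hashing the image file against this value is.
    """
    h = hashlib.md5()
    copied = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        h.update(buf)
        dst.write(buf)
        copied += len(buf)
    dst.flush()
    return h.hexdigest(), copied


def image_devices(targets, workers=None):
    """Image several devices concurrently.

    targets: {name: (readable_src, writable_dst)}, opened and closed by the
    caller. Returns {name: (md5_hex, bytes_copied)}. One thread per device;
    hashlib releases the GIL while hashing, so hashing and I/O overlap.
    """
    def job(item):
        name, (src, dst) = item
        return name, image_device(src, dst)

    with ThreadPoolExecutor(max_workers=workers or len(targets)) as ex:
        return dict(ex.map(job, targets.items()))


def verify_image(image, expected_md5, chunk=CHUNK):
    """Re-hash a finished image (bytes or a readable) against the recorded digest."""
    src = io.BytesIO(image) if isinstance(image, (bytes, bytearray)) else image
    h = hashlib.md5()
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        h.update(buf)
    return h.hexdigest() == expected_md5


def run_demo():
    """Constructed stand-in devices so the example runs without real hardware.

    For a real acquisition the sources would be e.g.
        open(r"\\.\PhysicalDrive0", "rb", buffering=0)   # needs Administrator on Windows
    and the destinations open("PhysicalDrive0.dd", "wb"); everything else is unchanged.
    """
    sources = {
        "PhysicalDrive0": b"abc",                      # tiny device, known MD5 test vector
        "PhysicalDrive1": bytes(range(256)) * 5000,    # 1,280,000 bytes: spans two chunks
    }
    images = {name: io.BytesIO() for name in sources}
    targets = {name: (io.BytesIO(data), images[name]) for name, data in sources.items()}
    results = image_devices(targets)
    return results, {name: buf.getvalue() for name, buf in images.items()}


if __name__ == "__main__":
    results, images = run_demo()
    for name, (digest, size) in results.items():
        ok = verify_image(images[name], digest)
        print(f"{name}: {size} bytes, md5 {digest}, image verifies: {ok}")
```

The digest and byte count returned per device are what an acquisition log should record alongside the image; a later `verify_image` over the .dd file is the check an examiner can repeat, whereas the live device itself will never hash to the same value twice.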
Share: