Recovering Deleted Data with Autopsy and BitLocker Images

5 Posts
3 Users
0 Reactions
5,868 Views
(@dmanh)
New Member
Joined: 8 years ago
Posts: 3
Topic starter  

I'm not sure if anyone else has run into this issue before, but I have at times needed to recover deleted and/or orphaned files from whole disk images that are encrypted with BitLocker. I don't have any commercial products and only have open source tools at my disposal.

The issue I always ran into with Autopsy, is that it never recognized the "mounted" image as a local disk, and only logical files. This did not allow me to recover deleted/orphaned data, so I did some research and came up with a solution using Autopsy and Paladin Forensics Suite.

Here is a link to a blog post I wrote up with information on how to do this. I hope to add more tips and tricks to my blog as time goes on.

I'd love to get feedback on it too!


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Nice, thanks. )

If I may, these are not explained very well (only trying to avoid possible misunderstandings)

1. /dev/sdh is the device name. I chose sdh because I already had sda, sdb and sdc used.
2. b specifies this is a block device, or disk drive.
3. 7 is the major device number (see reference for more info).
4. 500 is the minor device number (see reference for more info). You will need to change this number in the highly unlikely event /dev/loop500 already exists.

1. What about /dev/sdd, /dev/sde, /dev/sdf, /dev/sdg? And also /dev/sdc does not appear in the Paladin Disk Manager screenshots.
2. OK.
3. Why 7? and not another number? (the reference man does not explain it beyond stating it must be an integer)
4. Same as above, why 500? Only because it is a high number and it is improbable that a same numbered loop device exists?

Also /dev/sdb2 is not seemingly a 1 Tb disk, but rather a 2 Tb one.

jaclaz


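An added shell example, not from the thread or the blog post, that addresses jaclaz's questions 3 and 4 by deriving the mknod arguments instead of hard-coding them: the major is looked up from /proc/devices (on Linux the loop driver registers as block major 7, which is why the blog's value works), and the minor is the first number at or above 500 for which no /dev/loopN node already exists. The /dev/sdh node name and the embedded /proc/devices sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the blog): look up the loop major and a
# free minor before running the mknod command the blog post describes.

# Constructed sample of /proc/devices output, embedded so the demo runs offline.
SAMPLE_PROC_DEVICES='Character devices:
  1 mem
  4 tty
Block devices:
  7 loop
  8 sd
259 blkext'

# block_major NAME: read /proc/devices text on stdin and print the major number
# registered under NAME in the "Block devices:" section (prints nothing if absent).
block_major() {
  awk -v name="$1" '
    /^Block devices:/ { inblock = 1; next }
    inblock && $2 == name { print $1; exit }
  '
}

# free_loop_minor DEVDIR START: print the first minor >= START for which
# DEVDIR/loop<minor> does not exist, so the new node cannot collide with one in use.
free_loop_minor() {
  dir=$1; minor=$2
  while [ -e "$dir/loop$minor" ]; do
    minor=$((minor + 1))
  done
  echo "$minor"
}

# make_loop_node NODE MAJOR MINOR: create the block special file, refusing to
# overwrite an existing node. Needs root; not called by the demo below.
make_loop_node() {
  if [ -e "$1" ]; then
    echo "$1 already exists" >&2
    return 1
  fi
  mknod "$1" b "$2" "$3"
}

# Offline demo against the sample (real use: block_major loop </proc/devices).
demo() {
  major=$(printf '%s\n' "$SAMPLE_PROC_DEVICES" | block_major loop)
  minor=$(free_loop_minor /dev 500)
  echo "would run: mknod /dev/sdh b $major $minor"   # /dev/sdh assumed, as in the blog
}
demo
```

On a live Paladin boot, replace the sample with `block_major loop </proc/devices` and pass the printed values to `make_loop_node` as root.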
(@dmanh)
New Member
Joined: 8 years ago
Posts: 3
Topic starter  


Great catches! I made some changes based on your feedback. I appreciate that!

Has anyone else run into this issue that this post addresses? Or am I the only one using all open-source and free tools? Haha. P


AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
 

In editing the blog you appear to have copied details about the flags used with dislocker command to the explanation of the flags used with mknod

500 is the minor device number (see reference for more info). You will need to change this number in the highly unlikely event /dev/loop500 already exists–likely not if using Paladin and you haven’t created other loop devices. If the number you choose already exists, you’ll get an error.
-p specifies the BitLocker Recovery Key. Make sure to leave no spaces between the flag and the key. Alternatively, if you leave off the key, it should prompt you for the recovery key after hitting Enter.


(@dmanh)
New Member
Joined: 8 years ago
Posts: 3
Topic starter  


Thanks for pointing that out! Fixed!

