Windows 10 Partition Issue?  

ckwongkennyw
(@ckwongkennyw)
New Member

Hi

I have just used FTK Imager to perform imaging on some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there's some data in them. How can I solve this issue?

Thanks,

Kenny

Posted : 14/08/2020 12:45 pm
ckwongkennyw
(@ckwongkennyw)
New Member
Posted by: @ckwongkennyw

Hi

I have just used FTK Imager to perform imaging on some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there's some data in them. How can I solve this issue?

Thanks,

Kenny

Should be volumes with nothing in them.
Posted : 14/08/2020 1:13 pm
keydet89
(@keydet89)
Community Legend

You have a physical image, and as such, there are likely to be partitions with "nothing" in them.

Perhaps if you could provide some information regarding what you're seeing, that might help. 

For example, can you post a screen grab of what you're seeing, indicating your specific question? 

Thanks.

Posted : 14/08/2020 2:57 pm
ckwongkennyw
(@ckwongkennyw)
New Member

I don't know how to post a screenshot here.

The folder setup is like below:

C

|___ Boot, EFI, System Volume Information

D

E

F

|___ $Extend, recovery, System Volume Information

I don't know why there's nothing in the D and E volumes. There is data in those sectors when I look into them in disk view.
Posted : 14/08/2020 3:58 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @ckwongkennyw

I don't know how to post a screenshot here.

Which is good, since it is not possible.

Upload the screenshot *somewhere* on a free hosting site, example:

http://www.freeimagehosting.net/

and post a link to it.

jaclaz

Posted : 14/08/2020 4:11 pm
ckwongkennyw
(@ckwongkennyw)
New Member

Thank you.

https://imgur.com/0gZiqSD

View by EnCase

https://imgur.com/2T6Cojd

There is an unrecognised filesystem when viewed by FTK Imager

https://imgur.com/hbwFkYY

I guess this means it is encrypted by bitlocker?

Posted : 14/08/2020 6:02 pm
jaclaz
(@jaclaz)
Community Legend

Yep, the last image, after the "jump bytes" EB5890, shows FVE-FS, which is an indicator of a BitLocker-encrypted volume.

No idea why "phantom" drive letters are created.

Very likely the laptop uses TPM, so you will probably need to decrypt it and image it booted.

jaclaz

Posted : 15/08/2020 8:49 am
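An added example, not from any poster in this thread: a small Python triage check that reads the first sector of each volume in an image and reports the signature jaclaz describes, so an examiner can tell an unrecognised, BitLocker-protected volume from a plain NTFS one before opening the image in EnCase or FTK Imager. The field offsets beyond the OEM ID (identifier GUID at 0xA0, metadata offsets at 0xB0) are assumed from public BitLocker format documentation such as libbde's notes, and the sample sectors are constructed here, not taken from a real disk.

```python
import struct
import uuid

# Assumed layout of a Windows 7+ BitLocker volume header (from public format notes, not from the thread):
#   offset 0x00: 3-byte jump (EB 58 90)      offset 0x03: 8-byte OEM ID "-FVE-FS-"
#   offset 0xA0: 16-byte BitLocker identifier GUID   offset 0xB0: three 8-byte FVE metadata block offsets
BITLOCKER_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")


def classify_boot_sector(sector: bytes) -> dict:
    """Return what the first 512 bytes of a volume say about its filesystem."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    result = {
        "jump": sector[:3].hex().upper(),                  # e.g. "EB5890" as seen in FTK Imager
        "oem_id": sector[3:11].decode("ascii", "replace"),
        "type": "unknown",
        "bitlocker": False,
    }
    if result["oem_id"] == "-FVE-FS-":
        result["type"] = "BitLocker (FVE-FS)"
        result["bitlocker"] = True
        guid = uuid.UUID(bytes_le=sector[0xA0:0xB0])
        result["guid_ok"] = guid == BITLOCKER_GUID      # sanity check on the identifier GUID
        result["metadata_offsets"] = list(struct.unpack("<3Q", sector[0xB0:0xC8]))
    elif result["oem_id"] == "NTFS    ":
        result["type"] = "NTFS"
    elif sector[510:512] != b"\x55\xaa":
        result["type"] = "no boot signature (raw/unallocated?)"
    return result


def _sector(jump: bytes, oem: bytes, extra: dict) -> bytes:
    """Build a constructed 512-byte boot sector for demonstration only."""
    buf = bytearray(512)
    buf[0:3] = jump
    buf[3:11] = oem
    for off, data in extra.items():
        buf[off:off + len(data)] = data
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed sample sectors (not real disk data): one BitLocker volume, one plain NTFS volume.
FVE_SECTOR = _sector(b"\xEB\x58\x90", b"-FVE-FS-", {
    0xA0: BITLOCKER_GUID.bytes_le,
    0xB0: struct.pack("<3Q", 0x2100000, 0x5200000, 0x8300000),
})
NTFS_SECTOR = _sector(b"\xEB\x52\x90", b"NTFS    ", {})

if __name__ == "__main__":
    for name, sec in (("FVE", FVE_SECTOR), ("NTFS", NTFS_SECTOR)):
        print(name, classify_boot_sector(sec))
```

To run it against a real physical image, seek to each partition's start offset (from the MBR/GPT shown in FTK Imager) and pass the 512 bytes read there to classify_boot_sector.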
ckwongkennyw
(@ckwongkennyw)
New Member

Some of the laptops are Microsoft Surfaces while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting it using dislocker in Linux

Thanks,

Kenny

Posted : 17/08/2020 4:18 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @ckwongkennyw

Some of the laptops are Microsoft Surfaces while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting it using dislocker in Linux

Thanks,

Kenny

Yes and no.

https://support.passware.com/hc/en-us/articles/360024316834-How-to-decrypt-BitLocker-using-Passware-Kit

You need to have a memory dump or - in some cases - an unencrypted hibernation file. One way or the other you need to get the FVEK:

https://github.com/elceef/bitlocker

or, though it is not that easy/common, you can sniff the TPM:

https://pulsesecurity.co.nz/articles/TPM-sniffing

jaclaz

Posted : 17/08/2020 9:08 am
ArsenalConsulting
(@arsenalconsulting)
Junior Member
Posted by: @ckwongkennyw

Some of the laptops are Microsoft Surfaces while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting it using dislocker in Linux

Thanks,

Kenny

Hi Kenny,

It sounds like you are looking for a simple solution... if you don't already have an Arsenal license, get one and use Arsenal Image Mounter's (AIM's) Professional Mode to:

1.) Mount a BitLocker-protected disk image using AIM's read-only mode (optionally provide the BitLocker password or recovery key at this point)

2.) Go to AIM's "BitLocker" drop-down menu and select "Save as fully decrypted image file"

3.) If you have not already in the first step, provide the BitLocker password or recovery key

It's that simple, and it's reliable. We are the AIM developers and we also use it in our casework to (among many other things) manage BitLocker within disk images.

Mark

Posted : 17/08/2020 12:17 pm
watcher
(@watcher)
Active Member
Posted by: @arsenalconsulting

... It's that simple, and it's reliable....

Arsenal is a great product and I've used it successfully many times. However, it does require that you already have the password or recovery key. If the image came from a system using TPM, even having the password is not enough. I know you know all that, I just didn't want the details overlooked by someone who might not.

Posted : 17/08/2020 6:14 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member
Posted by: @watcher
Posted by: @arsenalconsulting

... It's that simple, and it's reliable....

Arsenal is a great product and I've used it successfully many times. However, it does require that you already have the password or recovery key. If the image came from a system using TPM, even having the password is not enough. I know you know all that, I just didn't want the details overlooked by someone who might not.

Hello,

I tried to be clear in #3 about the requirement to enter a password or recovery key.

Please explain in more detail what you mean by:

"If the image came from a system using TPM, even having the password is not enough."

We frequently hear from people who think that BitLocker volumes are somehow TPM protected simply because the systems they came from contained TPM chips, when that is not the case. If TPM-related BitLocker protectors have not been set (e.g. TpmAndPinProtector), TPM is not in play in this context. Even if TPM protectors have been set, the BitLocker recovery key can be used to unlock/fully decrypt/etc. the volume.

Mark

Posted : 17/08/2020 6:39 pm
watcher
(@watcher)
Active Member
Posted by: @arsenalconsulting

... I tried to be clear in #3 about the requirement to enter a password or recovery key.

Please explain in more detail what you mean by:

"If the image came from a system using TPM, even having the password is not enough."

We frequently hear from people who think that BitLocker volumes are somehow TPM protected simply because the systems they came from contained TPM chips, when that is not the case. If TPM-related BitLocker protectors have not been set (e.g. TpmAndPinProtector), TPM is not in play in this context. Even if TPM protectors have been set, the BitLocker recovery key can be used to unlock/fully decrypt/etc. the volume.

Mark

You said:

(optionally provide the BitLocker password or recovery key at this point)

This seemed worded in a manner to suggest that neither is necessary, as opposed to one or the other being required.

My phrase "... using TPM ..." is meant to refer to TPM being in play: using, vice having or containing.

Perhaps you can school me in a misunderstanding. You said:

"Even if TPM protectors have been set, the BitLocker recovery key can be used to unlock/fully decrypt/etc. the volume."

Just to be absolutely clear. We are talking about an image, not a physical volume on the laptop. I know the password is not sufficient to decrypt an image in this circumstance. I guess I didn't address the recovery key.

Posted : 17/08/2020 7:14 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member
Posted by: @watcher

You said:

(optionally provide the BitLocker password or recovery key at this point)

This seemed worded in a manner to suggest that neither is necessary, as opposed to one or the other being required.

Just to be absolutely clear. We are talking about an image, not a physical volume on the laptop. I know the password is not sufficient to decrypt an image in this circumstance. I guess I didn't address the recovery key.

It was worded in such a manner to suggest that it is not necessary to provide the password or recovery key at that step, because it can be provided at step #3. Perhaps we are both leaving too much up to suggestion, and to a reader's familiarity with BitLocker. Step #1 could be made clearer:

1.) Mount a BitLocker-protected disk image using AIM's read-only mode (optionally provide the BitLocker password or recovery key at this point, if not, it must be provided at step #3)

The steps I provided apply to a disk image which contains one or more BitLocker-protected volumes.

Back to the OP, let's see what Kenny is able to accomplish at this point.

Mark

Posted : 17/08/2020 7:29 pm
jaclaz
(@jaclaz)
Community Legend

Maybe we are all saying the same thing with different words and with a different background/experience, leading to a different perception of the possible issues and how common they are.

The recovery key is IMHO usually a myth, something that only exists in the talks of IT specialists, no "normal" user will ever save it anywhere and even if he/she does save it (often on a USB stick), it will either be lost, overwritten or both (and this assumes someone that is cooperating).

The only (maybe) source for a recovery key in a non-corporate environment is the MS account, but having access to it is not "given".

The good guys at Elcomsoft concur with me that TPM is often the enabled protector on laptops/notebooks:

https://blog.elcomsoft.com/2020/05/unlocking-bitlocker-can-you-break-that-password/

TPM only

This is by far the most used protector type on portable devices such as notebooks, Windows tablets and two-in-ones. Your system will boot to login prompt; the VMK will be decrypted with a storage root key (SRK) that is stored in the TPM (or Intel PTT) module and only releases if the system passes the Secure Boot check. This is the most convenient option that effectively protects hard drives but offers weaker protection if the intruder has access to the whole system (computer with TPM and the hard drive).

Hence the yes and no in my previous reply: if you do have the appropriate credentials (recovery key, or the FVEK needed for TPM-protected volumes), accessing/decrypting the image is a breeze; if you don't, you need to procure the key, which is not very straightforward, and specifically in a forensics scenario, in order to procure it you need access to the original hardware AND to perform on it operations that may alter the evidence, so it needs to be well documented.

jaclaz

Posted : 18/08/2020 10:38 am