Windows 10 Partition Issue?

15 Posts
5 Users
0 Reactions
3,337 Views
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

Hi

I have just used FTK Imager to perform imaging on some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there's some data in it. How can I solve this issue?

Thanks,

Kenny

 
Posted : 14/08/2020 12:45 pm
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 
Posted by: @ckwongkennyw

Hi

I have just used FTK Imager to perform imaging on some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there's some data in it. How can I solve this issue?

Thanks,

Kenny

Should be a volume with nothing in it.

 
Posted : 14/08/2020 1:13 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

You have a physical image, and as such, there are likely to be partitions with "nothing" in them.

Perhaps if you could provide some information regarding what you're seeing, that might help. 

For example, can you post a screen grab of what you're seeing, indicating your specific question? 

Thanks.

 
Posted : 14/08/2020 2:57 pm
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

I don't know how to post a screenshot here.

The folder setup is like below:

C

|___ Boot, EFI, System Volume Information

D

E

F

|___ $Extend, recovery, System Volume Information

 

I don't know why there's nothing in the D and E volumes. There's data in those sectors when I look into them in disk view.

 
Posted : 14/08/2020 3:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @ckwongkennyw

I don't know how to post a screenshot here.

Which is good, since it is not possible.

Upload the screenshot *somewhere* on a free hosting site, example:

http://www.freeimagehosting.net/

and post a link to it.

jaclaz

 
Posted : 14/08/2020 4:11 pm
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

Thank you.

https://imgur.com/0gZiqSD

View by EnCase

https://imgur.com/2T6Cojd

There is an unrecognised filesystem when viewed by FTK Imager

https://imgur.com/hbwFkYY

I guess this means it is encrypted by bitlocker?

 
Posted : 14/08/2020 6:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yep, last image, after the "jump bytes" EB5890 shows FVE-FS, which is an indicator of a bitlocker encrypted volume.

No idea why "phantom" drive letters are created.

Very likely the laptop uses TPM so you will probably need to decrypt it and image it booted.

jaclaz

 

 
Posted : 15/08/2020 8:49 am
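The FVE-FS indicator jaclaz points at (jump bytes EB 58 90 followed by the OEM ID "-FVE-FS-" at offset 3) can be checked without a GUI. The script below is an added example, not from the thread or from EnCase/FTK Imager: it walks a classic MBR partition table in a raw image and reports what each volume's first sector claims to be, which separates a BitLocker-protected volume from NTFS and from plain unrecognised data. It assumes MBR partitioning (GPT is not parsed) and 512-byte sectors; the sample image is constructed inline.

```python
import struct

SECTOR = 512
# OEM IDs at offset 3 of a volume's first sector, right after the 3 jump bytes.
# FAT32 also uses EB 58 90, so the OEM ID, not the jump, is the discriminator.
OEM_IDS = {
    b"-FVE-FS-": "BitLocker-encrypted volume (FVE)",
    b"NTFS    ": "NTFS",
}

def classify_boot_sector(sector: bytes) -> str:
    """Describe a volume by its jump bytes and 8-byte OEM ID."""
    if len(sector) < 11 or sector[0] not in (0xEB, 0xE9):
        return "unrecognised (no x86 jump; raw or wiped data)"
    oem = sector[3:11]
    if oem in OEM_IDS:
        return OEM_IDS[oem]
    if oem[:5] in (b"MSDOS", b"MSWIN"):
        return "FAT"
    return "unrecognised OEM ID %r" % oem

def mbr_partitions(image: bytes):
    """Yield (type, start_lba, sector_count) for each used MBR table entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    for i in range(4):
        off = 0x1BE + 16 * i          # partition entry i
        ptype = image[off + 4]        # partition type byte
        start, count = struct.unpack_from("<II", image, off + 8)
        if ptype and count:
            yield ptype, start, count

def scan_image(image: bytes) -> list:
    """Return [(type, start_lba, description)] for every partition in the image."""
    results = []
    for ptype, start, count in mbr_partitions(image):
        first = image[start * SECTOR:(start + 1) * SECTOR]
        results.append((ptype, start, classify_boot_sector(first)))
    return results

def build_sample_image() -> bytes:
    """Constructed 4-sector image: MBR, an NTFS volume, a BitLocker volume, free space."""
    def entry(ptype, start, count):
        return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, count)
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1BE + 16] = entry(0x07, 1, 1)
    mbr[0x1CE:0x1CE + 16] = entry(0x07, 2, 1)
    mbr[510:512] = b"\x55\xaa"
    ntfs = b"\xEB\x52\x90NTFS    ".ljust(SECTOR, b"\x00")
    fve = b"\xEB\x58\x90-FVE-FS-".ljust(SECTOR, b"\x00")
    return bytes(mbr) + ntfs + fve + bytes(SECTOR)
```

Run `scan_image(open(path, "rb").read())` on a real MBR image to list each partition's classification; a volume that EnCase shows as empty but that reports "BitLocker-encrypted volume (FVE)" here is encrypted, not blank.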
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

Some of the laptops are Microsoft Surface while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting it using dislocker in Linux

Thanks,

Kenny

 

Posted : 17/08/2020 4:18 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @ckwongkennyw

Some of the laptops are Microsoft Surface while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting it using dislocker in Linux

Thanks,

Kenny

 

Yes and no.

https://support.passware.com/hc/en-us/articles/360024316834-How-to-decrypt-BitLocker-using-Passware-Kit

You need to have a memory dump or - in some cases - an unencrypted hibernation file. One way or the other you need to get the FVEK:

https://github.com/elceef/bitlocker

or, but not that easy/common, you can sniff the TPM:

https://pulsesecurity.co.nz/articles/TPM-sniffing

jaclaz

 
Posted : 17/08/2020 9:08 am
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 
Posted by: @ckwongkennyw

Some of the laptops are Microsoft Surface while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting it using dislocker in Linux

Thanks,

Kenny

 

Hi Kenny,

It sounds like you are looking for a simple solution... if you don't already have an Arsenal license, get one and use Arsenal Image Mounter's (AIM's) Professional Mode to:

1.) Mount a BitLocker-protected disk image using AIM's read-only mode (optionally provide the BitLocker password or recovery key at this point)

2.) Go to AIM's "BitLocker" drop-down menu and select "Save as fully decrypted image file"

3.) If you have not already in the first step, provide the BitLocker password or recovery key

It's that simple, and it's reliable. We are the AIM developers and we also use it in our casework to (among many other things) manage BitLocker within disk images.

Mark

 
Posted : 17/08/2020 12:17 pm