Hi
I have just used FTK Imager to perform imaging on some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there's some data in them. How can I solve this issue?
Thanks,
Kenny
Should be a volume with nothing in it
You have a physical image, and as such, there are likely to be partitions with "nothing" in them.
Perhaps if you could provide some information regarding what you're seeing, that might help.
For example, can you post a screen grab of what you're seeing, indicating your specific question?
Thanks.
I don't know how to post a screenshot here.
The folder setup is like below:
C
|___ Boot, EFI, System Volume Information
D
E
F
|___ $Extend, recovery, System Volume Information
I don't know why there's nothing in the D and E volumes. There is data in those sectors when I look into them in disk view.
I don't know how to post a screenshot here.
Which is good, since it is not possible.
Upload the screenshot *somewhere* on a free hosting site, example:
http://www.freeimagehosting.net/
and post a link to it.
jaclaz
Thank you.
View by EnCase
There is an unrecognised filesystem when viewed by FTK Imager
I guess this means it is encrypted by bitlocker?
Yep, last image, after the "jump bytes" EB5890 shows FVE-FS, which is an indicator of a BitLocker encrypted volume.
No idea why "phantom" drive letters are created.
Very likely the laptop uses TPM so you will probably need to decrypt it and image it booted.
jaclaz
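The signature check jaclaz describes (jump bytes EB 58 90 followed by "-FVE-FS-" where a plain NTFS volume would carry "NTFS    ") can be scripted over a whole physical image, so every partition is classified before the image goes into EnCase or any other tool. The script below is an added example written for this thread, not code posted by any participant or shipped with FTK Imager, EnCase or Arsenal Image Mounter. It walks the MBR or GPT partition table of a raw image, reads the first sector of each partition and reports what it finds; the sample image it scans by default is constructed in memory (three one-sector volumes: NTFS, BitLocker, zeroed) so it runs offline, and GPT CRC32 fields are deliberately not verified (assumption: the layout is all that is needed here, not an integrity check).

```python
"""Classify every volume in a raw physical image by its boot-sector signature.
Added example for the thread above, not code from any participant.  Pass the
path of a raw image (FTK Imager .001/.dd) as the first argument; with no
argument the constructed in-memory sample image is scanned instead."""
import io
import struct
import uuid

SECTOR = 512
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data type GUID


def read_sectors(f, lba, count=1):
    f.seek(lba * SECTOR)
    return f.read(count * SECTOR)


def classify_boot_sector(boot):
    """Identify a volume from the OEM/signature field at offset 3 of its first sector.
    Plain NTFS: jump bytes EB 52 90 then 'NTFS    '.  BitLocker-protected volume:
    EB 58 90 then '-FVE-FS-'.  A tool that only knows NTFS shows the latter as an
    empty volume although the sectors behind it are full of ciphertext."""
    if len(boot) < SECTOR:
        return "short read"
    sig = boot[3:11]
    if sig == b"-FVE-FS-":
        return "BitLocker (FVE-FS)"
    if sig == b"NTFS    ":
        return "NTFS"
    if sig == b"EXFAT   ":
        return "exFAT"
    if boot[54:62] in (b"FAT12   ", b"FAT16   ") or boot[82:90] == b"FAT32   ":
        return "FAT"
    if not any(boot):
        return "all zeros"
    return "unrecognised (signature %r)" % sig


def mbr_partitions(sector0):
    """Entries of a classic MBR as (type, first_lba, sector_count); [] if no 55AA marker."""
    if sector0[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype and count:
            parts.append((ptype, lba, count))
    return parts


def gpt_partitions(f):
    """Entries of a GPT at LBA 1 as (name, type_guid, first_lba, sector_count); None if no GPT."""
    hdr = read_sectors(f, 1)
    if hdr[:8] != b"EFI PART":
        return None
    entry_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    table = read_sectors(f, entry_lba, -(-n_entries * entry_size // SECTOR))  # ceil division
    parts = []
    for i in range(n_entries):
        ent = table[i * entry_size:(i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=bytes(ent[0:16]))
        if type_guid.int == 0:  # unused slot
            continue
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((name, type_guid, first, last - first + 1))
    return parts


def scan_image(f):
    """[(label, first_lba, sector_count, classification)] per partition; GPT first, MBR fallback."""
    results = []
    gpt = gpt_partitions(f)
    if gpt is not None:
        for name, _tguid, first, count in gpt:
            results.append((name, first, count, classify_boot_sector(read_sectors(f, first))))
    else:
        for ptype, first, count in mbr_partitions(read_sectors(f, 0)):
            label = "MBR type 0x%02X" % ptype
            results.append((label, first, count, classify_boot_sector(read_sectors(f, first))))
    return results


def build_sample_image():
    """Constructed 8-sector GPT image: protective MBR, GPT header, one sector of
    entries, then three one-sector volumes (NTFS at LBA 4, BitLocker at 5, zeroed at 6)."""
    img = bytearray(8 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x00, 0xEE, 1, 7)  # protective MBR entry
    img[510:512] = b"\x55\xaa"
    hdr = bytearray(92)
    hdr[0:8] = b"EFI PART"
    struct.pack_into("<IIIIQQQQ", hdr, 8, 0x00010000, 92, 0, 0, 1, 7, 4, 6)  # CRCs left zero
    hdr[56:72] = uuid.UUID("00000000-0000-4000-8000-000000000001").bytes_le  # disk GUID
    struct.pack_into("<QII", hdr, 72, 2, 4, 128)  # 4 entries of 128 bytes at LBA 2
    img[SECTOR:SECTOR + 92] = hdr
    for slot, (name, lba) in enumerate([("System", 4), ("Data", 5), ("Recovery", 6)]):
        ent = bytearray(128)
        ent[0:16] = BASIC_DATA.bytes_le
        ent[16:32] = uuid.uuid5(uuid.NAMESPACE_URL, name).bytes_le  # unique partition GUID
        struct.pack_into("<QQ", ent, 32, lba, lba)
        ent[56:56 + 2 * len(name)] = name.encode("utf-16-le")
        img[2 * SECTOR + slot * 128:2 * SECTOR + (slot + 1) * 128] = ent
    img[4 * SECTOR:4 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "  # plain NTFS boot sector
    img[5 * SECTOR:5 * SECTOR + 11] = b"\xeb\x58\x90-FVE-FS-"  # BitLocker volume header
    for lba in (4, 5):
        img[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)  # LBA 6 stays zeroed: "nothing" to a parser, data-free in disk view too


def scan_sample_image():
    return scan_image(io.BytesIO(build_sample_image()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            rows = scan_image(fh)
    else:
        rows = scan_sample_image()
    for label, first, count, kind in rows:
        print("%-12s LBA %-12d %-12d sectors  %s" % (label, first, count, kind))
```

On a real image, a partition reported as "BitLocker (FVE-FS)" is the one EnCase lists with no files; one reported as "all zeros" or "unrecognised" is worth a closer look in disk view before assuming encryption. The script reads only the sectors it needs, so it is fine to run against a multi-hundred-gigabyte image.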
Some of the laptops are Microsoft Surfaces while some are normal laptops.
I am curious, can the images be decrypted by
- mounting it with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
- or decrypting it using dislocker in Linux
Thanks,
Kenny
Yes and no.
You need to have a memory dump or - in some cases - an unencrypted hibernation file. One way or the other you need to get the FVEK:
https://github.com/elceef/bitlocker
or, but not that easy/common you can sniff the TPM:
https://pulsesecurity.co.nz/articles/TPM-sniffing
jaclaz
Hi Kenny,
It sounds like you are looking for a simple solution... if you don't already have an Arsenal license, get one and use Arsenal Image Mounter's (AIM's) Professional Mode to:
1.) Mount a BitLocker-protected disk image using AIM's read-only mode (optionally provide the BitLocker password or recovery key at this point)
2.) Go to AIM's "BitLocker" drop-down menu and select "Save as fully decrypted image file"
3.) If you have not already in the first step, provide the BitLocker password or recovery key
It's that simple, and it's reliable. We are the AIM developers and we also use it in our casework to (among many other things) manage BitLocker within disk images.
Mark