Windows 10 Partition Issue?

15 Posts
5 Users
0 Reactions
4,068 Views
(@ckwongkennyw)
Active Member
Joined: 5 years ago
Posts: 16
Topic starter  

Hi

I have just used FTK Imager to image some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there is some data in them. How can I solve this issue?

Thanks,

Kenny


   
Quote
(@ckwongkennyw)
Active Member
Joined: 5 years ago
Posts: 16
Topic starter  
Posted by: @ckwongkennyw

Hi

I have just used FTK Imager to image some Windows 10 laptops. The image is a physical image. But when I opened it in EnCase, I found some partitions with nothing in them. But when I check disk view, there is some data in them. How can I solve this issue?

Thanks,

Kenny

Should be: a volume with nothing in it.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 20 years ago
Posts: 3568
 

You have a physical image, and as such, there are likely to be partitions with "nothing" in them.

Perhaps if you could provide some information regarding what you're seeing, that might help. 

For example, can you post a screen grab of what you're seeing, indicating your specific question? 

Thanks.


   
ReplyQuote
(@ckwongkennyw)
Active Member
Joined: 5 years ago
Posts: 16
Topic starter  

I don't know how to post a screenshot here.

The folder setup is like below:

C
|___ Boot, EFI, System Volume Information
D
E
F
|___ $Extend, recovery, System Volume Information

I don't know why there's nothing in the D and E volumes. There is data in those sectors when I look at them in disk view.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 
Posted by: @ckwongkennyw

I don't know how to post a screenshot here.

Which is good, since it is not possible.

Upload the screenshot *somewhere* on a free hosting site, example:

http://www.freeimagehosting.net/

and post a link to it.

jaclaz


   
ReplyQuote
(@ckwongkennyw)
Active Member
Joined: 5 years ago
Posts: 16
Topic starter  

Thank you.

https://imgur.com/0gZiqSD

View by EnCase

https://imgur.com/2T6Cojd

There is an unrecognised filesystem when viewed by FTK Imager

https://imgur.com/hbwFkYY

I guess this means it is encrypted by BitLocker?


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 

Yep, the last image, after the "jump bytes" EB5890, shows FVE-FS, which is an indicator of a BitLocker-encrypted volume.

No idea why "phantom" drive letters are created.

Very likely the laptop uses a TPM, so you will probably need to decrypt it and image it booted.

jaclaz

 


   
ReplyQuote
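The check jaclaz describes, as an added example that is not from any poster in this thread: a Python script that walks the partition table of a raw physical image (GPT, falling back to MBR), reads the first sector of each partition and reports whether it carries a plain NTFS boot sector (jump EB 52 90, OEM ID "NTFS    "), the BitLocker signature (jump EB 58 90, OEM ID "-FVE-FS-"), all zeros, or unrecognised data. So that it runs offline it builds a constructed 32-sector GPT disk in memory with one NTFS volume, one BitLocker volume and one unformatted partition; the partition names, the Basic-data type GUID on all three entries and the function names are the example's own choices.

```python
import struct
import uuid

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# Windows "Basic data" partition type GUID, used here only for the constructed image.
BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")


def read_sector(img, lba):
    """Return one 512-byte sector from a bytes-like image (bytes or mmap)."""
    return bytes(img[lba * SECTOR:(lba + 1) * SECTOR])


def mbr_partitions(img):
    """Parse the four primary MBR entries into (type, start LBA, sectors, name)."""
    mbr = read_sector(img, 0)
    if mbr[510:512] != b"\x55\xAA":
        return []
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((f"0x{ptype:02X}", start, count, ""))
    return parts


def gpt_partitions(img):
    """Parse the primary GPT at LBA 1; None if there is no GPT header at all."""
    hdr = read_sector(img, 1)
    if hdr[:8] != GPT_SIGNATURE:
        return None
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = bytes(img[off:off + entry_size])
        if len(entry) < 128:
            break
        type_guid = uuid.UUID(bytes_le=entry[0:16])
        if type_guid.int == 0:          # unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "ignore").rstrip("\x00")
        parts.append((str(type_guid), first, last - first + 1, name))
    return parts


def classify_vbr(vbr):
    """Identify a volume from the OEM ID at offset 3 of its first sector."""
    oem = vbr[3:11]
    if oem == b"-FVE-FS-":   # EB 58 90 "-FVE-FS-": BitLocker-encrypted volume
        return "bitlocker"
    if oem == b"NTFS    ":   # EB 52 90 "NTFS    ": plain NTFS
        return "ntfs"
    if not any(vbr):         # all zeros: genuinely unformatted or wiped
        return "empty"
    return "unknown"         # data is there, but no boot sector we recognise


def survey(img):
    """List every partition together with what its first sector says it holds."""
    parts = gpt_partitions(img)
    if parts is None:
        parts = mbr_partitions(img)
    return [{"index": i, "type": ptype, "name": name, "start_lba": start,
             "sectors": count, "fs": classify_vbr(read_sector(img, start))}
            for i, (ptype, start, count, name) in enumerate(parts, 1)]


def _vbr(jump, oem):
    s = bytearray(SECTOR)
    s[0:3], s[3:11], s[510:512] = jump, oem, b"\x55\xAA"
    return bytes(s)


def build_sample_image():
    """Constructed 32-sector GPT disk: NTFS, BitLocker and an unformatted partition."""
    img = bytearray(32 * SECTOR)
    # protective MBR with a single type 0xEE entry covering the disk
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 31)
    img[510:512] = b"\x55\xAA"
    img[SECTOR:SECTOR + 8] = GPT_SIGNATURE
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)   # entry array at LBA 2, 4 x 128 bytes
    layout = [(3, b"\xEB\x52\x90", b"NTFS    ", "Windows"),
              (11, b"\xEB\x58\x90", b"-FVE-FS-", "Data"),
              (19, None, None, "Spare")]
    for i, (start, jump, oem, name) in enumerate(layout):
        e = 2 * SECTOR + i * 128
        img[e:e + 16] = BASIC_DATA_GUID.bytes_le
        img[e + 16:e + 32] = uuid.UUID(int=i + 1).bytes_le
        struct.pack_into("<QQ", img, e + 32, start, start + 7)   # eight sectors each
        img[e + 56:e + 56 + 2 * len(name)] = name.encode("utf-16-le")
        if oem:
            img[start * SECTOR:(start + 1) * SECTOR] = _vbr(jump, oem)
    return bytes(img)


if __name__ == "__main__":
    for p in survey(build_sample_image()):
        print(f"{p['index']}: {p['name']:<8} LBA {p['start_lba']:>3} "
              f"({p['sectors']} sectors) -> {p['fs']}")
```

For a real image, pass an `mmap` of the raw file as `img` (the functions only slice it); the image has to be raw (dd/.001), so export or ewfmount an E01 first. A result of "bitlocker" for a partition that a forensic suite lists as an empty volume while disk view shows data is exactly the situation in this thread: the volume is not empty, it is encrypted, and nothing short of the key (or the FVEK) will make its contents parseable.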
(@ckwongkennyw)
Active Member
Joined: 5 years ago
Posts: 16
Topic starter  

Some of the laptops are Microsoft Surface devices while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting them with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting them using dislocker in Linux

Thanks,

Kenny

jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 
Posted by: @ckwongkennyw

Some of the laptops are Microsoft Surface devices while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting them with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting them using dislocker in Linux

Thanks,

Kenny

 

Yes and no.

https://support.passware.com/hc/en-us/articles/360024316834-How-to-decrypt-BitLocker-using-Passware-Kit

You need to have a memory dump or - in some cases - an unencrypted hibernation file. One way or the other you need to get the FVEK:

https://github.com/elceef/bitlocker

or, though not that easy/common, you can sniff the TPM:

https://pulsesecurity.co.nz/articles/TPM-sniffing

jaclaz


   
ReplyQuote
ArsenalConsulting
(@arsenalconsulting)
Eminent Member
Joined: 15 years ago
Posts: 49
 
Posted by: @ckwongkennyw

Some of the laptops are Microsoft Surface devices while some are normal laptops.

I am curious, can the images be decrypted by

  • mounting them with Arsenal Image Mounter in a Windows 10 environment and then imaging the logical volume
  • or decrypting them using dislocker in Linux

Thanks,

Kenny

 

Hi Kenny,

It sounds like you are looking for a simple solution... if you don't already have an Arsenal license, get one and use Arsenal Image Mounter's (AIM's) Professional Mode to:

1.) Mount a BitLocker-protected disk image using AIM's read-only mode (optionally provide the BitLocker password or recovery key at this point)

2.) Go to AIM's "BitLocker" drop-down menu and select "Save as fully decrypted image file"

3.) If you have not already in the first step, provide the BitLocker password or recovery key

It's that simple, and it's reliable. We are the AIM developers and we also use it in our casework to (among many other things) manage BitLocker within disk images.

Mark


   
ReplyQuote
Page 1 / 2
Share: