Difference between pages "Tools:Data Recovery" and "BitLocker: how to image"

From ForensicsWiki

Left page: Tools:Data Recovery (latest edit summary: "Added Magic Rescue File Carver and MBR extraction info.")
Right page: BitLocker: how to image (latest edit summary: "Traditional Imaging")

Tools:Data Recovery (left side of the comparison):

= Partition Recovery =

*[http://www.ptdd.com/index.htm Partition Table Doctor]
: Recovers deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
*[http://www.diskinternals.com/ntfs-recovery/ NTFS Recovery]
: DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks.
*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
: gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
*[http://www.cgsecurity.org/wiki/TestDisk TestDisk]
: TestDisk is open-source software licensed under the GNU Public License (GPL).

== See Also ==
* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]

== Notes ==
* "fdisk /mbr" restores the boot code in the [[Master boot record]], but not the partitions themselves. On newer versions of Windows you should use fixmbr, bootrec or mbrfix. You can also extract a copy of the standard MBR boot code from tools such as bootrec.exe and diskpart.exe in Windows (at various offsets) and copy it to disk with dd (use bs=446 count=1). For Windows XP SP2, in c:\%WINDIR%\System32\diskpart.exe the MBR code is found between offsets 1b818h and 1ba17h.

= Data Recovery =

*[http://www.toolsthatwork.com/bringback.htm BringBack]
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems, and for digital images stored on memory cards, etc.
*[http://www.runtime.org/raid.htm RAID Reconstructor]
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (striping) and RAID Level 5 drives.
*[http://www.salvationdata.com Salvation Data]
: Claims to have a program that can read the "bad blocks" of Maxtor drives using proprietary commands.
* [http://www.e-rol.com/en/ e-ROL]
: e-ROL allows you to recover, over the internet, files erased by mistake. Recover your files online for free.
* [http://www.recuva.com/ Recuva]
: Recuva is a freeware Windows tool that will recover accidentally deleted files.
* [http://www.snapfiles.com/get/restoration.html Restoration]
: Restoration is a freeware Windows program that will allow you to recover deleted files.
* [http://www.undelete-plus.com/ Undelete Plus]
: Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems, and can perform recovery on various solid state devices.
* [http://www.data-recovery-software.net/ R-Studio]
: R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on.

= Carving =

*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
: Data carving runs on multiple threads to make use of modern processors.
*[http://foremost.sourceforge.net/ Foremost]
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.
*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
*[[EnCase]]
: EnCase comes with some EnScripts that will do carving.
*[http://ocfa.sourceforge.net/libcarvpath/ CarvFs]
: A virtual filesystem (FUSE) implementation that gives carving tools the possibility to do recursive multi-tool zero-storage carving (also called in-place carving). Patches and scripts for Scalpel and Foremost are provided. Works on raw and EnCase images.
*[http://ocfa.sourceforge.net/libcarvpath/ LibCarvPath]
: A shared library that allows carving tools to use zero-storage carving on CarvFs virtual files.
*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
: PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence its "Photo Recovery" name) from digital camera memory.
*[http://www.datarescue.com/photorescue/ PhotoRescue]
: DataRescue PhotoRescue Advanced is a picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged CompactFlash (CF) cards, SD cards, Memory Sticks, SmartMedia and xD cards.
* [https://www.uitwisselplatform.nl/projects/revit RevIt]
: RevIt (Revive It) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses "file structure based carving". Note that RevIt is currently a work in progress.
* [http://jbj.rapanden.dk/magicrescue/ Magic Rescue]
: Magic Rescue is a file carving tool that uses "magic bytes" in a file's contents to recover data.

BitLocker: how to image (right side of the comparison):

= Imaging Options =

There are multiple ways to image a computer with BitLocker in place.

== Traditional Imaging ==

One can make a traditional image; the image will then contain the volume's data in encrypted form.

Tools exist that can decrypt the image offline, provided the password or recovery password is available. Some of them are:
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a long series of digits broken up into 8 hyphen-separated segments:
<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>

Note that the recovery password contains no white space, not even at the end; EnCase, for example, does not accept the recovery password if there is trailing white space.

The recovery password can be retrieved from a BitLocker-enabled computer provided one can log into it, or from escrow if it was stored there.

The basic steps are:

# Make a "traditional" full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone (booting from a clone has not been tested at this time).
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from the command line.
## Record the password.
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Simply enter it and continue.
## If you prefer to have an unencrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain unencrypted data.
## After adding the encrypted image to your case, right-click on the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter new information about the image. Make sure the destination you select for your new image does not already exist.

== Live Imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image containing the encrypted BitLocker container.

Note that the term "physical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the term "logical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

== See Also ==
* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]

Revision as of 02:03, 15 July 2013

Imaging Options

There are multiple ways to image a computer with BitLocker in place.

Traditional Imaging

One can make a traditional image; the image will then contain the volume's data in encrypted form.

Tools exist that can decrypt the image offline, provided the password or recovery password is available. Some of them are dislocker, EnCase (as of version 6) with the optional encryption module, and libbde.

The recovery password is a long series of digits broken up into 8 hyphen-separated segments:

123456-123456-123456-123456-123456-123456-123456-123456

Note that the recovery password contains no white space, not even at the end; EnCase, for example, does not accept the recovery password if there is trailing white space.
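As an added example (not part of the original wiki page), the following Python checks a candidate recovery password for exactly the problems described above, white space included, and converts it to the 16-byte intermediate key that offline decryption tools derive from it before key stretching. The format rules it encodes (48 digits in 8 hyphenated groups of 6, each group a 16-bit value multiplied by 11) are BitLocker's documented recovery-password format rather than something stated on this page; the sample passwords are constructed for the demonstration and belong to no real system.

```python
import re

# BitLocker recovery-password format (documented format, not from the page):
# 48 decimal digits in 8 hyphen-separated groups of 6, and nothing else.
# Each group is a 16-bit value times 11 (the last digit acts as a check
# digit), so a group must be divisible by 11 and below 65536 * 11.
GROUP_COUNT = 8
GROUP_MAX = 65536 * 11  # 720896
_PATTERN = re.compile(r"^\d{6}(-\d{6}){7}$")


def check_recovery_password(text):
    """Return (ok, reason). Any white space, including a trailing space or
    newline pasted along with the password, is rejected up front because
    tools such as EnCase reject it too."""
    if any(c.isspace() for c in text):
        return False, "contains white space (check for a trailing space or newline)"
    if not _PATTERN.match(text):
        return False, "expected %d hyphen-separated groups of 6 digits" % GROUP_COUNT
    for i, group in enumerate(text.split("-"), 1):
        value = int(group)
        if value % 11 != 0:
            return False, "group %d (%s) fails the divisible-by-11 check" % (i, group)
        if value >= GROUP_MAX:
            return False, "group %d (%s) is too large" % (i, group)
    return True, "ok"


def recovery_password_to_key(text):
    """Convert a valid recovery password to the 16-byte intermediate key:
    each group divided by 11, stored as a 16-bit little-endian integer.
    Decryption tools then stretch this key (SHA-256 based) before using it
    to unwrap the volume master key; the stretching is not shown here."""
    ok, reason = check_recovery_password(text)
    if not ok:
        raise ValueError(reason)
    return b"".join((int(g) // 11).to_bytes(2, "little") for g in text.split("-"))


# Constructed sample values, not recovery passwords from any real system.
VALID_SAMPLE = "000011-720885-135795-550000-000022-001100-109989-475310"
# The layout shown on the page: right shape, but 123456 is not a multiple of 11.
PAGE_LAYOUT_SAMPLE = "123456-123456-123456-123456-123456-123456-123456-123456"

if __name__ == "__main__":
    for candidate in (VALID_SAMPLE, VALID_SAMPLE + " ", PAGE_LAYOUT_SAMPLE):
        print(repr(candidate), check_recovery_password(candidate))
    print(recovery_password_to_key(VALID_SAMPLE).hex())
```

Running the script shows that the 123456 pattern on this page only illustrates the layout, and that the valid sample with a single trailing space is rejected, which is the failure mode the EnCase remark describes. On a live Windows system the hyphenated string can be listed with `manage-bde -protectors -get C:`; dislocker's `-p` option and libbde's `bdemount -r` accept it in the same hyphenated form.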

The recovery password can be retrieved from a BitLocker-enabled computer provided one can log into it, or from escrow if it was stored there.

The basic steps are:

  1. Make a "traditional" full disk image.
  2. Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone (booting from a clone has not been tested at this time).
    1. Once booted, log into the computer.
    2. Use the BitLocker control panel applet to display the password. This can also be done from the command line.
    3. Record the password.
  3. For EnCase v6 or higher with the encryption module installed:
    1. Load the image into EnCase.
    2. You will be prompted for the password. Simply enter it and continue.
    3. If you prefer to have an unencrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain unencrypted data.
    4. After adding the encrypted image to your case, right-click on the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter new information about the image. Make sure the destination you select for your new image does not already exist.

Live Imaging

FTK Live Imaging of a physical drive

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image containing the encrypted BitLocker container.

Note that the term "physical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.
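To confirm that a physical image really captured the encrypted container, as described above, the following Python walks the MBR partition table of a raw image and inspects the first sector of each partition for the BitLocker volume signature. This is an added example, not code from the page or from FTK Imager; it assumes an MBR-partitioned disk with 512-byte sectors, relies on the "-FVE-FS-" OEM identifier that BitLocker writes at offset 3 of the volume header (a documented BitLocker format detail, not something stated on this page), and builds a small two-partition image in memory as constructed sample input.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"   # last two bytes of sector 0
# OEM identifiers found at offset 3 of a volume's first sector.
BITLOCKER_OEM = b"-FVE-FS-"   # BitLocker-encrypted volume (documented format)
NTFS_OEM = b"NTFS    "        # plain NTFS volume


def mbr_boot_code(image):
    """The boot code occupies the first 446 bytes of sector 0; the partition
    table and signature fill the remaining 66 bytes (hence dd bs=446 count=1)."""
    return bytes(image[:446])


def parse_mbr(image):
    """Return (index, type_byte, lba_start, sector_count) for every used
    primary partition entry."""
    if image[0x1FE:0x200] != MBR_SIGNATURE:
        raise ValueError("no MBR signature in sector 0")
    entries = []
    for i in range(4):
        raw = image[MBR_TABLE_OFFSET + 16 * i:MBR_TABLE_OFFSET + 16 * (i + 1)]
        part_type = raw[4]                         # after status + CHS start
        lba, count = struct.unpack("<II", raw[8:16])
        if part_type != 0 and count != 0:
            entries.append((i + 1, part_type, lba, count))
    return entries


def classify_volume(image, lba):
    """Classify the volume whose first sector sits at the given LBA."""
    sector = image[lba * SECTOR:(lba + 1) * SECTOR]
    oem = sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def scan_image(image):
    """Map every MBR partition in a physical image to its content type."""
    return [(idx, lba, classify_volume(image, lba))
            for idx, _type, lba, _count in parse_mbr(image)]


def build_sample_image():
    """Constructed two-partition image (not data from any real system):
    partition 1 is a BitLocker container, partition 2 is plain NTFS."""
    image = bytearray((4096 + 8) * SECTOR)
    image[0:3] = b"\xeb\x3c\x90"                   # stand-in boot code

    def entry(part_type, lba, count):
        return (b"\x00" + b"\x00\x00\x00" + bytes([part_type]) +
                b"\x00\x00\x00" + struct.pack("<II", lba, count))

    table = entry(0x07, 2048, 2048) + entry(0x07, 4096, 8) + b"\x00" * 32
    image[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 64] = table
    image[0x1FE:0x200] = MBR_SIGNATURE
    image[2048 * SECTOR:2048 * SECTOR + 11] = b"\xeb\x52\x90" + BITLOCKER_OEM
    image[4096 * SECTOR:4096 * SECTOR + 11] = b"\xeb\x52\x90" + NTFS_OEM
    return bytes(image)


if __name__ == "__main__":
    for idx, lba, kind in scan_image(build_sample_image()):
        print("partition %d at LBA %d: %s" % (idx, lba, kind))
```

A logical image taken at partition level starts with the volume boot sector itself, so `classify_volume(image, 0)` answers the same question for that kind of acquisition. `mbr_boot_code` isolates the 446 bytes of boot code that the Tools:Data Recovery notes refer to, as distinct from the partition table that follows it in the same sector.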

FTK Live Imaging of a logical partition

This has not been verified to work or fail at this time.

Note that the term "logical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

FTK Live Files and Folders collections

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

See Also

BitLocker Disk Encryption
Defeating Whole Disk Encryption