BitLocker: how to image

From ForensicsWiki

Revision as of 18:28, 2 March 2012

Imaging Options

There are multiple ways to image a computer with BitLocker in place.

Traditional Imaging

One can make a traditional (offline) image; the image will contain the BitLocker volume in its encrypted form.

EnCase v6 has an optional encryption module which can decrypt the volume provided the recovery password is available.

The recovery password is a 48-digit numerical key broken up into 8 groups of 6 digits, separated by hyphens (the digits below are a placeholder, not a real key):

123456-123456-123456-123456-123456-123456-123456-123456

There is no whitespace in the password, including at the end.

The recovery password is easily recovered from a BitLocker-protected computer provided it can be logged into; displaying it requires an elevated (administrator) session.

Thus the basic steps are:

1) Make a traditional image. Do this first: booting the original computer in step 2 writes to its disk.
2) Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone. (Booting from a clone has not been tested at this time.)
2.1) Once booted, log into the computer.
2.2) Use the BitLocker control panel applet to display the password. This can also be done from an elevated command prompt with manage-bde -protectors -get C: (substitute the drive letter), which lists the volume's key protectors including the numerical (recovery) password.
2.3) Record the password.
3) Load the image into EnCase v6 or higher with the Encryption module installed.
4) You will be prompted for the password. Simply enter it and continue.
5) If you prefer to have an unencrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will have unencrypted data.
5.1) After adding the encrypted image to your case, right-click on the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter new information about the image. Make sure the destination you select for your new image does not already exist.
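Before typing a hand-copied recovery password into EnCase (step 4), it is worth checking it for transcription errors, since a wrong key only yields a failed decryption with no hint of which digit is wrong. The following Python script is an added example for this page, not code from ForensicsWiki, EnCase or FTK. It relies on the documented format of the 48-digit recovery password (8 groups of 6 decimal digits, each group a multiple of 11 whose quotient fits in 16 bits), uses a constructed sample password that protects nothing, strips whitespace, reports the first defective group, and decodes the groups into the 16-byte value from which BitLocker derives the recovery key.

```python
"""Sanity-check a hand-copied BitLocker recovery password before it goes into EnCase.

Added example for this page; it is not code from ForensicsWiki, EnCase or FTK.
It relies on the documented recovery-password format: 48 decimal digits in 8
groups of 6, each group a multiple of 11 whose quotient fits in 16 bits. The
sample password below is constructed for the demo and protects nothing.
"""
import re

GROUPS = 8
GROUP_DIGITS = 6
MAX_QUOTIENT = 0xFFFF  # group // 11 must be a 16-bit value

# Constructed sample: every group is a multiple of 11 with a 16-bit quotient.
SAMPLE = "123453-000011-720885-456456-111111-654324-222222-000000"


class RecoveryPasswordError(ValueError):
    """Raised with a message naming the first defect found."""


def split_groups(text):
    """Drop all whitespace (EnCase accepts none, not even trailing), then split on
    hyphens; a bare 48-digit string is chunked into 6-digit groups instead."""
    compact = re.sub(r"\s+", "", text)
    if "-" in compact:
        return compact.split("-")
    return [compact[i:i + GROUP_DIGITS] for i in range(0, len(compact), GROUP_DIGITS)]


def validate(text):
    """Return the canonical hyphen-separated password, or raise RecoveryPasswordError."""
    groups = split_groups(text)
    if len(groups) != GROUPS:
        raise RecoveryPasswordError(f"expected {GROUPS} groups, got {len(groups)}")
    for idx, group in enumerate(groups, start=1):
        if not (group.isdigit() and len(group) == GROUP_DIGITS):
            raise RecoveryPasswordError(f"group {idx} ({group!r}) is not {GROUP_DIGITS} digits")
        value = int(group)
        if value % 11:
            # Each group carries a check digit that makes it a multiple of 11;
            # any single mistyped digit in the transcription breaks this.
            raise RecoveryPasswordError(f"group {idx} ({group}) fails the mod-11 check")
        if value // 11 > MAX_QUOTIENT:
            raise RecoveryPasswordError(f"group {idx} ({group}) exceeds the 16-bit range")
    return "-".join(groups)


def is_valid(text):
    try:
        validate(text)
        return True
    except RecoveryPasswordError:
        return False


def to_key_bytes(text):
    """Decode a valid password into the 16 bytes BitLocker stretches into the
    recovery key: each group divided by 11 is a 16-bit value, little-endian, in order."""
    groups = validate(text).split("-")
    return b"".join((int(g) // 11).to_bytes(2, "little") for g in groups)


if __name__ == "__main__":
    print("canonical:", validate(" " + SAMPLE.replace("-", " - ") + "\n"))
    print("key bytes:", to_key_bytes(SAMPLE).hex())
    # A 5-digit group, the kind of slip a hand transcription produces, is caught:
    try:
        validate("123453-000011-720885-456456-111111-654324-22222-000000")
    except RecoveryPasswordError as exc:
        print("rejected:", exc)
```

Run it on the password recorded in step 2.3 before loading the image; a rejected group tells you which six digits to re-check on the original system. The mod-11 property means a single wrong digit anywhere in a group is always detected, so a password that passes is very likely the one that was displayed.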

FTK Live Imaging

FTK Live Imaging of a physical drive

Using FTK Imager Lite, it was determined that a live image of the physical system disk resulted in an image with the BitLocker container still encrypted on it: a physical (sector-level) read bypasses the BitLocker filter driver, so the plaintext the running system sees is not what lands in the image.

Note that the phrase "physical" here corresponds directly with FTK Imager's use of the term in its image acquisition menu.

FTK Live Imaging of a logical partition

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly with FTK Imager's use of the term in its image acquisition menu.

FTK Live Files and Folders collections

This was not attempted, but it seems reasonable to assume this will collect unencrypted files: on a running system with the volume unlocked, file reads go through the file system and the BitLocker driver, which return plaintext.