Difference between pages "BitLocker: how to image" and "Talk:Linux Logical Volume Manager (LVM)"

From ForensicsWiki
= Imaging Options =

There are multiple ways to image a computer with BitLocker security in place, namely:

* Offline imaging
* Live imaging

== Offline imaging ==

An offline image of the disk can be made in the usual way; the resulting image contains the BitLocker-protected volume in its encrypted form.

Tools that can decrypt the image offline, provided the password or the recovery password is available, include:

* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a 48-digit number written as 8 groups of 6 digits separated by hyphens:

<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>

Each 6-digit group is a multiple of 11 and encodes one 16-bit word of the 128-bit recovery key (the group value divided by 11), so a group that is not a multiple of 11, or that is larger than 720885 (65535 times 11), cannot be part of a valid recovery password. The digits above only illustrate the layout; they do not form a valid password.

Note that there is no white space in the recovery password, including at the end; EnCase, for example, does not accept the recovery password if it has trailing white space.

The recovery password can be read from a BitLocker-enabled computer if it can be logged into, or retrieved from escrow (for example Active Directory) if it was backed up there.
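The following Python is an added example (not code from this wiki page, nor from EnCase, dislocker or libbde) that checks a recovery password against the format described above and converts it to the 16 key bytes it encodes, which is the form in which decryption tools consume it before key stretching. It assumes exactly the rules stated here: 8 hyphen-separated groups of 6 digits, each a multiple of 11 whose quotient fits in 16 bits, stored little-endian; the sample password in the block is constructed from a made-up key, and the function names are the example's own.

```python
"""Validate a BitLocker recovery password and recover the 16 key bytes it encodes.

Added example. Assumptions: 8 groups of 6 digits separated by '-', every group a
multiple of 11 whose quotient is a 16-bit word, words stored little-endian.
"""
import re
import struct

GROUP_COUNT = 8
GROUP_RE = re.compile(r"[0-9]{6}\Z")
MAX_GROUP = 0xFFFF * 11  # 720885: the largest 16-bit word times 11


def parse_recovery_password(text: str) -> bytes:
    """Return the 16-byte recovery key encoded by a recovery password.

    Raises ValueError naming the offending group, so a mistyped or mis-pasted
    password is caught before it is handed to a decryption tool.
    """
    if text != text.strip():
        # A trailing newline from a copy-paste is the usual culprit; white space
        # is not part of the password and tools such as EnCase reject it.
        raise ValueError("recovery password has leading or trailing white space")
    groups = text.split("-")
    if len(groups) != GROUP_COUNT:
        raise ValueError(f"expected {GROUP_COUNT} groups separated by '-', got {len(groups)}")
    words = []
    for index, group in enumerate(groups, start=1):
        if not GROUP_RE.match(group):
            raise ValueError(f"group {index} ({group!r}) must be exactly 6 digits")
        value = int(group)
        if value % 11 != 0:
            # The multiple-of-11 rule is the built-in checksum: one wrong digit or a
            # swap of two adjacent digits changes the value modulo 11.
            raise ValueError(f"group {index} ({group}) fails the checksum (not a multiple of 11)")
        if value > MAX_GROUP:
            raise ValueError(f"group {index} ({group}) is larger than {MAX_GROUP}")
        words.append(value // 11)
    # Each group is one 16-bit word of the 128-bit key, little-endian.
    return struct.pack("<8H", *words)


def recovery_password_from_key(key: bytes) -> str:
    """Inverse of parse_recovery_password: format 16 key bytes as a recovery password."""
    if len(key) != 16:
        raise ValueError("recovery key must be 16 bytes")
    return "-".join(f"{word * 11:06d}" for word in struct.unpack("<8H", key))


def check_recovery_password(text: str) -> str:
    """Return 'ok' or the reason the password is malformed (for pre-checking input)."""
    try:
        parse_recovery_password(text)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # The layout placeholder used on this page is not a valid password:
    print(check_recovery_password("123456-123456-123456-123456-123456-123456-123456-123456"))
    # Constructed sample key; the password derived from it round-trips.
    sample_key = bytes(range(16))
    password = recovery_password_from_key(sample_key)
    print(password, parse_recovery_password(password) == sample_key)
```

Running the block reports that the placeholder fails on its first group (123456 is not a multiple of 11), which is why it must not be pasted into a tool as if it were a real password, and then shows a constructed password that parses back to the key it was built from.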
The basic steps are:

# Make an offline full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone (booting from a clone has not been tested at this time; note that if the volume master key is sealed to the original machine's TPM, a clone booted on other hardware will enter BitLocker recovery and itself ask for the recovery password).
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from an elevated command prompt with <code>manage-bde -protectors -get C:</code>, which lists the volume's key protectors including the numerical (recovery) password.
## Record the password exactly as displayed.
#:
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Enter it and continue.
## If you prefer to have an unencrypted image to work with in other tools or to share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain the decrypted data.
## After adding the encrypted image to your case, right-click the drive in the left panel and select "Acquire". Select "Do not add to case". You will be presented with a dialog window to enter information about the new image. Make sure the destination you select for the new image does not already exist.

== Live imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, a live image of the physical system disk was found to still contain the BitLocker volume in encrypted form: BitLocker decrypts on the fly only for reads that go through the mounted volume, so sector-level reads of the physical disk return ciphertext.

Note that the phrase "physical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume that it will collect unencrypted files, since such a collection reads through the mounted file system, below which BitLocker has already decrypted the data.

== See Also ==
* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]

Latest revision as of 10:19, 7 May 2014

Should we change

:To make the volume group known to the system
:vgexport $VOLUMEGROUP

to

:To make the volume group known to the system
:vgimport $VOLUMEGROUP

?

vgexport makes volume groups ''unknown'' to the system, vgimport makes exported volumes ''known'' to the system. See also [http://www.tldp.org/HOWTO/LVM-HOWTO/recipemovevgtonewsys.html this]. You should also remember that both vgexport/vgimport alter the data on the physical device. I also added the "loop" option to the mount command example, since "-o ro" may alter the data in the file system (replay the journal, etc.). [[User:.FUF|.FUF]] ([[User talk:.FUF|talk]]) 10:19, 7 May 2014 (CDT)