FTK Imager Windows 10 with BitLocker


enigmazn

New Member
Mar 29, 2019
3
1
#1
New to forensics and would like some help. I have captured an image of a Windows 10 SSD and this is my issue.
The device is a laptop with BitLocker enabled. I did log into the laptop with local admin access. I have captured an image using FTK Imager (ran as admin); the image capture was successful, 100+GB. Now the issue is when I go back to FTK Imager to check and add the evidence image file: while it all loads up, the main partition is showing up as "Unrecognized file system [Data]". I am unable to view anything. Am I doing anything wrong? Is there something I can do to view the partition? The image is not corrupted. I would be grateful for any help. Please let me know if you have additional questions I can answer.
 
Mar 29, 2019
2
1
#2
FTK Imager will not be able to decrypt the image. In order to see the partition, you will need the forensic suite. AD Enterprise, Lab etc., EnCase 8, or X-Ways will start to look at the drive and let you know you will need the password to proceed in the process. The image you have will work, however not without the suite. If you want to use Imager, you will need to make the logical image of the partition or user's folder.
 

enigmazn

New Member
Mar 29, 2019
3
1
#3
FTK Imager will not be able to decrypt the image. In order to see the partition, you will need the forensic suite. AD Enterprise, Lab etc., EnCase 8, or X-Ways will start to look at the drive and let you know you will need the password to proceed in the process. The image you have will work, however not without the suite. If you want to use Imager, you will need to make the logical image of the partition or user's folder.
Thank you, I thought so, however I was not 100% sure. I am in the process of getting FTK Toolkit. So I shouldn't be worried? The image file is roughly the same size as the SSD on the device; it's just because it's encrypted by BitLocker that it is showing as Unrecognized file system. Correct me if anything I said is wrong. Again, thank you!
 

mjpetersen

New Member
Mar 29, 2019
2
1
#4
Really depends on how you made the image. If you selected to make the physical image, you should be good; however, if you made the logical image, you may have an issue. I use "may" because until you see the device, you won't know. I have had Imager report a good image, but it did not give me the logical partition because I did not capture the header of the encrypted partition, and therefore missed getting the correct data.
 

enigmazn

New Member
Mar 29, 2019
3
1
#5
Really depends on how you made the image. If you selected to make the physical image, you should be good; however, if you made the logical image, you may have an issue. I use "may" because until you see the device, you won't know. I have had Imager report a good image, but it did not give me the logical partition because I did not capture the header of the encrypted partition, and therefore missed getting the correct data.
Thank you for your input. Yes, captured using physical.
 
Oct 22, 2018
6
Ratings
9
3
Greater Chicago Area
#6
If you have the BitLocker credentials, you can mount the image on a Linux workstation, decrypt using Dislocker, and reimage. It is a pretty straightforward process and the steps can be found with a quick Google search.

Another method that is a little messier is to restore the image to a disk, attach that disk to a Windows computer, and unlock using BitLocker. I would only suggest this to take a quick look/triage while waiting for the license of the forensic tools as some timestamps could be accidentally updated.

On a side note, if you took a logical image while the computer was on, the image should not have encryption enabled. By getting the physical image, the encryption is included. At least that is how I learned it.
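As an added example (not part of any post in this thread), here is a quick way to confirm that an "Unrecognized file system" partition in a physical image is a BitLocker volume and that its header was captured: walk the partition table and read the OEM ID at bytes 3-10 of each volume boot sector, where BitLocker volumes carry `-FVE-FS-`. It assumes a raw (dd/.001) image with 512-byte sectors; the function names are illustrative.

```python
import struct
import sys

SECTOR = 512  # assumption: 512-byte logical sectors in a raw (dd/.001) image
SIGNATURES = {b"-FVE-FS-": "BitLocker (encrypted)",
              b"NTFS    ": "NTFS",
              b"EXFAT   ": "exFAT"}

def partition_starts(img):
    """Return partition start LBAs from the GPT, or from the MBR if no GPT."""
    img.seek(SECTOR)
    hdr = img.read(SECTOR)
    if hdr[:8] == b"EFI PART":
        # GPT header: entry-array LBA @72, entry count @80, entry size @84
        entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
        img.seek(entries_lba * SECTOR)
        table = img.read(count * size)
        starts = []
        for i in range(count):
            entry = table[i * size:(i + 1) * size]
            if len(entry) == size and any(entry[:16]):  # zero type GUID = unused
                starts.append(struct.unpack_from("<Q", entry, 32)[0])
        return starts
    img.seek(0)
    mbr = img.read(SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        return []
    starts = []
    for i in range(4):  # four primary entries, 16 bytes each, from offset 446
        ptype = mbr[446 + 16 * i + 4]
        lba = struct.unpack_from("<I", mbr, 446 + 16 * i + 8)[0]
        if ptype != 0 and lba:
            starts.append(lba)
    return starts

def classify_volumes(img):
    """Map each partition start LBA to the file system named in its boot sector."""
    result = {}
    for lba in partition_starts(img):
        img.seek(lba * SECTOR + 3)  # OEM ID field: bytes 3..10 of the boot sector
        result[lba] = SIGNATURES.get(img.read(8), "unknown")
    return result

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as f:  # open read-only; the image is not modified
        for lba, kind in classify_volumes(f).items():
            print(f"partition @ LBA {lba} (byte offset {lba * SECTOR}): {kind}")
```

A partition reported as BitLocker means the volume header is present in the image, and the printed byte offset is the value a decryption tool needs to locate that volume inside the full-disk image.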
 
