FTK Imager: Windows 10 with BitLocker
#1 enigmazn (Mar 29, 2019)
New to forensics and would like some help. I have captured an image of a Windows 10 SSD, and this is my issue.
The device is a laptop with BitLocker enabled. I did log into the laptop with local admin access. I captured an image using FTK Imager (run as admin) and the capture was successful, 100+ GB. Now the issue is that when I go back to FTK Imager to check and add the evidence image file, everything loads, but the main partition shows up as "Unrecognized file system [Data]". I am unable to view anything. Am I doing anything wrong? Is there something I can do to view the partition? The image is not corrupted. I would be grateful for any help. Please let me know if you have additional questions; I can give more details.
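The "Unrecognized file system" label in the original post is what a viewer shows when the first sector of a partition does not carry a file-system signature it knows. On a BitLocker volume (Windows 7 and later) that sector holds the OEM ID "-FVE-FS-" where an NTFS volume would have "NTFS    ". The script below is an added example, not code from the thread or from FTK Imager: it walks the partition table of a raw physical image (MBR, or GPT behind a protective MBR), reads each partition's boot sector and reports what it finds, together with the byte offset of the partition, which is the value a tool that decrypts inside the image needs (dislocker's -O option is assumed as the consumer). The disk at the bottom is constructed in memory so the script runs offline; Vista-era volumes, which to my knowledge keep an NTFS OEM ID, are not detected by this check.

```python
"""Scan a raw disk image for BitLocker volumes (added example, not code from
the forum thread or FTK Imager). Reads the MBR, or the GPT behind a
protective MBR, then checks each partition's first sector for the BitLocker
OEM ID "-FVE-FS-"; that is the sector where a viewer expects "NTFS    " and
otherwise reports an unrecognised file system. The byte offsets reported are
what dislocker's -O option (assumed here) takes. The sample disk at the bottom
is constructed in memory."""
import io
import struct
import uuid

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"
KNOWN_OEM = {b"NTFS    ": "NTFS", b"EXFAT   ": "exFAT",
             b"MSDOS5.0": "FAT", b"MSWIN4.1": "FAT"}
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # GPT type GUID


def read_at(f, offset, length):
    """Seek-and-read so a 100+ GB image is never loaded whole."""
    f.seek(offset)
    return f.read(length)


def classify_volume(boot_sector):
    """Label a volume boot sector; 'unknown' is what an imager calls 'Unrecognized'."""
    oem = boot_sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    return KNOWN_OEM.get(oem, "unknown")


def mbr_partitions(f):
    """Yield (number, first_lba, sector_count, type_byte) from the MBR."""
    mbr = read_at(f, 0, SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; not a raw physical image?")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            yield i + 1, first_lba, count, ptype


def gpt_partitions(f):
    """Yield (number, first_lba, sector_count, type_guid) from the primary GPT."""
    hdr = read_at(f, SECTOR, SECTOR)
    if hdr[:8] != b"EFI PART":
        raise ValueError("protective MBR present but no GPT header at LBA 1")
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        entry = read_at(f, entries_lba * SECTOR + i * entry_size, entry_size)
        type_guid = uuid.UUID(bytes_le=entry[0:16])
        if type_guid.int == 0:          # unused slot
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        yield i + 1, first_lba, last_lba - first_lba + 1, str(type_guid)


def scan_image(f):
    """Return [(partition_no, byte_offset, label)] for every partition."""
    parts = list(mbr_partitions(f))
    if any(p[3] == 0xEE for p in parts):   # protective MBR: this is a GPT disk
        parts = list(gpt_partitions(f))
    return [(num, lba * SECTOR, classify_volume(read_at(f, lba * SECTOR, SECTOR)))
            for num, lba, _count, _ptype in parts]


def build_sample_image():
    """Constructed 64-sector GPT disk: partition 1 is NTFS, partition 2 is BitLocker."""
    img = bytearray(64 * SECTOR)
    # protective MBR entry: type 0xEE, starting at LBA 1, spanning the disk
    struct.pack_into("<8BII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 63)
    img[510:512] = b"\x55\xaa"
    # GPT header at LBA 1: signature, then entry array at LBA 2, 4 entries x 128 bytes
    img[SECTOR: SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)
    for idx, (first, last) in enumerate([(40, 47), (48, 63)]):
        off = 2 * SECTOR + idx * 128
        img[off: off + 16] = BASIC_DATA.bytes_le
        img[off + 16: off + 32] = uuid.UUID(int=idx + 1).bytes_le   # fixed unique GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
    # volume boot sectors: x86 jump instruction followed by the OEM ID
    img[40 * SECTOR: 40 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    img[48 * SECTOR: 48 * SECTOR + 11] = b"\xeb\x58\x90-FVE-FS-"
    return bytes(img)


def scan_sample():
    """Scan the constructed disk; partition 2 comes back as 'bitlocker'."""
    return scan_image(io.BytesIO(build_sample_image()))


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    for num, off, label in scan_image(src):
        print(f"partition {num}: byte offset {off}: {label}")
```

Run it against the raw (.001/.dd) image with the path as the only argument; for an E01 image mount or convert it to raw first, since the script reads sectors by offset. A partition reported as "bitlocker" is intact encrypted data, not a corrupt image, which is the situation in the post.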
#2 (Mar 29, 2019)
FTK Imager will not be able to decrypt the image. In order to see the partition, you will need the forensic suite: AD Enterprise, Lab, etc., EnCase 8 or X-Ways will start to look at the drive and let you know you will need the password to proceed. The image you have will work, but not without the suite. If you want to use Imager, you will need to make a logical image of the partition or of the user's folder.
#3 enigmazn (Mar 29, 2019)
> FTK Imager will not be able to decrypt the image. In order to see the partition, you will need the forensic suite: AD Enterprise, Lab, etc., EnCase 8 or X-Ways will start to look at the drive and let you know you will need the password to proceed. The image you have will work, but not without the suite. If you want to use Imager, you will need to make a logical image of the partition or of the user's folder.

Thank you, I thought so, but was not 100% sure. I am in the process of getting FTK Toolkit. So I shouldn't be worried? The image file is roughly the same size as the SSD in the device, and it is just because it is encrypted by BitLocker that it shows as "Unrecognized file system". Correct me if anything I said is wrong. Again, thank you!
#4 mjpetersen (Mar 29, 2019)
It really depends on how you made the image. If you selected a physical image, you should be good; however, if you made a logical image, you may have an issue. I say "may" because, until you see the device, you won't know. I have had Imager report a good image but not give me the logical partition, because I did not capture the header of the encrypted partition and therefore missed getting the correct data.
#5 enigmazn (Mar 29, 2019)
> It really depends on how you made the image. If you selected a physical image, you should be good; however, if you made a logical image, you may have an issue. I say "may" because, until you see the device, you won't know. I have had Imager report a good image but not give me the logical partition, because I did not capture the header of the encrypted partition and therefore missed getting the correct data.

Thank you for your input. Yes, it was captured using physical.
#6 JLowery (Greater Chicago Area)
If you have the BitLocker credentials, you can mount the image on a Linux workstation, decrypt it using Dislocker, and re-image. It is a pretty straightforward process and the steps can be found with a quick Google search.

Another method that is a little messier is to restore the image to a disk, attach that disk to a Windows computer, and unlock it using BitLocker. I would only suggest this for a quick look/triage while waiting for the license for the forensic tools, as some timestamps could be accidentally updated.

On a side note, if you took a logical image while the computer was on, the image should not have encryption enabled. By taking the physical image, the encryption is included. At least that is how I learned it.
#7 (Mar 29, 2019)
Another method you could try is connecting the drive to your forensic system through a write blocker, opening a command prompt and entering the following:

manage-bde -unlock I: -RecoveryPassword ######-######-######-######-######

where I: is the drive to be unlocked and the ###### groups are the BitLocker key.
From there you can open FTK Imager and image the logical partition of the BitLocker device.
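Both unlock routes in this thread (dislocker on the image in #6, manage-bde on the write-blocked drive in #7) take the 48-digit recovery password, and both simply refuse a mistyped one. The script below is an added example, not code from the thread, dislocker or Microsoft: it checks the password's structure before it is typed anywhere (8 groups of 6 digits, each group a multiple of 11 whose quotient fits in 16 bits, so the whole password carries a 128-bit key), decodes the key bytes the groups encode, and builds the two command lines. The manage-bde flags are those shown in post #7; the dislocker flags (-r read-only, -O byte offset into the image, -V volume, -p recovery password) are given as I know them from its usage text. The drive letter, image path, offset and mount points are placeholders, and the two sample passwords are constructed for the test.

```python
"""Check a BitLocker 48-digit recovery password, then build the manage-bde
and dislocker unlock commands. Added example; not code from the forum thread,
from dislocker or from Microsoft. The structure check is the documented
format of the recovery password: 8 groups of 6 digits, each a multiple of 11
with a quotient below 2**16, concatenated as little-endian 16-bit words."""
import re
import shlex
import struct

GROUP_RE = re.compile(r"^\d{6}$")
MAX_GROUP = 0xFFFF * 11          # 720885: largest value a group can hold

# Constructed samples: groups 1*11 .. 8*11, and the same with one digit mistyped.
SAMPLE_VALID = "000011-000022-000033-000044-000055-000066-000077-000088"
SAMPLE_TYPO = "000011-000022-000033-000044-000055-000066-000077-000089"


def parse_recovery_password(text):
    """Return the 16 key bytes the password encodes, or raise ValueError
    naming the first group that fails, which localises a transcription error."""
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups of 6 digits, got {len(groups)} groups")
    key = bytearray()
    for i, g in enumerate(groups, 1):
        if not GROUP_RE.match(g):
            raise ValueError(f"group {i} is not six digits: {g!r}")
        val = int(g)
        if val % 11:
            raise ValueError(f"group {i} fails the divisible-by-11 check: {g}")
        if val > MAX_GROUP:
            raise ValueError(f"group {i} exceeds {MAX_GROUP}: {g}")
        key += struct.pack("<H", val // 11)
    return bytes(key)


def is_valid_recovery_password(text):
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def normalise(text):
    """Re-join the groups with hyphens, which is the form both tools accept."""
    return "-".join(re.split(r"[-\s]+", text.strip()))


def manage_bde_unlock(drive_letter, password):
    """argv for the write-blocked-drive route in post #7 (run on Windows)."""
    parse_recovery_password(password)
    letter = drive_letter.rstrip(":").upper()
    return ["manage-bde", "-unlock", f"{letter}:", "-RecoveryPassword", normalise(password)]


def dislocker_commands(image_path, byte_offset, password,
                       mnt="/mnt/dislocker", dec="/mnt/decrypted"):
    """Shell lines for the raw-image route in post #6: dislocker exposes the
    plaintext volume as a file, which is then loop-mounted read-only."""
    parse_recovery_password(password)
    return [
        f"dislocker -r -O {byte_offset} -V {shlex.quote(image_path)} "
        f"-p{normalise(password)} -- {mnt}",
        f"mount -o ro,loop {mnt}/dislocker-file {dec}",
    ]


if __name__ == "__main__":
    for pw in (SAMPLE_VALID, SAMPLE_TYPO):
        try:
            print(pw, "->", parse_recovery_password(pw).hex())
        except ValueError as err:
            print(pw, "-> rejected:", err)
    print(" ".join(manage_bde_unlock("I", SAMPLE_VALID)))
    print("\n".join(dislocker_commands("laptop.001", 24576, SAMPLE_VALID)))
```

The mod-11 rule catches any single mistyped digit inside a group, so a rejected group usually points straight at the transcription error. It does not prove the password belongs to this volume; only the tool's own unlock attempt does that.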
#8 Lids
I'm intrigued that you mentioned you logged into the laptop as local admin and then imaged. So you imaged whilst logged into the machine? In this instance, the physical image won't be complete. If you still have the laptop, I would recommend either removing the hard drive or booting into a Linux-based imaging suite such as Paladin, Helix, Raptor, etc. and performing a physical image acquisition through that.

As referenced by @mjpetersen, to decrypt you would need either EnCase with the decryption module or the full FTK forensic suite, unless you decide to mount the image (with FTK Imager) as read-only and then attempt to access the disk partition; you should then be asked for the BitLocker key (unless the FTK mounting does not emulate encryption).