Tuesday, August 27, 2013

[Forensics] How to acquire Microsoft Bitlocker enabled Windows OS?

Nowadays it is not uncommon to see a Windows OS with BitLocker enabled to protect the laptops of frequent travellers. Acquiring a Windows OS with BitLocker is not a difficult task. Refer to my blog post about acquiring a hard drive encrypted by McAfee Endpoint Encryption (formerly SafeBoot) with FTK Imager; the procedure is similar. However, creating an E01 image on a live Windows system with FTK Imager requires some caution. When you add the local hard drive as a physical device, you won't see any file structure in FTK Imager except unallocated clusters: the E01 image is still BitLocker protected. If you add the image to a case in EnCase v7 with the EnCase Decryption Suite (EDS), it prompts for the BitLocker recovery key or passphrase. Therefore, you must export the BitLocker recovery key after you receive credentials with local administrative rights. Keep in mind that the MD5 hash will differ each time you acquire the hard drive in live mode, even when you use the same method, because the running system keeps changing the disk.
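Exporting the recovery key on the live system, as an added example that is not part of the original post: the script below records every BitLocker volume's status and key protectors (including the 48-digit recovery password) into a note file and hashes that file, so the key is kept with the case notes rather than inside the image. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (for the BitLocker module and Get-FileHash); the output folder $OutDir is a hypothetical path of your choice.

```powershell
# Added example (not from the original post): export BitLocker recovery
# protectors for all encrypted volumes into a hash-verified note file.
# Assumes: elevated PowerShell, BitLocker module present (Win 8 / 2012+).
# $OutDir is a hypothetical evidence-notes location, not the image drive.

$OutDir = 'E:\case_notes'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Report = Join-Path $OutDir 'bitlocker_protectors.txt'

# One header line per volume, then one line per key protector.
$Lines = foreach ($vol in Get-BitLockerVolume) {
    "Volume {0}  Status={1}  Method={2}  Protection={3}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            # This is the value EDS / EnCase will ask for when the E01 is added.
            "  RecoveryPassword ID={0} Password={1}" -f $kp.KeyProtectorId, $kp.RecoveryPassword
        } else {
            "  {0} ID={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
        }
    }
}
$Lines | Set-Content -Path $Report -Encoding ASCII

# Older systems without the BitLocker module: the built-in tool gives the same data.
# manage-bde -protectors -get C: >> $Report

# Hash the note file so its integrity can be checked later, as is done for the E01.
Get-FileHash -Path $Report -Algorithm SHA256 | Format-List Path, Algorithm, Hash
```

Store the note file on media separate from the image, as the post advises; a protector line with no RecoveryPassword (TPM-only, for example) means there is no key to export from this system and the recovery key must come from the IT administrator or Active Directory instead.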

Using FTK Imager is one way. Alternatively, ask the IT administrator to provide the recovery key; then you do not need to log in to Windows. Take the hard drive out of the computer and connect it as a local device to EnCase v7 via a write-blocker (a hardware write-blocker is better). EDS detects BitLocker and asks for the recovery key/passphrase. Once you input the key provided by the IT administrator, the data on the hard drive is shown in the Tree pane in decrypted state. Right-click the physical hard drive icon and select Acquire to create another E01 image. The final E01 image is in decrypted state, so you can mount it in forensic tools.

If you want to keep the hard drive's encrypted state in the E01, you can connect it to a Tableau TD2 duplicator and simply create the E01. You then don't have to build an encrypted target hard drive to store the image. Of course, remember to store the recovery key separately.
