±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 32893
New Yesterday: 9 Visitors: 151

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Imaging Windows 10/Bitlocker/Dell7480 Problems

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Fri Aug 25, 2017 2:06 am

Hello,

I seem to be running into an issue while trying to image a device and was wondering if anyone can help me figure out either what the issue might be and a solution.

I'm not sure if the model makes a different so here goes:
The device is a Dell Latitude Model 7480 with an M.2 SSD ("NVMe THNSN5512GPUK NV" (pictured here:
)

The system is powered off.
I have tried CAINE, Paladin, and DEFT. In all three, the hard drive does not show up in the device/disk list, nor in Guymager etc.

I purchased this adapter Amazon JSER SFF-8639 NVME U.2 to NGFF M.2 M-key

I tried removing the ssd and attaching it to a write-blocker. In this case, it shows up as an 'un-initialized disk' in the Computer Management window.

I'll have to confirm this but I believe I previously imaged an older Dell Latitude Model 7470 (Windows 10 + Bitlocker) using CAINE with no issues. the SSD on the model 7470 is a "Micron 1100 SATA 512GB" (which has the B+M key edge).

I'm listing as much detail as I can think of. I've tried searching for some insight but most results are articles on decrypting Bitlocker (which i'm still upset EnCase doesn't support yet) than imaging.
I believe I have the means to decrypt the image but first I need to be able to image the device!

Any help/insight is much appreciated.

Thank you!  

timtam
Newbie
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Fri Aug 25, 2017 10:32 am

GetData's MountImage Pro will mount a BitLocker encrypted forensic image. After MIP mounts the encrypted image, a Windows dialogue box will popup asking for the BitLocker encryption key.

To image the computer itself, try Parrot Security's Linix distro (https://www.parrotsec.org/download.fx).  

UnallocatedClusters
Senior Member
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Fri Aug 25, 2017 3:56 pm

Thanks for the input. I downloaded and tried Parrot and run into the same issue with CAINE.

The only devices listed are the USB i'm booting Parrot from, and a "loop0" at mountpoint "/lib/live/mount/rootfs/filesystem.squashfs" (approx 3GB in size)

I'm still unable to image the device. Any idea why the device would not show up?  

timtam
Newbie
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Sat Aug 26, 2017 3:35 am

Bitlocker only encrypts a volume on a disk not the whole disk so it shouldn't be preventing you from seeing the disk. In Paladin etc. what does the terminal command 'lsblk' report?

I have known devices not show up in the GUI disk/device lists on Paladin etc even though they are there. I can usually find them and image using command line tools though.  

AmNe5iA
Member
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Mon Aug 28, 2017 11:57 am

It sounds like an adapter issue, the connector is the same, but for some chipsets the adapters don't have the support. Try various M.2 SSD adapters...

I'm not related to none of these vendors, but I suggest you to start with DeLock or Gembird adapters.
_________________
Passcodeunlock - mobile/tablet screen unlocking
passcodeunlock.com 

passcodeunlock
Senior Member
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Mon Aug 28, 2017 12:10 pm

- timtam
Hello,

I seem to be running into an issue while trying to image a device and was wondering if anyone can help me figure out either what the issue might be and a solution.

I'm not sure if the model makes a different so here goes:
The device is a Dell Latitude Model 7480 with an M.2 SSD ("NVMe THNSN5512GPUK NV" (pictured here:
)

The system is powered off.
I have tried CAINE, Paladin, and DEFT. In all three, the hard drive does not show up in the device/disk list, nor in Guymager etc.

I purchased this adapter Amazon JSER SFF-8639 NVME U.2 to NGFF M.2 M-key

I tried removing the ssd and attaching it to a write-blocker. In this case, it shows up as an 'un-initialized disk' in the Computer Management window.

I'll have to confirm this but I believe I previously imaged an older Dell Latitude Model 7470 (Windows 10 + Bitlocker) using CAINE with no issues. the SSD on the model 7470 is a "Micron 1100 SATA 512GB" (which has the B+M key edge).

I'm listing as much detail as I can think of. I've tried searching for some insight but most results are articles on decrypting Bitlocker (which i'm still upset EnCase doesn't support yet) than imaging.
I believe I have the means to decrypt the image but first I need to be able to image the device!

Any help/insight is much appreciated.

Thank you!


I'm not sure about EnCase v5 and previous, but I've been decrypting BitLocker in V6, v7 and v8. If it is encrypted with BitLocker, Windows will should identify it as such and prompt for opening.

Personally I image a few Dell Latitude 7400 Series laptops a week, removing the M2 and putting on my Tableau write blocker for imaging. We don't use BitLocker but something else, but similar idea. Does EnCase detect the drive at all? Maybe a bad adapter?  

bytethese
Member
 
 
  

Re: Imaging Windows 10/Bitlocker/Dell7480 Problems

Post Posted: Mon Aug 28, 2017 6:32 pm

Here is the lsblk output:

I've imaged other Dell's 7450's, 7470's without any issue. Its this 7480 and M2 that doesn't seem to want to work.

I will order a DeLock or Gembird adapter and see if it works and post an update once they come in.

Thanks for the replies!  

timtam
Newbie
 
 

Page 1 of 2
Go to page 1, 2  Next