Imaging Windows 10/...
 
Notifications
Clear all

Imaging Windows 10/Bitlocker/Dell7480 Problems

11 Posts
7 Users
0 Likes
3,039 Views
(@timtam)
Posts: 5
Active Member
Topic starter
 

Hello,

I seem to be running into an issue while trying to image a device and was wondering if anyone can help me figure out either what the issue might be and a solution.

I'm not sure if the model makes a different so here goes
The device is a Dell Latitude Model 7480 with an M.2 SSD ("NVMe THNSN5512GPUK NV" (pictured here
)

The system is powered off.
I have tried CAINE, Paladin, and DEFT. In all three, the hard drive does not show up in the device/disk list, nor in Guymager etc.

I purchased this adapter Amazon JSER SFF-8639 NVME U.2 to NGFF M.2 M-key

I tried removing the ssd and attaching it to a write-blocker. In this case, it shows up as an 'un-initialized disk' in the Computer Management window.

I'll have to confirm this but I believe I previously imaged an older Dell Latitude Model 7470 (Windows 10 + Bitlocker) using CAINE with no issues. the SSD on the model 7470 is a "Micron 1100 SATA 512GB" (which has the B+M key edge).

I'm listing as much detail as I can think of. I've tried searching for some insight but most results are articles on decrypting Bitlocker (which i'm still upset EnCase doesn't support yet) than imaging.
I believe I have the means to decrypt the image but first I need to be able to image the device!

Any help/insight is much appreciated.

Thank you!

 
Posted : 25/08/2017 8:06 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

GetData's MountImage Pro will mount a BitLocker encrypted forensic image. After MIP mounts the encrypted image, a Windows dialogue box will popup asking for the BitLocker encryption key.

To image the computer itself, try Parrot Security's Linix distro (https://www.parrotsec.org/download.fx).

 
Posted : 25/08/2017 4:32 pm
(@timtam)
Posts: 5
Active Member
Topic starter
 

Thanks for the input. I downloaded and tried Parrot and run into the same issue with CAINE.

The only devices listed are the USB i'm booting Parrot from, and a "loop0" at mountpoint "/lib/live/mount/rootfs/filesystem.squashfs" (approx 3GB in size)

I'm still unable to image the device. Any idea why the device would not show up?

 
Posted : 25/08/2017 9:56 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Bitlocker only encrypts a volume on a disk not the whole disk so it shouldn't be preventing you from seeing the disk. In Paladin etc. what does the terminal command 'lsblk' report?

I have known devices not show up in the GUI disk/device lists on Paladin etc even though they are there. I can usually find them and image using command line tools though.

 
Posted : 26/08/2017 9:35 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

It sounds like an adapter issue, the connector is the same, but for some chipsets the adapters don't have the support. Try various M.2 SSD adapters…

I'm not related to none of these vendors, but I suggest you to start with DeLock or Gembird adapters.

 
Posted : 28/08/2017 5:57 pm
bytethese
(@bytethese)
Posts: 12
Active Member
 

Hello,

I seem to be running into an issue while trying to image a device and was wondering if anyone can help me figure out either what the issue might be and a solution.

I'm not sure if the model makes a different so here goes
The device is a Dell Latitude Model 7480 with an M.2 SSD ("NVMe THNSN5512GPUK NV" (pictured here
)

The system is powered off.
I have tried CAINE, Paladin, and DEFT. In all three, the hard drive does not show up in the device/disk list, nor in Guymager etc.

I purchased this adapter Amazon JSER SFF-8639 NVME U.2 to NGFF M.2 M-key

I tried removing the ssd and attaching it to a write-blocker. In this case, it shows up as an 'un-initialized disk' in the Computer Management window.

I'll have to confirm this but I believe I previously imaged an older Dell Latitude Model 7470 (Windows 10 + Bitlocker) using CAINE with no issues. the SSD on the model 7470 is a "Micron 1100 SATA 512GB" (which has the B+M key edge).

I'm listing as much detail as I can think of. I've tried searching for some insight but most results are articles on decrypting Bitlocker (which i'm still upset EnCase doesn't support yet) than imaging.
I believe I have the means to decrypt the image but first I need to be able to image the device!

Any help/insight is much appreciated.

Thank you!

I'm not sure about EnCase v5 and previous, but I've been decrypting BitLocker in V6, v7 and v8. If it is encrypted with BitLocker, Windows will should identify it as such and prompt for opening.

Personally I image a few Dell Latitude 7400 Series laptops a week, removing the M2 and putting on my Tableau write blocker for imaging. We don't use BitLocker but something else, but similar idea. Does EnCase detect the drive at all? Maybe a bad adapter?

 
Posted : 28/08/2017 6:10 pm
(@timtam)
Posts: 5
Active Member
Topic starter
 

Here is the lsblk output

I've imaged other Dell's 7450's, 7470's without any issue. Its this 7480 and M2 that doesn't seem to want to work.

I will order a DeLock or Gembird adapter and see if it works and post an update once they come in.

Thanks for the replies!

 
Posted : 29/08/2017 12:32 am
(@thefuf)
Posts: 262
Reputable Member
 

Here is the lsblk output

I've imaged other Dell's 7450's, 7470's without any issue. Its this 7480 and M2 that doesn't seem to want to work.

I will order a DeLock or Gembird adapter and see if it works and post an update once they come in.

Thanks for the replies!

It seems that the drive is not detected by Linux, this issue would be hard to debug over the forum. But if the drive is recognized by BIOS, it would be possible to acquire the image using DOS or a custom GRUB image (this will be very slow, but no native drivers will be required, because all read requests are going to be served by BIOS). The "ls" command in the GRUB shell will show you a list of detected devices. After this, if you see an unencrypted boot partition on one of these devices (by typing something like "ls (hd0,msdos1)/"), it will be possible to acquire the image correctly. You can find GRUB in some of the live distributions (for example, it is available in grml, see the "Addons" section in its boot loader).

 
Posted : 29/08/2017 11:58 am
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

Sorry for the late reply, but you're dealing with an NVMe drive, and you seem to be trying to connect it via a SATA adapter. There's no way that will work. Although the M.2 connectors are often keyed the same for SATA and NVMe SSDs, they are not compatible. NVMe and SATA are two completely different protocols. NVMe is also often referred to as PCIe since it is a direct connection to the PCIe bus and many vendors use the terms interchangeably.

You'll find adapters for Tableau products, the new Tableau TX1 supports NVMe natively as does the Tableau t356789iu, and the Forensic Falcon can connect via an adapter. I'm sure there are others, but they're all relatively new.

https://www.guidancesoftware.com/tableau/hardware/tda7-2
https://www.guidancesoftware.com/tableau/hardware/tx1
https://www.guidancesoftware.com/tableau/hardware//t356789iu
https://www.logicube.com/shop/falcon/?v=7516fd43adaa

If you want to use a software product to create the image by booting the laptop with the drive installed, it will need to support NVMe drives. I haven't personally investigated which tools will work, but I'm sure something out there does.

 
Posted : 31/08/2017 6:46 pm
(@timtam)
Posts: 5
Active Member
Topic starter
 

Thanks all for the replies.
I went ahead and purchased the Tableau adapter and bridge
https://www.guidancesoftware.com/tableau/hardware/tda7-2
https://www.guidancesoftware.com/tableau/hardware//t7u

I have 3 NVMe SSDs. 2 are Toshiba brand and 1 is Samsung.

When I connect the Samsung SSD, the bridge is able to read it and give me all the device info and so forth.

When I connect the two Toshiba SSDs, both show up as "not connected" on the bridge.

Any thoughts? An SSD issue or Tableau issue? (Costed ~ $600 so I hope not a Tableau issue!)
Has anyone had success with Toshiba NVMe SSDs?

 
Posted : 13/09/2017 12:11 am
Page 1 / 2
Share: