Need advice re: obtaining BitLocker recovery key

 
  

Need advice re: obtaining BitLocker recovery key

Posted: Tue Apr 10, 2018 8:30 pm

I am a novice and am seeking to expand my knowledge. Here is an overview of the issue:

The device is a Dell Inspiron 15 3000 series with 1TB HDD volume with a C-drive BitLocker partition. Windows 10 is installed, and the user (admin privileges) can’t get past the login screen. If entered, the user’s credentials are accepted, and Windows 10 partially loads but then warns that a reboot will be done in 1 minute and proceeds to do so without me being able to interrupt anything. The rebooting happens if the login screen is left alone, too, resulting in a reboot loop.

There is no BitLocker recovery key available and thus I’m unable to use the Microsoft recovery tools, like starting Windows 10 in safe mode and uninstalling problematic software.

I have yet to verify a working backup image.

My current course of action is to retrieve the BitLocker recovery key by using forensic tools to access the dd image (I have the laptop and can create more images). I was able to get a Guymager image, albeit in multiple files, and so I can’t seem to load it into Passware Kit to attempt a brute force attack.

When I load the split raw image in OSFMount, it tells me about the 6 partitions on the drive, and partition 1 (128MB) and 2 (917.9GB) are both showing as (Empty Partition). When I mount the whole image, or just partition 2 (the C-drive encrypted with BitLocker), my Windows workstation prompts me to format the empty drive. In OSFMount, the File System columns show N/A.

I am hoping for help from the community regarding what to do next. I'm going to see if I can join the dd image files into 1 file that would open in Passware Kit.  

JimDandy
Newbie
 
 
  

Re: Need advice re: obtaining BitLocker recovery key

Posted: Wed Apr 11, 2018 1:56 am

OSFMount is not suitable for mounting those files; it is essentially a "volume" driver, it simply skips the "hidden sectors" in a "whole disk" image trying to access the volume(s). Since the volumes are encrypted, it obviously cannot find a filesystem (the partition table in the MBR or GPT is not encrypted, so OSFMount can detect the extents of the volume(s), but the PBR or VBR or bootrecord is encrypted and so no filesystem can be found/detected, hence the N/A and the prompt to format the volume).

But if you can make a "monolithic image" it will be easier to use in other tools.

You don't need to image the whole disk (if it is divided in 6 partitions), you can image just the (I presume initial) part from sector 0 to the end of the 917 GB partition (that will comprise also the 128 GB partition).

To access a "disk" (the "whole thing") image you could use the Arsenal Recon driver:
arsenalrecon.com/weapo...e-mounter/

The author is the same as that of IMDISK (which is the "base" from which OSFMount was derived), Olof Lagerkvist.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
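
Added example (not part of the thread and not any poster's code): a quick triage of a raw whole-disk image that reads the unencrypted GPT and then the first sector of each partition, which is why a tool can list partition extents yet report no filesystem on a BitLocker volume. It assumes a GPT disk with 512-byte sectors; the function names and the tiny sample disk are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors
OEM_IDS = {b"-FVE-FS-": "BitLocker", b"NTFS    ": "NTFS", b"EXFAT   ": "exFAT"}

def gpt_partitions(img):
    """Yield (number, first_lba, last_lba) for every used GPT partition entry."""
    img.seek(SECTOR)  # the GPT header sits at LBA 1, after the protective MBR
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        img.seek(entries_lba * SECTOR + i * size)
        entry = img.read(size)
        if entry[:16] == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        yield i + 1, first, last

def classify(img, first_lba):
    """Identify the volume from the 8-byte OEM ID at offset 3 of its first sector."""
    img.seek(first_lba * SECTOR)
    boot = img.read(SECTOR)
    if not any(boot):
        return "blank first sector"
    return OEM_IDS.get(boot[3:11], "unrecognised")

def survey(img):
    """List (number, first_lba, last_lba, kind) for each partition in the image."""
    return [(n, a, b, classify(img, a)) for n, a, b in gpt_partitions(img)]

def sample_image():
    """Constructed 64-sector disk: partition 1 blank, partition 2 BitLocker."""
    disk = bytearray(64 * SECTOR)
    disk[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", disk, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    for slot, (first, last) in enumerate([(34, 40), (41, 60)]):
        off = 2 * SECTOR + slot * 128
        disk[off:off + 32] = b"\x01" * 32  # placeholder type/unique GUIDs
        struct.pack_into("<QQ", disk, off + 32, first, last)
    disk[41 * SECTOR + 3:41 * SECTOR + 11] = b"-FVE-FS-"
    return io.BytesIO(bytes(disk))

if __name__ == "__main__":
    for row in survey(sample_image()):
        print(row)
```

On a real image, pass a file opened read-only in binary mode to `survey` instead of the constructed sample.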
 
 
  

Re: Need advice re: obtaining BitLocker recovery key

Posted: Wed Apr 11, 2018 4:17 pm

Thank you, jaclaz! I was able to mount the dd image so that it is now a recognizable drive in Windows. It shows as Local Disk and it is recognized that it is BitLocker encrypted.

I assume Passware would let me access a drive like a volume but it isn't (it wants a raw image file so I may still need to join those dd.xxx ones, but I haven't worked past the memory error I got when I tried it). I am researching what to do next and I am liking that Arsenal has at least gotten me this far.

As time permits my research, I will hopefully find a way to hack the BitLocker key. I was contemplating putting a PC together with an on-board IEEE port so that I could attempt capturing a physical memory dump. I'm checking if there's a way to get what Passware needs without going that route. I'm also looking at Passware alternatives to get the BitLocker key.

I've come across many interesting posts here and I wish I had multiple workstations set up to try different paths at the same time (especially when I was trying to join those dd image files).  

JimDandy
Newbie
 
 
  

Re: Need advice re: obtaining BitLocker recovery key

Posted: Thu Apr 12, 2018 2:28 am

JimDandy wrote:

"I've come across many interesting posts here and I wish I had multiple workstations set up to try different paths at the same time (especially when I was trying to join those dd image files)."

Well, I don't know which issues you may have with simply joining a bunch of dd files; the operation is normally very demanding in terms of disk activity but shouldn't really need as much memory as you seem to report.

I mean, if you are on Windows even
COPY /B File1.dd + File2.dd Combined12.dd
would (should) work.

To minimize disk usage and time you could use:
COPY /B File1.dd Combined1.dd
COPY /B Combined1.dd + file2.dd
COPY /B Combined1.dd + file3.dd
COPY /B Combined1.dd + file4.dd
...

I would prefer using a dd port or (still on Windows) personally I would try using the DSFOK toolkit (old, maybe a tad bit on the slow side in terms of performance but it never failed me in many years):

members.ozemail.com.au...index.html

Of course you need some space (possibly in a contiguous chunk) on some mass storage device.

jaclaz

jaclaz
Senior Member
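
Added example (not part of the thread and not any poster's code): joining split raw segments by streaming them through a fixed-size buffer, so memory use stays constant however large the image is, while hashing the combined stream for comparison with any hash recorded at acquisition. The `.000`, `.001`, ... suffix scheme, the file names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB buffer: the only image data held in memory

def ordered_segments(directory, stem):
    """Return stem.000, stem.001, ... sorted by numeric suffix, refusing gaps."""
    pat = re.compile(re.escape(stem) + r"\.(\d+)$")
    found = sorted((int(m.group(1)), name) for name in os.listdir(directory)
                   if (m := pat.match(name)))
    numbers = [n for n, _ in found]
    if not found or numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        raise ValueError(f"no segments or a gap in the sequence: {numbers}")
    return [os.path.join(directory, name) for _, name in found]

def join_segments(segments, out_path):
    """Stream the segments into out_path; return (bytes_written, sha256_hex)."""
    digest, total = hashlib.sha256(), 0
    with open(out_path, "wb") as out:
        for seg in segments:
            with open(seg, "rb") as src:
                while chunk := src.read(CHUNK):
                    out.write(chunk)
                    digest.update(chunk)
                    total += len(chunk)
    if total != sum(os.path.getsize(s) for s in segments):
        raise IOError("combined size does not match the sum of the segments")
    return total, digest.hexdigest()

def demo():
    """Constructed data: three tiny segments created out of order, then joined."""
    with tempfile.TemporaryDirectory() as d:
        parts = {"img.dd.001": b"BBBB", "img.dd.000": b"AAAA", "img.dd.002": b"CC"}
        for name, data in parts.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        out = os.path.join(d, "combined.dd")
        total, sha = join_segments(ordered_segments(d, "img.dd"), out)
        with open(out, "rb") as f:
            return total, sha, f.read()

if __name__ == "__main__":
    print(demo())
```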
 
 
  

Re: Need advice re: obtaining BitLocker recovery key

Posted: Fri Aug 10, 2018 2:40 pm

Jim, did you have any luck with this drive?

Kenobyte
Member
 
 
