Creating Forensically Sound Images using Opensource

9 Posts
6 Users
0 Likes
954 Views
(@bell_4)
Posts: 10
Active Member
Topic starter
 

Hello,

I am looking for some help to develop a process using ONLY free software that I can use to forensically create sound images of Windows 10 Bitlocker encrypted hard-drives. I will also need to be able to decrypt the hard-drives using free software. Any recommendations on the step-by-step process using free-based tools would be GREATLY appreciated.

Thanks in advance,
S P

 
Posted : 19/08/2017 12:03 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hello,

I am looking for some help to develop a process using ONLY free software that I can use to forensically create sound images of Windows 10 Bitlocker encrypted hard-drives.

Booting from a Linux drive and imaging an underlying hard drive with "dd" is not rocket science. Easier to use is OSFClone from https://www.osforensics.com/tools/create-disk-images.html written by this forum's regular "Passmark". It allows you to use "a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system".

But there is no way to decrypt Bitlocker without the matching password and I do not know any alternative to Microsoft's manage-bde application. Please let us know if you find or develop one. Thanks in advance!

Robin

 
Posted : 19/08/2017 3:28 am
(@bell_4)
Posts: 10
Active Member
Topic starter
 

Thanks Robin for the input.

After using the method you described below, what tool would you use to mount the image file? The bitlocker keys will be available to me to unlock.

Thanks in advance,
S P

 
Posted : 19/08/2017 3:52 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

You can mount images in FTK Imager and map them as local drives. That should enable you to use Windows to unlock the drive. I haven't tried this with Bitlocker, but I have mounted images and mapped them.

 
Posted : 19/08/2017 5:25 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You can mount images in FTK Imager and map them as local drives. That should enable you to use Windows to unlock the drive. I haven't tried this with Bitlocker, but I have mounted images and mapped them.

Well, then he could use FTKImager directly to make the image, point is whether FTKImager is "free", surely it is not "open source".

BTW, open source and free are NOT the same thing, and free may mean more than one thing.

@Bell_4
You can use a free and open source tool like Arsenal Image Mounter (on Windows)
https://arsenalrecon.com/apps/image-mounter/
See
http://www.hecfblog.com/2014/03/daily-blog-263-decrypting-images-with.html

There are a number of dd ports (or similar imaging tools) for Windows (though you may need to use a WinFE of some kind anyway); the question remains about the "free" or "open source" (or both).

jaclaz

 
Posted : 19/08/2017 2:25 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

Hello,

I am looking for some help to develop a process using ONLY free software that I can use to forensically create sound images of Windows 10 Bitlocker encrypted hard-drives. I will also need to be able to decrypt the hard-drives using free software. Any recommendations on the step-by-step process using free-based tools would be GREATLY appreciated.

Thanks in advance,
S P

If you plan to decrypt and access the BitLocker encrypted partitions under Linux, you may find Dislocker helpful.

https://github.com/Aorimn/dislocker

 
Posted : 20/08/2017 8:22 am
(@bell_4)
Posts: 10
Active Member
Topic starter
 

Thank you all!!!

 
Posted : 30/08/2017 6:10 pm
(@slippery)
Posts: 4
New Member
 

You can use Guymager to image the drive, and I've used dislocker. It works great, providing you have the password or recovery key.

 
Posted : 31/08/2017 3:42 pm
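
The dd and dislocker suggestions in the posts above, combined into one workflow as an added example that is not from any poster in this thread: acquire a raw image, prove it matches the source by SHA-256, then unlock the BitLocker volume read-only from the image. The function names, the mount points `/mnt/dislocker` and `/mnt/evidence`, and the partition number passed to `unlock_image` are assumptions; `unlock_image` needs root, dislocker installed and the recovery password.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and paths are hypothetical.

# acquire_image SRC DST: copy SRC to DST with dd, hash both, compare.
# Returns 0 only when source and image SHA-256 match, 2 if DST already exists.
acquire_image() {
    ai_src=$1; ai_dst=$2
    if [ -e "$ai_dst" ]; then
        echo "refusing to overwrite $ai_dst" >&2; return 2
    fi
    # Plain dd stops at the first read error, so a clean exit means a full copy.
    dd if="$ai_src" of="$ai_dst" bs=1M 2>"$ai_dst.dd.log" || return 1
    ai_h1=$(sha256sum < "$ai_src" | cut -d' ' -f1)
    ai_h2=$(sha256sum < "$ai_dst" | cut -d' ' -f1)
    # Record the acquisition hash beside the image, then drop write permission.
    printf '%s  %s\n' "$ai_h2" "${ai_dst##*/}" > "$ai_dst.sha256"
    chmod a-w "$ai_dst" "$ai_dst.sha256"
    [ "$ai_h1" = "$ai_h2" ]
}

# verify_image DST: re-hash the image and compare with the recorded value.
# Run it before and after every examination session.
verify_image() {
    vi_want=$(cut -d' ' -f1 < "$1.sha256")
    vi_have=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$vi_want" = "$vi_have" ]
}

# unlock_image IMG PARTNO RECOVERY_PASSWORD (root required, not run by default)
unlock_image() {
    # Read-only loop device with partition scanning: the image is never written.
    ui_loop=$(losetup --find --show --read-only --partscan "$1") || return 1
    mkdir -p /mnt/dislocker /mnt/evidence
    # -r read-only, -V BitLocker volume, -p<recovery password> (no space),
    # mount point after "--". dislocker exposes the clear volume as dislocker-file.
    dislocker -r -V "${ui_loop}p$2" -p"$3" -- /mnt/dislocker || return 1
    mount -o ro,loop /mnt/dislocker/dislocker-file /mnt/evidence
}
```

A recovery password passed as an argument is visible in the process list while dislocker runs, so do the unlock on an isolated examination machine.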
(@bell_4)
Posts: 10
Active Member
Topic starter
 

Awesome. Yup I will have the passwords. Thank you!

 
Posted : 31/08/2017 3:48 pm