Encrypted NTFS Images - Or Not????


UnallocatedClusters
Senior Member
 

Encrypted NTFS Images - Or Not????

Post Posted: Aug 27, 19 21:21

Colleagues,

We used FTK Imager Lite 3.1.1 to create full physical images of multiple Dell laptops.

The full physical image creation completed and verified successfully.

** However, when one views the resulting E01 images in FTK Imager, the main "User" partition is encrypted "Unrecognized File System".

We then created "logical" drive images of the laptops' C partitions using FTK Imager Lite 3.1.1 and were able to get unencrypted physical images of the C partitions.

This is where things get weird...

The corporate client claims (I believe them) that they never encrypted the Dell laptops' C partitions.

My research shows that Microsoft is shipping laptop hard drives in an encrypted state, but without Bitlocker being initialized:

superuser.com/question...ted-or-not

On the original Dell laptops, one can choose the C partition and "turn on Bitlocker" and save a recovery key to a text file. Corporate users can also use Active Directory to ingest and maintain the Bitlocker recovery keys.

So, it appears that "encryption" and "BitLocker encryption" are two different subjects; Bitlocker appears to be Microsoft's encryption management system.

1) When we mount the FTK Imager created full physical disk images using FTK Imager, the C partition is encrypted and not accessible.

2) When we mount the FTK Imager created full physical disk images using Arsenal Image Mounter, the C partition is encrypted and not accessible.

3) When we mount the FTK Imager created full physical disk images using GetData's Mount Image Pro v6, the C partition is accessible!


Any ideas why Mount Image Pro is the only tool that can mount and make available for use the C partition as un-encrypted, but none of the other tools can?

I also tried Passmark's OSForensics to mount the full disk image in the hopes that OSForensics would prompt for the BitLocker recovery key, but OSForensics did not; OSForensics mounts the full disk image as encrypted.

So, our new standard operating procedure is to first preview hard drives using FTK Imager to determine if the C partition is encrypted even if the corporate client tells us they never encrypted the hard drives; if we see that the C partition is encrypted, we will create a logical image of the C partition and check other partitions to see if there is other user generated data to collect. We also create a full disk physical image in addition to the C partition logical image so that we have both.

Kudos to GetData and Mount Image Pro for being the only tool able to decrypt these images without even asking for the Bitlocker recovery key.

Any ideas what is going on with this encryption / not-encrypted issue?
 
  

thefuf
Senior Member
 

Re: Encrypted NTFS Images - Or Not????

Post Posted: Aug 27, 19 22:05

When mounting a physical image using FTK Imager and/or Arsenal Image Mounter, do you see the "-FVE-FS-" signature in the first sector of the encrypted partition?  
 
  

Passmark
Senior Member
 

Re: Encrypted NTFS Images - Or Not????

Post Posted: Aug 28, 19 01:48

I suspect there is more going on.
With modern encryption you can't just decrypt it without the password or the key. The 256-bit AES encryption is just too solid for that.
Either it was never actually encrypted or the key was available (somehow).

Initially you said the "user" partition was encrypted. But then said it was the "c partitions". Maybe it was EFS file level encryption, not partition encryption? So just some selected files in the file system (e.g. the User folder) were encrypted?

Or it might just be an unexpected partition type. See this list here.
en.wikipedia.org/wiki/...ition_type
There are some pretty strange ones out there.

So it would also be good to see the dump of the partition table (and the 1st sector of the partition).  
 
  

jaclaz
Senior Member
 

Re: Encrypted NTFS Images - Or Not????

Post Posted: Aug 28, 19 07:08

More loosely, "Unrecognized File System" does not really mean in itself that the volume is encrypted, it means "Unrecognized File System" (that could be caused by encryption or by other reasons).

As an example, not your case of course, but I seem to remember similar issues years ago with a Partition ID of 42 which was "Dynamic Disk", the volume was inaccessible and simply editing the partition ID to 07 (which is commonly thought as meaning NTFS, but isn't[1]) allowed access to data.

I would check both the partition table (MBR or GPT) and the first few sectors of the volume.

It could also be some sort of "special case" connected to FTK (though I doubt it):
is the behaviour the same with a plain dd-like copy (both of the whole disk and of only the volume)?

jaclaz

[1] 07 is actually a "protective" partition ID to mean to non-NT systems "ignore this", it may mean HPFS (rare) or nowadays increasingly common exFAT/TexFAT
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
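The checks thefuf, Passmark and jaclaz ask for above (the "-FVE-FS-" signature in the first sector of the volume, and a dump of the partition table with its type IDs) can be scripted against a plain dd-style image. The following is an added example, not code from the thread or from any of the tools mentioned; it builds its own 4-sector sample image in build_sample_image() rather than touching the poster's E01s, and it only understands MBR tables (a GPT disk shows up as a single 0xEE protective entry).

```python
"""
Added example, not from the thread: triage a raw dd-style disk image the way
thefuf, Passmark and jaclaz suggest -- dump the MBR partition table with its
partition type IDs, read the first sector of each partition, and classify it
as NTFS, BitLocker ("-FVE-FS-" at offset 3) or unrecognized.  The sample image
is constructed in build_sample_image(); nothing here reads the poster's E01s.
"""
import struct

SECTOR = 512
NTFS_SIG = b"NTFS    "   # OEM ID at offset 3 of an NTFS boot sector
FVE_SIG = b"-FVE-FS-"    # BitLocker volume signature at offset 3

# A few MBR partition type IDs relevant to the thread (0x07 is a protective
# ID shared by NTFS, HPFS and exFAT, as jaclaz notes).
PARTITION_TYPES = {
    0x07: "NTFS/HPFS/exFAT (protective ID)",
    0x42: "Dynamic disk (LDM)",
    0xEE: "GPT protective MBR",
}


def parse_mbr(mbr: bytes):
    """Return the populated MBR slots as (type_id, start_lba, sector_count)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        type_id = entry[4]                       # partition type byte
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if type_id != 0 and count != 0:
            parts.append((type_id, start_lba, count))
    return parts


def classify_volume(first_sector: bytes) -> str:
    """Classify a volume from its first sector.  FTK's 'Unrecognized File
    System' covers both the BitLocker case and the genuinely unknown case."""
    sig = first_sector[3:11]
    if sig == FVE_SIG:
        return "BitLocker"
    if sig == NTFS_SIG:
        return "NTFS"
    return "Unrecognized"


def triage_image(image: bytes):
    """One record per partition: type ID, LBA range and first-sector verdict."""
    report = []
    for type_id, start, count in parse_mbr(image[:SECTOR]):
        off = start * SECTOR
        report.append({
            "type_id": type_id,
            "type_name": PARTITION_TYPES.get(type_id, "other"),
            "start_lba": start,
            "sectors": count,
            "fs": classify_volume(image[off:off + SECTOR]),
        })
    return report


def build_sample_image() -> bytes:
    """Constructed 4-sector image: MBR, an NTFS volume, a BitLocker volume
    and a type 0x42 partition holding only zeros."""
    def boot_sector(oem: bytes) -> bytes:
        return (b"\xeb\x52\x90" + oem).ljust(SECTOR, b"\x00")

    mbr = bytearray(SECTOR)
    slots = [(0x07, 1, 1), (0x07, 2, 1), (0x42, 3, 1)]
    for i, (type_id, start, count) in enumerate(slots):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x00, b"\x00" * 3, type_id, b"\x00" * 3, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + boot_sector(NTFS_SIG) + boot_sector(FVE_SIG) + bytes(SECTOR)


if __name__ == "__main__":
    for rec in triage_image(build_sample_image()):
        print(f"type 0x{rec['type_id']:02x} ({rec['type_name']}) "
              f"LBA {rec['start_lba']}+{rec['sectors']}: {rec['fs']}")
```

Against a real dd image, replace build_sample_image() with open(path, "rb").read() (or read just the needed sectors for a large image). A "BitLocker" verdict on the C volume tells you the partition really is FVE-wrapped, which is the case where a clear-key (pre-provisioned) protector would explain one mounter opening it without a recovery key; an "Unrecognized" verdict with a non-0x07 type ID points instead at the partition-table issue jaclaz describes.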
 
  

athulin
Senior Member
 

Re: Encrypted NTFS Images - Or Not????

Post Posted: Aug 28, 19 10:17

- UnallocatedClusters
My research shows that Microsoft is shipping laptop hard drives in an encrypted state, but without Bitlocker being initialized:


Sounds like you may be talking about Bitlocker pre-provisioning. Pre-provisioning may be enabled, but that does not necessarily mean that encryption is done to any degree of normal security.  
 
  

passcodeunlock
Senior Member
 

Re: Encrypted NTFS Images - Or Not????

Post Posted: Aug 28, 19 11:41

Just check the image file header and footer and you will get your answers.

I'm thinking of an error when mounting the partitions based on the MBR / GPT.

Do you have log files of the failure ?!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

dandaman_24
Senior Member
 

Re: Encrypted NTFS Images - Or Not????

Post Posted: Aug 28, 19 19:35

Bitlocker Clearkey  
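athulin's pre-provisioning remark and dandaman_24's "Bitlocker Clearkey" point at the same thing: a volume whose VMK is stored under a clear-key protector needs no recovery password or TPM to open, which would explain why a mounter that understands FVE metadata opens the C volume unprompted. The following is an added example, not from the thread or from any vendor, that walks the entries of a BitLocker FVE metadata block and lists the protector type of each VMK entry. The entry and VMK value layout and the protection-type constants are my reading of the libbde format documentation, an assumption rather than something the thread states; the sample entries are constructed in build_sample_entries().

```python
"""
Added example, not from the thread: list the protector type of every Volume
Master Key (VMK) entry in a BitLocker FVE metadata block, so a clear-key
(pre-provisioned) volume stands out.  Field layout is assumed from the libbde
format documentation, not taken from the thread:
  entry header:  size u16, entry type u16, value type u16, version u16
  VMK entry:     entry type 0x0002, value type 0x0008
  VMK value:     GUID[16], FILETIME[8], u16 unused, u16 protection type, ...
The sample entries are constructed in build_sample_entries().
"""
import struct

ENTRY_HDR = struct.Struct("<HHHH")
ENTRY_TYPE_VMK = 0x0002
VALUE_TYPE_VMK = 0x0008

# Protection type field of a VMK value (assumed per libbde documentation).
VMK_PROTECTION = {
    0x0000: "clear key",          # VMK stored unprotected: nothing to ask for
    0x0100: "TPM",
    0x0200: "startup key",
    0x0500: "TPM and PIN",
    0x0800: "recovery password",
    0x2000: "password",
}


def iter_entries(blob: bytes):
    """Yield (entry_type, value_type, data) for each well-formed entry."""
    pos = 0
    while pos + ENTRY_HDR.size <= len(blob):
        size, etype, vtype, _version = ENTRY_HDR.unpack_from(blob, pos)
        if size < ENTRY_HDR.size or pos + size > len(blob):
            break  # truncated or corrupt entry: stop rather than misparse
        yield etype, vtype, blob[pos + ENTRY_HDR.size: pos + size]
        pos += size


def vmk_protectors(blob: bytes):
    """Return the protector name of every VMK entry, in on-disk order."""
    names = []
    for etype, vtype, data in iter_entries(blob):
        if etype == ENTRY_TYPE_VMK and vtype == VALUE_TYPE_VMK and len(data) >= 28:
            (prot,) = struct.unpack_from("<H", data, 26)
            names.append(VMK_PROTECTION.get(prot, f"unknown 0x{prot:04x}"))
    return names


def has_clear_key(blob: bytes) -> bool:
    """True when at least one VMK is stored under a clear-key protector."""
    return "clear key" in vmk_protectors(blob)


def build_sample_entries() -> bytes:
    """Constructed metadata entries: a description entry followed by a
    clear-key VMK and a recovery-password VMK (GUID/FILETIME left zero)."""
    def vmk_entry(protection: int) -> bytes:
        value = bytes(16) + bytes(8) + bytes(2) + struct.pack("<H", protection)
        return ENTRY_HDR.pack(ENTRY_HDR.size + len(value),
                              ENTRY_TYPE_VMK, VALUE_TYPE_VMK, 1) + value

    desc = "Sample".encode("utf-16-le")          # value type 0x0002: UTF-16LE string
    desc_entry = ENTRY_HDR.pack(ENTRY_HDR.size + len(desc), 0x0007, 0x0002, 1) + desc
    return desc_entry + vmk_entry(0x0000) + vmk_entry(0x0800)


if __name__ == "__main__":
    sample = build_sample_entries()
    print("VMK protectors:", vmk_protectors(sample))
    print("clear key present:", has_clear_key(sample))
```

To run this against a real volume you first have to locate the metadata blocks from the volume's "-FVE-FS-" header (libbde documents their offsets there) and slice out the entry area that follows the block header; that locating step is deliberately left out here. If the result lists "clear key", the volume opens with no credential at all, which is consistent with what the original poster saw and is also why the drive should not be regarded as protected until BitLocker is actually enabled and the clear key removed.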
 
