Bitlocker Image mount


Postby OliverH » Sun Sep 28, 2014 8:14 pm

I occasionally use BitLocker-protected images, which I need to mount first to analyze them. Is it possible to use libbde to mount a partition or an image with a BitLocker partition, using the BitLocker recovery key, inside Autopsy?
OliverH
 
Posts: 8
Joined: Sun Sep 28, 2014 8:06 pm

Re: Bitlocker Image mount

Postby OliverH » Sat Feb 28, 2015 7:49 am

I've played with the BitLocker stuff again these days. I compiled libbde but ended up having problems mounting the image. The Dokan libraries (backend for libbde as a file system mounter) won't work for me.

But what's the problem, and why use libbde when Windows has BitLocker support?
BitLocker on Windows only supports volumes mounted as data volumes. With an HDD connected through a write blocker, you can access the data instantly after unlocking it with the protection method, if you have the credentials. Creating an image and trying to mount it doesn't let BitLocker on Windows pick it up to unlock it. The mounting method (tried FTK Imager and OSFMount) is different.
There are three possibilities:
Restore the image to a different HDD and run it with a write blocker
Mount the image in a proper way to use it like a real hard drive (e.g. iSCSI mount; I have not followed this track so far)
Mount the image with libbde and the subsystem. But libbde needs an additional part as a subsystem/backend to mount the drive. On Linux you use a user-space tool like FUSE. On Windows there's Dokan and Eldos (not sure about Eldos right now). The Dokan libraries can be found here: http://dokan-dev.net/en/. It can be installed on Win 8 if you change it to Win7 compatibility mode in properties, but it won't let me install the file system driver.

I think that libbde (like on Linux) is the best solution.

Looks like libbde is on the right track for the Autopsy/Sleuthkit world:
https://github.com/libyal/libbde/wiki/Development

Has anyone made more progress on libbde and Windows? Currently I switch back to Linux to run through a BitLocker image.

/edit
There's a fork of the Dokan 0.6.0 version called DokanX which is still supported:
https://github.com/BenjaminKim/dokanx
Alternatively, maybe:
http://www.ltr-data.se/opencode.html/#ImDisk
OliverH
 
Posts: 8
Joined: Sun Sep 28, 2014 8:06 pm
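
For the Linux route described in the post above (libbde with FUSE), the tool needs the byte offset of the BitLocker volume inside the raw image. The following is an added example, not part of the original post or of libbde: it reads the MBR partition table and checks each partition's boot sector for the BitLocker `-FVE-FS-` signature, then builds the matching `bdemount` argument list. It assumes 512-byte sectors and an MBR-partitioned (not GPT) image; the function names, the mount point and the in-memory sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512                 # assumption: 512-byte sectors
FVE_SIGNATURE = b"-FVE-FS-"  # BitLocker volume header signature, bytes 3..10


def find_bitlocker_offsets(image):
    """Return byte offsets of BitLocker volumes found via the MBR partition table."""
    image.seek(0)
    mbr = image.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no boot-sector signature; not a raw disk or volume image")
    if mbr[3:11] == FVE_SIGNATURE:
        return [0]  # image of a single volume, no partition table
    offsets = []
    for i in range(4):  # four primary partition entries start at byte 446
        entry = mbr[446 + 16 * i:462 + 16 * i]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if entry[4] == 0x00 or sector_count == 0:
            continue  # unused slot
        if entry[4] == 0xEE:
            raise ValueError("protective MBR: GPT disk, not handled in this example")
        image.seek(lba_start * SECTOR)
        if image.read(SECTOR)[3:11] == FVE_SIGNATURE:
            offsets.append(lba_start * SECTOR)
    return offsets


def bdemount_args(image_path, offset, mount_point="/mnt/bde"):
    """Argument list for libbde's bdemount; the recovery password is a placeholder."""
    return ["bdemount", "-r", "<RECOVERY-PASSWORD>", "-o", str(offset),
            image_path, mount_point]


def build_sample_image():
    """Constructed test image: NTFS at LBA 128, BitLocker volume at LBA 256."""
    disk = bytearray(SECTOR * 257)
    for slot, (lba, oem) in enumerate([(128, b"NTFS    "), (256, FVE_SIGNATURE)]):
        struct.pack_into("<B3xB3xII", disk, 446 + 16 * slot, 0, 0x07, lba, 64)
        disk[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    disk[510:512] = b"\x55\xaa"
    return io.BytesIO(bytes(disk))


if __name__ == "__main__":
    for off in find_bitlocker_offsets(build_sample_image()):
        print(" ".join(bdemount_args("image.raw", off)))
```

After `bdemount` succeeds, the decrypted volume appears as the file `bde1` under the mount point and can be loop-mounted read-only for analysis.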

Re: Bitlocker Image mount

Postby jasmyndube » Wed Oct 25, 2017 2:12 pm

It will allow you to diagnose directly without mounting that image.
jasmyndube
 
Posts: 1
Joined: Wed Oct 25, 2017 2:05 pm
