October 14th, 2018, 14:40
October 14th, 2018, 15:15
October 14th, 2018, 21:57
October 15th, 2018, 2:52
COD wrote:Is it ssd drive? You can use DMDE for example to clone the drive over the W10
October 15th, 2018, 3:32
October 15th, 2018, 4:41
dick wrote:So who enabled bitlocker on the original drive?
Do you have the user account password?
Do you have a copy of the recovery key which was generated when the original drive was encrypted?
A copy of the recovery key is stored in the user Microsoft account (if they have one).
October 15th, 2018, 4:42
abolibibelot wrote:Won't DMDE make a sector-level clone, which will be encrypted and won't be recognized either, just like with R-Studio & File Scavenger?
On the other hand, it may be possible that doing a full backup with something like Acronis True Image or Macrium Reflect would reproduce the contents as they are seen from within the Win10 system, and then, after mounting the backup, recovery software could run a scan successfully and retrieve the wanted data. The problem is that, based on a few tests I've made with Macrium Reflect, even in “exact copy” mode, which is supposed to preserve all the data from the source including the free space and deleted files, there can be discrepancies between the source volume and the mounted backup (some areas identified as free space appear different when examined side by side in WinHex), based on the fact that such backup software relies on shadow copies (apparently even for non-system drives, for which that shouldn't be necessary, and there doesn't seem to be an option to control that behaviour). Here is a reply I got from Macrium support on the subject:
“An image is created from a VSS snapshot. When VSS takes a snapshot it modifies your file system a little bit and this is why you're seeing small differences when comparing the structure. For a different result please create an image from the Rescue Media without the use of VSS.”
Otherwise, I'd be curious to know if there's a possibility to retrieve the encryption key from within the system used to encrypt the volume, and use that to decrypt it with a third-party tool.
October 15th, 2018, 8:16
October 15th, 2018, 19:46
Voji wrote:When i connect drive to my Win10 machine, it can access the partitions without problem
Voji wrote:This drive is a part of a forensic investigation
October 16th, 2018, 3:27
jermy wrote:something doesn't add up
first, when you can access the bitlocker partition
Voji wrote:When i connect drive to my Win10 machine, it can access the partitions without problem
the drive is decrypted on the fly
then why can't you get A sector by sector clone
jermy wrote:second, forensically speaking
Voji wrote:This drive is a part of a forensic investigation
I think you should have a sector by sector clone as is
I.e. encrypted and not Decrypted
October 16th, 2018, 3:48
What are you trying to do here? It makes no forensic sense!!!
I enabled Bitlocker on the drive (through Win10), and then performed decryption, however, no deleted data is visible after scan.
October 16th, 2018, 8:23
Voji wrote:Is there a way to make a bit-to-bit image/clone of the drive through Windows10 (since the drive is normally accessible from OS), or any other suggestions how to solve this problem?
October 16th, 2018, 12:28
It is WD5000LPLX, so it's not SSD
Thank you for reply. I don't think Acronis is doing anything different, since i need exactly bit-to-bit clone if i want to look for deleted data. Anyway, i'll try both Acronis and Macrium Reflect, won't hurt. Thank you for suggestion.
October 16th, 2018, 13:29
dick wrote:We are still unclear! When mounted on the win10 machine can you browse the system folders and user data?
I can browse drive without a problem. Check attachment (hdd2.PNG)
On windows 7, this is the case (hdd3.PNG)
dick wrote:I'm not a forensics guy but surely you would mount a sector cloned copy of the drive in a pc and unlock it with the known password or the recovery key. If you don't have either then the data is lost!
I don't need to unlock the drive on my Windows10, because Bitlocker is not currently activated (as shown in settings).
dick wrote:I think it would be a good idea to check the partition information with a hex editor to see if it really is a Bitlocker partition. You can use Dmde to do that.
Thank you for advice, i will try it as soon as possible.
dick wrote:Or is it a Bitlocker protected folder?
Nope. The whole partition. (hdd1.PNG)
dick wrote:Or is it using some other method of protection?
Nope. No other methods.
dick wrote:Also in your first post you mentioned....
What are you trying to do here? It makes no forensic sense!!!
I enabled Bitlocker on the drive (through Win10), and then performed decryption, however, no deleted data is visible after scan.
I am trying to recover deleted data from the drive. For forensic investigation purposes, i am using another intact clone which i can access.
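The check suggested in this thread (looking at the partition with a hex editor to see whether it really is a BitLocker partition) comes down to reading the 8-byte OEM ID at offset 3 of each partition's boot sector: a BitLocker volume shows `-FVE-FS-` where a plain NTFS volume shows `NTFS`. The following is an added example, not part of any post in the thread; it assumes an MBR-partitioned image with 512-byte sectors, the function names are hypothetical, and the sample image is constructed.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors
# OEM ID: 8 bytes at offset 3 of a volume boot sector.
OEM_IDS = {b"-FVE-FS-": "bitlocker", b"NTFS    ": "ntfs", b"EXFAT   ": "exfat"}

def classify_boot_sector(sector: bytes) -> str:
    """Classify a volume boot sector by its OEM ID field."""
    if len(sector) < SECTOR:
        return "short-read"
    return OEM_IDS.get(sector[3:11], "unknown")

def scan_mbr_image(img) -> list:
    """Return (index, start_lba, kind) for each used MBR partition entry."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    results = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        (start_lba,) = struct.unpack_from("<I", entry, 8)
        if ptype == 0x00:          # unused slot
            continue
        if ptype == 0xEE:          # GPT protective entry: not parsed here
            results.append((i, start_lba, "gpt-protective"))
            continue
        img.seek(start_lba * SECTOR)
        results.append((i, start_lba, classify_boot_sector(img.read(SECTOR))))
    return results

def build_sample_image() -> io.BytesIO:
    """Constructed image: MBR + one NTFS and one BitLocker boot sector."""
    def vbr(oem: bytes) -> bytes:
        return b"\xeb\x52\x90" + oem + bytes(SECTOR - 11)
    def entry(ptype: int, start: int, count: int) -> bytes:
        return bytes(4) + bytes([ptype]) + bytes(3) + struct.pack("<II", start, count)
    mbr = bytes(446) + entry(0x07, 1, 1) + entry(0x07, 2, 1) + bytes(32) + b"\x55\xaa"
    return io.BytesIO(mbr + vbr(b"NTFS    ") + vbr(b"-FVE-FS-"))

if __name__ == "__main__":
    for idx, lba, kind in scan_mbr_image(build_sample_image()):
        print(f"partition {idx}: start LBA {lba}: {kind}")
```

To use it on a case image, pass a file object opened with `open(path, "rb")` to `scan_mbr_image`.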
October 17th, 2018, 3:56
October 18th, 2018, 9:24
dick wrote:Thanks for the updated info!
So you are able to scan the mounted volume with recovery tools but you don't find any user deleted files?
dick wrote:You mention about connecting to a domain so maybe you are looking in the wrong place. I don't know what type of user files you are looking for but maybe they are/were on the server?