privacynsa.blogg.se

Ftk imager lite




  1. Ftk imager lite password
  2. Ftk imager lite Offline

  • You are capturing evidence from a shared computer and are only allowed to extract files specific to a user account due to legal privilege.
  • You might only have legal permission to, or have been asked to only, extract specific file types.
  • You have strict instructions on what to acquire.
  • In the law enforcement world, there are any number of other reasons why you may be tight on time.
  • You could have been given a computer with no PSU and need to acquire evidence from it before the battery dies (as I once had to do in the back of a $380 taxi journey).
  • This may not be lawfully permitted in your country.
  • This could involve accessing a user's laptop remotely while it is only attached to the network for a short time.

    Perhaps time to capture evidence is limited.


    Now, I’m not saying FTK Imager is about to answer either of those questions for you but there are some handy functions which I had never used until recently.

    Custom content images in FTK Imager allow the analyst to add an evidence item and build a logical image (AD1… sorry XWF users) containing only files of their choosing. Whether it’s management in Law Enforcement looking for the silver bullet ‘Find Evidence’ button in Axiom (no digs at Magnet but please put that back in :)) or the large corporation's incident responder needing to analyse hundreds of endpoints for one specific artefact. This is mainly due to the issue that most units have backlogs, lack of time and urgency to produce results. Quick!

    As we all know, things have moved on quite rapidly from grabbing an image of a dead box and leaving it processing in your tool of choice over the weekend. Modern day forensics and IR require answers. While working in law enforcement I was always obsessed with ensuring I had captured the ‘golden forensic image’ which, for obvious reasons, is still ideal and gives you all that unallocated spacey goodness. There has been at least one report on the X-Ways forum that this feature does not work, so it may not work for all configurations of BitLocker.

    FTK Imager is renowned the world over as the go-to forensic imaging tool. Both existing and deleted files were available within X-Ways after processing. In at least one instance, I was able to add C: drive (not the physical disk, just the partition) and create an image that could in turn be processed by X-Ways. X-Ways support states that this should work. X-Ways support states this is not supported. This was not attempted, but it seems reasonable to assume this will collect unencrypted files. Note that the phrase "logical" here corresponds directly with FTK Imager's use of the term in their image acquire menu. I was able to add a partition and create an image in which the data was unencrypted.

    Note that the phrase "physical" here corresponds directly with FTK Imager's use of the term in their image acquire menu. Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted BitLocker container on it. Live imaging FTK Lite Imaging of a physical drive


    Make sure the destination you select for your new image does not exist. You will be presented a dialog window to enter new information about the image.

  • After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire.
  • The new image will have unencrypted data.
  • If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase.
  • You will be prompted for the password.
  • For EnCase v6 or higher with the encryption module installed.
  • This can also be done from the command-line.
  • Use the BitLocker control panel applet to display the password.
  • (booting from a clone has not been tested at this time.)
  • Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone.
  • Manage-bde.exe -protectors -get C: -Type recoverypassword

    Ftk imager lite password

    The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into e.g. EnCase does not accept the recovery password if there is trailing white space. Note that there is no white space in the recovery password including not at the end, e.g.

  • EnCase (as of version 6) with the (optional) encryption module.
  • Ftk imager lite Offline

    Multiple options to offline decrypt the information, provided the password or recovery password is available, are available.


    One can make an offline image with the image containing encrypted information. There are multiple ways to image a computer with BitLocker security in place, namely:





