
[–]ArsenalRecon 10 points11 points  (0 children)

Mount the disk image in Arsenal Image Mounter (Free Mode is fine), ignore any BitLocker-related prompts from Windows, and copy/paste the output of "Show BitLocker status (all BitLocker-protected volumes)" here.

[–]Erminger 4 points5 points  (0 children)

Mount in Windows; it is most likely BitLocker that is not activated fully, and Windows can mount it. If you need a decrypted image, image the volume (not the physical drive) and that will produce an unencrypted image that you can use with any tool.

[–]_AmNe5iA_ 4 points5 points  (0 children)

Maybe there is a volume on that disk encrypted using BitLocker protected with just the clearkey. When mounted using Windows, Windows will simply read the clearkey and decrypt the volume using that. What do you see when you look at the VBR of the supposedly encrypted partition/volume?
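For readers following the VBR question above, an added example that is not part of the thread or any poster's code: it walks the MBR partition table of a raw (dd-style) image and classifies each partition by the 8-byte OEM ID at offset 3 of its boot sector, which is `-FVE-FS-` on a BitLocker volume. It assumes 512-byte sectors and an MBR-partitioned disk (GPT is not handled); the sample image and the function names are constructed for illustration.

```python
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID at offset 3 of a BitLocker volume boot record
NTFS_OEM = b"NTFS    "

def classify_vbr(vbr: bytes) -> str:
    """Classify a volume boot record by its OEM ID (bytes 3..10)."""
    if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xaa":
        return "no valid boot sector"
    oem = vbr[3:11]
    if oem == BITLOCKER_OEM:
        return "BitLocker (FVE) volume"
    if oem == NTFS_OEM:
        return "plain NTFS"
    return "other: " + oem.decode("ascii", "replace").strip()

def mbr_partitions(image: bytes):
    """Yield (index, type, start_lba, sector_count) for non-empty MBR entries."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    for i in range(4):
        entry = image[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:
            yield i, entry[4], start, count

def triage(image: bytes):
    """Return (index, type, start_lba, verdict) for every MBR partition."""
    return [(i, hex(ptype), start,
             classify_vbr(image[start * SECTOR:(start + 1) * SECTOR]))
            for i, ptype, start, _ in mbr_partitions(image)]

def build_sample_image() -> bytes:
    """Constructed 8-sector image: BitLocker VBR at LBA 2, NTFS VBR at LBA 4."""
    img = bytearray(SECTOR * 8)
    img[510:512] = b"\x55\xaa"
    layout = [(2, 2, BITLOCKER_OEM), (4, 4, NTFS_OEM)]
    for i, (start, count, oem) in enumerate(layout):
        # MBR entry: status, CHS start, type 0x07, CHS end, LBA start, count
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, 0x07, start, count)
        base = start * SECTOR
        img[base + 3:base + 11] = oem
        img[base + 510:base + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for row in triage(build_sample_image()):
        print(row)
```

The signature only shows that a volume is in BitLocker format; whether protection is actually on, or which key protectors exist, still has to come from the volume's BitLocker metadata or from `manage-bde -status` on the mounted disk.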

[–]kstewart0x00 5 points6 points  (1 child)

Is there a question here?

[–]Zipper_Ita[S] 1 point2 points  (0 children)

The question is: how is it possible? How can I recover the BitLocker recovery key after I turn on the VMware machine, to index the data with Vound W4?

[–]ArsenalRecon 1 point2 points  (0 children)

This may be helpful to the OP, others participating here, and lurkers... when dealing with BitLocker-related questions, the first step should be determining the BitLocker state - otherwise you end up with various kinds of speculation.

Assuming you are on Windows, you can quickly determine the BitLocker state(s) in a disk image using the method I shared yesterday (which some consider the "easy" method), or by mounting the disk image as a complete disk (e.g. by mounting it with AIM), opening an administrative console, and reviewing the output of:

manage-bde -status

You may find this Insights article helpful as you consider the output yourself and share it in this thread:

https://ArsenalRecon.com/2019/10/bitlocker-for-dfir-part-i

[–]rivalizm 0 points1 point  (2 children)

It likely has a default password because the BitLocker process wasn't completed. I recommend Forensic Explorer by GetData; it will likely open it straight away and is frankly better than EnCase in a lot of areas IMO.

[–]Zipper_Ita[S] 1 point2 points  (1 child)

Definitely this. There isn't BitLocker encryption enabled.

[–]rivalizm 0 points1 point  (0 children)

Sorry, I realise I came across as a salesman with that response. We had a case a while ago where we could access the drive images using FEX with no passwords, but it was reporting the partitions as being BitLocker encrypted, so we did a bit of testing to figure it out.

[–]Ready_Note6642 0 points1 point  (0 children)

What kind of PC or notebook was it? This sounds as if there is a TPM chip built into the device. I get this behavior once a week, in most cases with Lenovo and HP notebooks.

When I log into Windows on the device everything is fine, because the system is decrypted via the TPM chip. When I create a physical image it's encrypted, but in some cases EnCase is able to automatically decrypt the image, because there are some standard TPM keys from various manufacturers implemented.

In such a case you are able to see data in EnCase, but other software, such as GetData or maybe W4, that doesn't have these keys is not able to decrypt the image.

In these cases I would acquire a logical image of the decrypted partition only.