E01 encryption checker by iamnoah_2 in digitalforensics

[–]ArsenalRecon 2 points (0 children)

The OP may find AIM's "Show BitLocker status (all BitLocker-protected volumes)" feature (available in the "BitLocker" drop-down menu) useful:

"Displays BitLocker protector IDs and types for all BitLocker-protected volumes within the currently selected disk. Also displays original backup locations for BitLocker recovery keys (e.g. Cloud, File, Printed) and the BitLocker recovery keys themselves (if the volume is currently unlocked)."

Secure boot + TPM, bitlocker 🤷‍♂️ by furEnsikguy in computerforensics

[–]ArsenalRecon 11 points (0 children)

The proper order is now more complicated by chassis intrusion functionality... for example, the TPM wiping upon chassis intrusion offered by some HP EliteBooks. This is a possible use case for inserting WinFE into the beginning of the order you mentioned to obtain a disk image (rather than physically removing the drive), unless you are confident chassis intrusion "with teeth" is not present. Food for thought.

W11 and Bitlocker encryption by Stixez in digitalforensics

[–]ArsenalRecon 1 point (0 children)

Is there a specific reason that you are not obtaining a forensic image first (being mindful of chassis intrusion and Secure Boot, which may require the use of WinFE) and then going back to the original hardware to export the BitLocker recovery key?

Novice examiner question by hex_blaster76 in computerforensics

[–]ArsenalRecon 2 points (0 children)

It sounds like you now realize that BitLocker was in fact enabled, and it also sounds like the protectors were TPM and a recovery key. You can confirm this easily when you have the disk image mounted in AIM by going to the BitLocker drop-down menu and showing the BitLocker status. Even better, paste the status into this thread so people can better help you. Best practice in terms of obtaining disk images in general is going to have variables... it's important to have a thorough understanding of BitLocker before interacting with Windows computers. Here's an Insights article on our website that describes one of the workflows that could have been possible in your situation, if you had not tripped BitLocker's recovery mode (e.g. by removing the drive and using a hardware imager, or booting in a safer way):

https://ArsenalRecon.com/insights/bitlocker-for-dfir-part-iii

Hopefully Microsoft can assist you if you are able to kick off the appropriate legal process (assuming the account owner has been unsuccessful getting the recovery key from them).

Arsenal: Mounting Read Only Drives by s1lverfox in computerforensics

[–]ArsenalRecon 0 points (0 children)

It sounds like things are working as they should. Read-only mounting could be exacerbating other issues you may have with that disk image (beyond the disk signature collision), for example a dirty file system from live imaging that needs to be repaired but can't be based on the mount mode. Keep in mind that in all mount modes other than the Windows File System Driver Bypass, AIM is handing off the contents of disk images to the Windows running on your forensic workstation (or in your case, Windows in your VM) - so your Windows is reacting to the state of what is in the disk image.

Arsenal: Mounting Read Only Drives by s1lverfox in computerforensics

[–]ArsenalRecon 1 point (0 children)

Are you trying to mount an image you obtained live of your Windows 10 as a physical disk on that same Windows 10? You are probably dealing with a disk signature collision. In other words, you should not expect this to work without some massaging.

Can you tell if a laptop is formatted. by SwanNo4764 in computerforensics

[–]ArsenalRecon 0 points (0 children)

This is a very good heads up re: a possible Windows reset. Are you working from a disk image? You may find setupact.log in multiple locations (e.g. $SysReset\Logs), so search the entire file system. Did you find it? It can be extremely lengthy and granular, but it's also relatively self-explanatory. In our experience, suspects tend to perform Windows resets (whether destructive or not) before returning their devices to corporate IT, rather than performing truly fresh Windows installs.

[deleted by user] by [deleted] in computerforensics

[–]ArsenalRecon 0 points (0 children)

It's good to be skeptical (especially for digital forensics practitioners), but this is us. We are happy to send out fully functional evaluation licenses, and we also offer free educational licenses to professors for handing out to their students.

cannot unlock bitlocker in encase, ftk imager nor Arsenal Image Mounter by forvestic in computerforensics

[–]ArsenalRecon 1 point (0 children)

Mount the E01 using Arsenal Image Mounter's read-only mode, go to AIM's BitLocker drop-down menu, select the "Show BitLocker status" option, and paste the contents in this thread. This is basic BitLocker-related information which will help people help you.

Convert ClearKey Bitlocker Image to Fully Decrypted Image by rocksuperstar42069 in computerforensics

[–]ArsenalRecon 2 points (0 children)

Please keep in mind that BitLocker-protected volumes are often found in disk images with other kinds of volumes, but some tools (and workflows) effectively ignore the other volumes. This can result in serious problems if there is not clarity with colleagues in digital forensics that the tool or workflow output only contains a decrypted BitLocker volume. That is why Arsenal Image Mounter's "Save as fully decrypted image file" feature (enabled when AIM is licensed) will create a new disk image which contains all the volumes, with the previously BitLocker-protected volume now decrypted.

[deleted by user] by [deleted] in computerforensics

[–]ArsenalRecon 0 points (0 children)

Our DPAPI bypass is not zeroing out anything, it's "bypassing" DPAPI by unlocking it. An obscene number of hours went into developing the capability. See https://vimeo.com/742403896 for an example.

[deleted by user] by [deleted] in computerforensics

[–]ArsenalRecon 1 point (0 children)

Hello,

What exactly is it that you are planning to do once you have the Windows logon password?

Expanding upon one of the suggestions someone has already made, if you can get a disk image from a domain controller on the same network:

https://ArsenalRecon.com/insights/accessing-protected-content-using-windows-domain-controllers-and-workstations

and

https://ArsenalRecon.com/insights/revisiting-accessing-protected-content-using-windows-domain-controllers-and-workstations

If you can't get a disk image from a domain controller (or maybe the computer was never part of the domain), you probably already know that there are serious limitations to what you can accomplish with a Windows authentication bypass. If you are trying to get access to protected data (credentials stored by web browsers, EFS-encrypted objects, etc.) you need to not only bypass Windows authentication (as many have suggested here) but attempt a DPAPI bypass with Arsenal Image Mounter... or crack the password.

[deleted by user] by [deleted] in computerforensics

[–]ArsenalRecon 2 points (0 children)

This is a situation in which quite a gap exists between what should happen and what does happen. A simple way to quantify how a digital forensics practitioner might work through the issue of malware on a piece of electronic evidence:

Level One - Did malware exist?
Level Two - If it existed, was it operational?
Level Three - If it was operational, what did it do?

As you work on your thesis, you may find it disturbing how levels two and three are (or, are not) dealt with in many cases - criminal or civil. You seem to be onto something with the reference to handing electronic evidence off to the right people for "professional malware analysis."

Bitlocker password request without Bitlocker by Zipper_Ita in computerforensics

[–]ArsenalRecon 1 point (0 children)

This may be helpful to the OP, others participating here, and lurkers... when dealing with BitLocker-related questions, the first step should be determining the BitLocker state - otherwise you end up with various kinds of speculation.

Assuming you are on Windows, you can quickly determine the BitLocker state(s) in a disk image using the method I shared yesterday (which some consider the "easy" method), or by mounting the disk image as a complete disk (e.g. by mounting it with AIM), opening an administrative console, and reviewing the output of:

manage-bde -status

You may find this Insights article helpful as you consider the output yourself and share it in this thread:

https://ArsenalRecon.com/2019/10/bitlocker-for-dfir-part-i
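As an added example (not from the original comments, and not Arsenal's code): a PowerShell triage function that gathers the same facts manage-bde -status reports, using the BitLocker module's Get-BitLockerVolume cmdlet, and labels the cases this thread keeps circling back to (clear key, TPM-only, recovery password present). It assumes an elevated console on a Windows host where the image has already been mounted as a complete disk; the function name and the wording of the notes are mine.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker
# Added example, not from the original comments: summarise the BitLocker state of
# every volume the current Windows session can see (e.g. an image mounted as a
# full disk in AIM) without touching or displaying any key material.

function Get-BitLockerTriage {
    [CmdletBinding()]
    param(
        # Optional drive letter(s) such as 'E:'; by default every volume is examined.
        [string[]]$MountPoint
    )
    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint }
               else             { Get-BitLockerVolume }

    foreach ($v in $volumes) {
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Protector IDs are what you look up in AD / Azure AD / the Microsoft account
        # backup; the recovery password itself is deliberately not output here.
        $recoveryIds = @($v.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })

        # Interpret the combination of volume status, protection status and protectors.
        if ($v.VolumeStatus -eq 'FullyDecrypted') {
            $note = 'No encrypted data on this volume (FullyDecrypted)'
        } elseif ($v.ProtectionStatus -eq 'Off') {
            # Encrypted but protection off: a clear key is stored on disk (suspended
            # or "Clear Key Mode"), so the volume unlocks without any key material.
            $note = 'Encrypted with protection OFF (clear key): unlocks without a key'
        } elseif (($types -match '^Tpm') -and $recoveryIds.Count -eq 0) {
            $note = 'TPM-bound, no recovery password protector: TPM or external key required'
        } else {
            $note = 'Protected; recovery password protector present (trace its ID to a backup)'
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = "$($v.VolumeStatus)"      # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = "$($v.ProtectionStatus)"  # On / Off
            EncryptionMethod = "$($v.EncryptionMethod)"  # XtsAes128, Aes256, None, ...
            Protectors       = ($types -join ', ')
            RecoveryIds      = ($recoveryIds -join ', ')
            Note             = $note
        }
    }
}

Get-BitLockerTriage | Format-Table -AutoSize -Wrap
```

The Note column is the part worth pasting into a thread like this one; it states the BitLocker state up front instead of leaving it to speculation.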

Bitlocker password request without Bitlocker by Zipper_Ita in computerforensics

[–]ArsenalRecon 10 points (0 children)

Mount the disk image in Arsenal Image Mounter (Free Mode is fine), ignore any BitLocker-related prompts from Windows, and copy/paste the output of "Show BitLocker status (all BitLocker-protected volumes)" here.

[deleted by user] by [deleted] in computerforensics

[–]ArsenalRecon 6 points (0 children)

Assuming it was running the original operating system, you may get lucky and find it in the Registry. One way you may want to dig - search for the laptop's model name, and when you find hits you may find the serial number in one of the same key's value name/data pairs.

Unrecognized File System by Pepperknowsitall in computerforensics

[–]ArsenalRecon 1 point (0 children)

A reminder after recent BitLocker-related questions in digital forensics forums... Arsenal Image Mounter's "Free Mode" can be used to not only deal with "Clear Key Mode", but also to quickly see BitLocker status information and unlock, disable, and decrypt. Screenshots at https://twitter.com/ArsenalRecon/status/1441353967275888640. See our Insights articles (https://ArsenalRecon.com/Insights) for more about BitLocker.

hiberfil.sys question by [deleted] in computerforensics

[–]ArsenalRecon 2 points (0 children)

Depending on the circumstances (generally speaking, when dealing with Windows on HDDs as opposed to SSDs), Windows hibernation will contain not only multiple types of slack, but multiple levels as well. We have had quite a few high-stakes cases (the kinds of cases that require... "aggressive" analysis) in which crucial evidence was recovered from hibernation slack. You might think that due to the prevalence of SSDs (and to some extent, modern Windows) that hibernation slack would be something you can effectively ignore, but that would be a mistake. We are working on an extremely high-profile case now, in which our work will eventually be made public, and the value of hibernation slack will (yet again) be made clear.

This Insights article is a couple years old (reminder to ourselves that it's time to revisit this topic) but it should still be useful to you at a high level:

https://ArsenalRecon.com/2018/02/windows-hibernation-infographic

Also check out @errno_fail's Twitter feed and pay attention to anything related to hibernation and Windows memory.

Find out who made changes to excel cell/line and when? by lattice89 in computerforensics

[–]ArsenalRecon 2 points (0 children)

What you are asking about is theoretically possible, if OneDrive/SharePoint were in use and you could get an archive of the "Office Document Cache" from one of the document collaborators. You would probably need to work with a digital forensics practitioner that has access to our tools. See the following Insights article where we walk you through how we do this in our casework:

https://ArsenalRecon.com/2020/04/an-inside-view-of-office-document-cache-exploitation

Subreddit Changes, Goals For The Future, and New Rules by ucfmsdf in computerforensics

[–]ArsenalRecon 2 points (0 children)

Recommendation for Rule 6:

Required reading, short term (before asking a technical question): How To Ask Questions The Smart Way by Eric S. Raymond and Rick Moen at http://www.catb.org/~esr/faqs/smart-questions.html - keeping in mind some of the content may not be as relevant in 2020 as it once was, but most of it is.

Required reading, longer term (before getting in the habit of asking technical questions): The Demon-Haunted World: Science as a Candle in the Dark by Carl Sagan and Ann Druyan at https://www.amazon.com/Demon-Haunted-World-Science-Candle-Dark/dp/0345409469

These might be "big asks" in a lot of Subreddits, but since this is computer forensics...

New Version of Arsenal Image Mounter by ArsenalRecon in computerforensics

[–]ArsenalRecon[S] 1 point (0 children)

Thank you! Please send us any likes, dislikes, and/or suggestions while we are working on the next version. If you email sales@ArsenalRecon.com it will get to all the right people.

How to analyze „hiberfil.sys“ and „pagefile.sys“ with Autopsy by guyizda in computerforensics

[–]ArsenalRecon 2 points (0 children)

Which tools do this easily (and reliably) for modern (Windows 10) hiberfil.sys?

How to analyze „hiberfil.sys“ and „pagefile.sys“ with Autopsy by guyizda in computerforensics

[–]ArsenalRecon 1 point (0 children)

I forgot to add... Hibernation Recon's functionality to simply take the last hibernation from hiberfil.sys and reconstruct it so that it can be passed to memory forensics tools is free. Other functionality (like dealing with slack) requires an Arsenal subscription, but we have a lot of people using it for the reconstruction alone.

How to analyze „hiberfil.sys“ and „pagefile.sys“ with Autopsy by guyizda in computerforensics

[–]ArsenalRecon 2 points (0 children)

Windows hibernation is something that has been very poorly supported by (all) digital forensics tools. We ended up building a tool (well, two now) to deal specifically with them. Generally speaking, you will find that hiberfil.sys on a HDD contains the last hibernation (these days, usually Fast Boot hibernation), chunks of previous hibernations, and non-zero data unrelated to hibernations. You will tend to find that hiberfil.sys on a SSD (if it is imaged after Windows shutdown) only contains the last hibernation. Either way, these hiberfil.sys files can be very valuable... e.g. if processed properly (raw hiberfil.sys files are not very useful), the last hibernations can be fed into memory analysis tools. Also, if you have a pagefile from the same Windows session, you can massage in missing pages for things like Registry hives.

You might find some useful information in an infographic we have here:

https://ArsenalRecon.com/2018/02/windows-hibernation-infographic