Unlike an Opal SED, a BitLocker drive can be physically imaged (e01, ex01, dd,
dmg) or cloned in its encrypted state. Such evidence can then be used with forensic
investigation tools such as EnCase Forensic to decrypt and analyze the evidence.
Once unlocked, the drive/partition can be used for any supported operations
including browsing, logical imaging, and any applicable media utilities. Note that,
while TX1 cannot format media as BitLocker, any previously formatted BitLocker
drives/partitions can be unlocked and used as a destination for file-based operations
such as writing image files and exporting logs.
Note: BitLocker encryption can be disabled, which is also known as Clear
Key mode. While the data at rest remains encrypted in this mode, a password
or recovery key is not required to unlock the encryption. On TX1, the method
to unlock a disabled BitLocker drive/partition is the same as described above
except that the Password/Recovery Key field will be disabled. TX1 will retrieve
the Clear Key from the BitLocker metadata and use it to unlock the encrypted
drive/partition.
When a drive/partition is BitLocker encrypted, it is assigned a Recovery ID number.
TX1 will display the assigned BitLocker Recovery ID on the Encryption
Unlock screen, which can help to identify specific drives that require a specific
password/recovery key.
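Because a BitLocker drive can be imaged in its encrypted state, it helps to confirm which partitions of a raw (dd) image are BitLocker volumes before loading it into an analysis tool. The following Python sketch is an added example, not part of the TX1 documentation or firmware; it assumes an MBR-partitioned image with 512-byte sectors, and the function names and sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512
# OEM ID found at bytes 3..10 of the boot sector of a fixed BitLocker volume.
# BitLocker To Go volumes use a FAT-style header instead and are not matched here.
BITLOCKER_OEM_ID = b"-FVE-FS-"

def mbr_partitions(img):
    """Yield (index, type, first_lba, sector_count) for used primary MBR entries."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            yield i, ptype, first_lba, count

def find_bitlocker_partitions(img):
    """Return [(index, first_lba, sector_count)] for partitions still BitLocker-encrypted."""
    hits = []
    for idx, _ptype, first_lba, count in mbr_partitions(img):
        img.seek(first_lba * SECTOR)
        boot = img.read(SECTOR)
        if boot[3:11] == BITLOCKER_OEM_ID:
            hits.append((idx, first_lba, count))
    return hits

def build_sample_image():
    """Constructed image: partition 0 is plain NTFS, partition 1 is BitLocker."""
    img = bytearray(SECTOR * 64)
    def entry(ptype, lba, count):
        # status + CHS start (4 bytes), type, CHS end (3 bytes), LBA start, sector count
        return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", lba, count)
    img[446:462] = entry(0x07, 8, 16)
    img[462:478] = entry(0x07, 32, 16)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3: 8 * SECTOR + 11] = b"NTFS    "
    img[32 * SECTOR + 3: 32 * SECTOR + 11] = BITLOCKER_OEM_ID
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for idx, lba, count in find_bitlocker_partitions(build_sample_image()):
        print(f"partition {idx}: BitLocker volume at LBA {lba}, {count} sectors")
```

To check a real acquisition, pass a file opened with open(path, "rb") in place of the constructed image; GPT-partitioned disks need a GPT parser instead of mbr_partitions.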
3.3.5.3 APFS encryption
Drive volumes that are encrypted with APFS can be unlocked by TX1, as described
in the beginning of Encryption unlock above. The presence of an encrypted APFS
volume is noted in any area of the user interface that shows information about the
attached drive, including drive tiles (which show in numerous locations), the Drive
Details screen, and the Content Breakdown screen.
Once unlocked, the APFS volume can be used for any supported operations
including browsing, imaging (physical or logical), and any applicable media utilities.
It is important to note that there are distinct and critical differences in how TX1
handles the various encryption methods that can be unlocked on TX1 ‒ APFS,
BitLocker, Opal, and Tableau encryption. The table below summarizes how each of
these encryption types will appear or be used in the identified TX1 operations in
both their locked and unlocked states.
| Operation | APFS Locked | APFS Unlocked | BitLocker Locked | BitLocker Unlocked | Opal Locked | Opal Unlocked | Tableau Locked | Tableau Unlocked |
|---|---|---|---|---|---|---|---|---|
| Logical Image (Source) | n/a (no filesystems to image from) | Selected files/folders will be imaged | n/a (no filesystems to image from) | Selected files/folders will be imaged | n/a (no reads possible) | Selected files/folders will be imaged | n/a (no filesystems to image from) | Selected files/folders will be imaged |
Chapter 3 Configuring TX1
58
OpenText™ Tableau™ Forensic TX1 Imager
ISTX240300-UGD-EN-1