Features of working with images of encrypted disks in Windows
Many forensic examiners and other experts work with disk images every day. Some of them work with images of encrypted disks. One of their most common tasks is mounting disk images. After mounting a disk image, you can work with the data saved on it. In this article I will talk about some of the problems and specifics that you may encounter when mounting images of encrypted disks.
I will use the following programs in my research to mount disk images:
And the following programs to create and open encrypted drives:
Operating system: Windows 10 v 1803.
For my experiments, I will use the two disk image formats most popular among forensic examiners:
So, let's start.
AccessData FTK Imager
FTK Imager did not show the best results. I began my experiments with an image of a disk encrypted using BitLocker. I set the “Mount Type” parameter to “Physical & Logical”. After mounting the disk image, FTK Imager showed in the “Mapped Image List” that the image was mounted both as a physical and as a logical disk (shown in the screenshot below).
But Windows could not see the newly mounted disk image as a physical disk, and the Disk Management utility did not display it. As a result, with FTK Imager I could mount only the logical disk of my disk image.
For BitLocker, this was not so bad. I was able to open the logical drive in Windows Explorer, decrypt and extract data using BitLocker To Go Reader. With other types of encrypted drives I was less fortunate. Symantec Encryption Desktop and VeraCrypt could not access the data without accessing the disk as if it were physical. And I could not decrypt images of disks encrypted using Symantec Encryption Desktop and VeraCrypt using FTK Imager.
When mounting a disk image, OSFMount prompts you to choose whether to use the entire image file or a specific partition (the “Select a partition in image” window in the screenshot below). The program can only create a logical disk from your disk image. If you choose "Use entire image file" in the “Select a partition in image” window, OSFMount will mount your entire disk image as a logical disk. If you choose a partition, OSFMount will mount that specific partition as a logical disk. Windows will not be able to see disk images mounted using OSFMount as physical disks.
For unknown reasons, the image of a disk encrypted with BitLocker could not be opened. I was able to open the logical drive in Windows Explorer. But BitLocker To Go Reader showed an error and could not open the drive (shown in the screenshot below).
For Symantec Encryption Desktop and VeraCrypt, I got the same result as using FTK Imager.
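Whether to pick the entire image file or a single partition depends on what the image actually contains. As an added example (not part of the original article and not code from any of the tools reviewed here), the Python code below reads a raw (.dd/.img) image, lists its MBR partitions and flags volumes that carry the BitLocker boot sector signature. It assumes 512-byte sectors and MBR partitioning; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512                 # assumed sector size
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID at byte offset 3 of a BitLocker volume boot sector

def classify(boot_sector):
    """Label a volume by the OEM ID in its first sector."""
    oem = boot_sector[3:11]
    if oem == BITLOCKER_OEM:
        return "BitLocker"
    if oem == b"NTFS    ":
        return "NTFS"
    # VeraCrypt volumes carry no signature, so they are reported here as well.
    return "no known signature"

def triage(image):
    """Return [(start_lba, sector_count, label)] for the bytes of a raw image."""
    first = image[:SECTOR]
    if len(first) < SECTOR:
        raise ValueError("image shorter than one sector")
    label = classify(first)
    # Assumption: an unrecognised sector 0 ending in 55 AA is an MBR;
    # anything else is treated as a single-volume (logical) image.
    if label != "no known signature" or first[510:512] != b"\x55\xaa":
        return [(0, len(image) // SECTOR, label)]
    found = []
    for i in range(4):  # four 16-byte primary entries starting at offset 446
        ptype, start, count = struct.unpack_from("<4xB3xII", first, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue
        if ptype == 0xEE:
            found.append((start, count, "GPT protective entry (GPT not parsed)"))
            continue
        vbr = image[start * SECTOR:(start + 1) * SECTOR]
        found.append((start, count, classify(vbr) if len(vbr) == SECTOR else "outside image"))
    return found

def build_sample_image():
    """Constructed test image: MBR, one NTFS-like and one BitLocker-like partition."""
    img = bytearray(96 * SECTOR)
    for i, (start, oem) in enumerate([(32, b"NTFS    "), (64, BITLOCKER_OEM)]):
        struct.pack_into("<4xB3xII", img, 446 + 16 * i, 0x07, start, 32)
        img[start * SECTOR + 3:start * SECTOR + 11] = oem
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for part in triage(build_sample_image()):
        print(part)
```

A result of "no known signature" does not mean the volume is unencrypted; it only means this one signature check did not match.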
Mount Image Pro
Mount Image Pro showed very good results. It allows you to mount a disk image as a physical disk. Windows sees such disks as physical, and the Disk Management utility displays them correctly.
The drive encrypted by BitLocker (the same happened with the Symantec Encryption Desktop drive) was recognized automatically, and the system immediately offered to enter a password to unlock the drive. VeraCrypt was also able to correctly decode the corresponding disk.
Disk Adapter For VMware Workstation + VMware Workstation Player
This way of working with disk images is non-standard compared to those described above. Disk Adapter For VMware Workstation offers an easy way to connect RAW (.dd, .img) and EnCase (.E01) disk images to VMware Workstation Pro and/or Player with minimum effort on your behalf. I used VMware Workstation Player for my experiments (it's free for non-commercial use).
To connect disk images to a virtual machine, just add them to the Disk Adapter For VMware Workstation and turn on the checkbox “Connect to VMware Workstation Player” (shown in the screenshot below).
After that, you need to add the disk images to a virtual machine as an existing virtual hard disk (more information about this can be found here). Windows running in a virtual machine sees our encrypted disk images as physical disks. The encrypted disks of all types I checked were successfully recognized and unlocked in standard ways.
I combined all the results in one table for clarity and added information about the cost of the products described:
In this article I described the features of working with images of encrypted disks in Windows. As examples, I used the three disk encryption systems that are most popular in my opinion and four different solutions for working with such disks. I used the two disk image formats most popular among forensic examiners: EnCase EWF (.E01) and Raw Image (.IMG, .DD).
VMware, Workstation, Pro, Player are registered trademarks of VMware, Inc. in the United States and other countries.
Other names may be trademarks of their respective owners.