Cloning a LOCKED encrypted non-system partition to an external USB drive. "Exact copy" or...


dyhs
Hi,

Question for the experts: should I set Forensic copy when cloning a locked BitLocker partition (non-system, just data there) to an external USB drive?

I tried, in Windows, without the "exact copy" setting. MR6.3 performed an Intelligent sector copy, and--to my surprise--the cloned disk was encrypted already, ready to go as a "BitLocker To Go" unit.

That's all very well and good, but I was under the impression that an encrypted drive needed to be unlocked before cloning, otherwise MR couldn't perform an Intelligent sector copy but only a Forensic copy and, anyway, BitLocker would have to encrypt the target drive again after cloning.

According to the KB article about encrypted partitions:
"It isn't absolutely necessary to unlock a BitLocker encrypted drive when restoring an image of the encrypted partition. The partition will restore without problems but will require re-encrypting on reboot.
Unlocking the drive in Windows PE enables intelligent sector copy imaging and cloning."


Does that apply to Windows PE but not to regular Windows?

Sorry if I'm missing something, I'm just trying to understand how it works.

I am positive the BL partition was still locked.
I don't know if it matters, I do not use TPM with BL.


Edited 11 July 2017 12:02 PM by dyhs
jphughan
My only guess there is that if you set BitLocker to encrypt only the sectors in use rather than the entire partition space when you first enabled it, Reflect might have been able to use that in order to only copy sectors that appeared to have data in them, even if it couldn't tell what the data was. However, if you'd asked me to predict the outcome of this I'd have said that intelligent sector copy wouldn't have worked, so take that guess with a grain of salt.

On an unrelated note though, TPM can't be used to unlock non-system partitions to my knowledge; they use BitLocker To Go. However, if you're using regular BitLocker for your system partition and it has a TPM, you should consider using it as a protector. It would allow you to use a short PIN rather than a long password while preserving key security and would allow platform validation to take place at boot as an additional safeguard against malware loading in a way that would capture your BitLocker password while you enter it. Or if you opt not to use a PIN and go solely with TPM, you can remotely restart your PC and still have it come back up rather than getting stuck at a password prompt, even if you forget to suspend BitLocker. The only annoyances with TPM-based implementations are that BIOS updates trigger a Recovery Key if you forget to suspend it first, and accessing the disk from another system also requires a Recovery Key, but that's never been a major problem for me. Microsoft didn't choose to require a TPM for BitLocker by default for no reason. ;)
Edited 11 July 2017 3:31 PM by jphughan
dyhs
Thanks jphughan.

I can't recall if that was the case, but it is entirely possible that I set BitLocker to encrypt only the sectors in use.

As to TPM, the laptop in question lacks the chip, so my choice was easy :)


dyhs
New test. Same locked non-system disk, but encrypted with VeraCrypt this time. I took care to set the "Encrypt partition in place" option: "The entire selected partition and all data on it will be encrypted in place" (see screenshot).
https://forum.macrium.com/uploads/images/6ad8864d-ae90-4629-a8b7-9a26.jpg

MR, in Windows, sees it as unformatted but clones it alright to an external USB drive, even with Intelligent sector copy = Y.

The result is a VC encrypted volume, ready to go.


p.s. I tried both Intelligent sector copy and Forensic mode. Both cloning tasks, Intelligent and Forensic, took exactly the same time.
Therefore I guess they actually did the same thing and had the same effect.
When it comes to a locked encrypted drive, you can still set the Intelligent sector copy option, but MR has to copy each and every sector anyway.
That's my understanding, at least.

Whatever copy mode I picked, the clone was encrypted and ready to be decrypted with VeraCrypt.




Edited 13 July 2017 12:35 PM by dyhs
jphughan
Nice! I'm betting in that case Reflect's intelligence concluded that it would essentially have to fall back to forensic mode for this job and did so automatically rather than failing outright simply because it couldn't make sense of the data. That's precisely what I'd have expected and hoped it would do. :)
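Added example, not part of the thread and not Macrium's code: a Python illustration of what an imaging tool can learn from the first sector of a locked volume without any key, which is the situation behind the fallback discussed above. The function names, the entropy threshold and the copy policy are assumptions for illustration, and the sample sectors are constructed.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8 for ciphertext or random data."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_boot_sector(sector: bytes) -> str:
    """Label a volume by what its first sector reveals without any key."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one full 512-byte sector")
    oem_id = sector[3:11]  # OEM ID field of a volume boot record
    if oem_id == b"NTFS    ":
        return "ntfs"
    if oem_id == b"-FVE-FS-":
        return "bitlocker"  # BitLocker leaves this signature in cleartext
    if shannon_entropy(sector[:SECTOR]) > 7.0:  # assumed threshold
        return "opaque"  # no signature, looks random (e.g. a VeraCrypt header)
    return "unknown"

def copy_strategy(kind: str) -> str:
    """Assumed policy: only a readable file system tells us which sectors are free."""
    return "used-sectors" if kind == "ntfs" else "all-sectors"

# Constructed sample sectors (not taken from real disks).
def make_boot(oem: bytes) -> bytes:
    return b"\xeb\x52\x90" + oem + bytes(SECTOR - 13) + b"\x55\xaa"

def make_opaque_sector() -> bytes:
    # Deterministic stand-in for an encrypted header: 16 SHA-256 digests.
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

SAMPLES = {
    "unlocked NTFS": make_boot(b"NTFS    "),
    "locked BitLocker": make_boot(b"-FVE-FS-"),
    "locked VeraCrypt": make_opaque_sector(),
    "blank disk": bytes(SECTOR),
}

def plan(samples=SAMPLES):
    """Map each sample name to (detected kind, copy strategy)."""
    return {n: (classify_boot_sector(s), copy_strategy(classify_boot_sector(s))) for n, s in samples.items()}

if __name__ == "__main__":
    for name, (kind, strategy) in plan().items():
        print(f"{name:18} {kind:10} {strategy}")
```

Copying every sector of a locked volume carries the ciphertext over unchanged, which is consistent with the clones in this thread being usable as encrypted volumes straight away.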