Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

During the course we will collect a FileVault 2 encrypted MacBook Air in minutes without breaking a sweat using Evimetry. Once we have a series of fully encrypted forensic images will use GetData Mount Image Pro to decrypt our forensic images and make the data available for further forensic analysis.

Prerequisites

• Before any forensic acquisition you must document the evidence
• See my Cybrary course: “Evidence Handling: Do it the Right Way”
• See my Cybrary course: “Basic Evimetry Deadboot Forensic Acquisition: Wired & Local”
• A full-featured, evaluation copy of Evimetry
• An evaluation copy of Mount Image Pro
• Internet connected computer
• An encrypted Mac computer
• A USB thumbdrive for dead booting
• A storage drive (USB3 External)

Course Goals

By the end of this course, students should be able to:

• How to identify a BitLocker’d or FileVault’d disk by signature
• Acquire a FileVault’d Mac with Evimetry
• Use Mount Image Pro to decrypt Windows and Mac encrypted volumes

• Introduction
• Introduction
• Getting the Bitlocker Recovery Key
• Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro
• Evimetry for a Filevault'd Mac
• Decrypting an Image Using Mount Image Pro
• Mount Image Pro Decryption Summary
• Conclusion
• Course Summary