I am new to disk forensics, so I appreciate your patience! I am trying to operationalize the process of creating a raw (DD) image of a BitLocker-encrypted disk (using TPM) and putting it into Autopsy on a Linux-based machine. I have tried to use dislocker and was able to successfully unlock and mount the BitLocker-encrypted partition, but it shows as a “loop” device. I found out how to run Autopsy as root in Linux so that it can scan local drives, but it doesn’t list the logical loop drives, only the physical drives (sda, sdb, etc.). Has anyone had luck with BitLocker-encrypted drives in Linux? This is painfully simple in Windows (mount the DD image with FTK Imager, put in the BitLocker recovery key to unlock, right-click Autopsy and run as admin, add the drive and go), but I’d prefer to use Linux-based forensic-focused OS flavors such as CSI Linux, etc. Any experienced wisdom is much appreciated!
Instead of loading it as a physical disk, what happens if you load the /dev/loop* as a “Disk Image”?
Sorry, I am not sure exactly what you mean. Again, a bit inexperienced on the Linux/forensics side of things. The mounting process automatically mounts the raw image file as a loop device (assuming I’m using the right terminology here). That is my issue in that Autopsy doesn’t recognize those. I’m not sure of another way to mount it.