Brand new to Autopsy (and forensics in general). Any help retrieving lost files is greatly appreciated, as are observations about the process followed if I’ve missed something obvious.
TL;DR:
- Staff member wiped a VIP’s laptop without backing up files first
- Drive is encrypted with BitLocker but I’ve got the recovery password
- We don’t zero the drive during the process (as best I’m aware), so I believe there’s a chance to salvage something from it
- Stopped all use of machine & used FTK Imager to create a Raw (dd) image
- Loaded it into Autopsy, ingesting all modules available
- It indicated the presence of an encrypted volume, and appeared to complete within 30 seconds, but it’s now hanging at “75% - Analysing Files” 3 hours later. Screenshot attached.
- The machine has not yet been re-encrypted with BitLocker, so this implies that it has managed to find something prior to wipe that might be salvageable?
Is this delay expected and I just need to be patient?
Because I have the BL key, is there a way for me to use it to decrypt the drive and potentially recover the files?
If not, is there an alternate method or tool out there that might help with this set of circumstances?