
To ensure that cloned or image disks remain secure and are not accessible by others, there is a requirement to have these stored on encrypted drives.

When attempting to use tools such as Macrium Reflect, Acronis, O&O Software, there doesn't appear to be an option to mount an encrypted volume.

The primary tool of choice is O&O DiskImage as it supports cloning or imaging disks that are encrypted via BitLocker.

Since disks are often cloned or imaged in locations with no network connectivity, the only option is to use encrypted external hard drives. The devices are booted using a bootable CD, as this negates the need to install the software, e.g. O&O DiskImage.

How can disks be imaged or cloned to encrypted external drives?

Motivated
  • How do you define "secure" in this context? – forest Dec 23 '18 at 03:04
  • @forest - Updated the context of securing the images. – Motivated Dec 23 '18 at 03:09
  • So integrity is not important, or are you going to store a hash of the data as well? – forest Dec 23 '18 at 03:10
  • @forest - It is. When imaging the drive, the option to verify the integrity is selected. – Motivated Dec 23 '18 at 03:12
  • I can write an answer for how to use Linux to clone a disk to an encrypted drive, but you should keep a hash of the data somewhere secure. That's the only way to keep integrity. – forest Dec 23 '18 at 03:14
  • @forest - Sure. If you can include in the answer to image/clone a disk that has been encrypted via Bitlocker to an external drive that is encrypted using Veracrypt, that would be useful. I have assumed when you refer to hash you mean a hash output of the image once it has been written to the encrypted drive. – Motivated Dec 23 '18 at 03:16
  • Oh via Bitlocker? That's something I don't know, unfortunately. My answer was essentially going to be to set up dm-crypt with a block device at `/dev/mapper/sdx_crypt`, allowing you to directly copy the data to that, instead of to the unencrypted block device at `/dev/sdx`. By hash, I mean getting the hash of the image _as_ it is being sent over, e.g. via forensic cloners like `dcfldd`. – forest Dec 23 '18 at 03:19
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/87416/discussion-between-motivated-and-forest). – Motivated Dec 23 '18 at 03:20

1 Answer

You can boot into a live Linux CD to do this. The drive encrypted with Bitlocker will be exposed as a regular block device which you can access like any other. If the destination drive is already encrypted with VeraCrypt, you will need to first open it and map it to a block device that you can mount. This can be done using a modern version of the cryptsetup utility like so:

```
cryptsetup open --type tcrypt --veracrypt /dev/sda veracrypt
mount /dev/mapper/veracrypt /mnt
```

This creates a new block device at `/dev/mapper/veracrypt` from an already encrypted VeraCrypt filesystem from `/dev/sda`, and mounts it. Assuming the Bitlocker drive you want to image is located at `/dev/sdb`, you can then directly copy it to the encrypted block device's mount point as a file:

```
pv /dev/sdb | tee /mnt/bitlocker.img | sha256sum >/mnt/bitlocker.img.sha256
```

This will create a bitwise image of the encrypted Bitlocker drive and put it in a file on your VeraCrypt filesystem, while simultaneously generating a SHA-256 hash and writing it to a text file. Make sure to save the hash it generates to a safe place, as it is needed to prove the integrity of the encrypted Bitlocker drive if it becomes necessary.

If you want to copy the Bitlocker image back to the drive, you can write it directly back:

```
pv /mnt/bitlocker.img > /dev/sdb
```

Naturally, this will overwrite the drive with the disk image.

forest
  • To clarify, what do you mean by "overwrite any existing filesystem on the VeraCrypt drive"? – Motivated Dec 23 '18 at 04:05
  • @Motivated If you have any existing data on the external VeraCrypt drive (e.g. a bunch of files), they will be destroyed. This will copy the image _directly_ to the drive, but encrypted. I suppose you could also mount `/dev/mapper/veracrypt` and then write the image as a file, if you wanted. – forest Dec 23 '18 at 04:06
  • In that case, is there an option to avoid that since the external drive stores other images? – Motivated Dec 23 '18 at 04:07
  • @Motivated Edited, is that better? – forest Dec 23 '18 at 04:08
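
The imaging pipeline in the answer records the hash from standard input, so the saved file names `-` rather than the image and `sha256sum -c` cannot check it directly. The following is an added example, not part of the answer above: a check to run before writing an image back, where the function name `verify_image` and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify an image against the hash file written while imaging.
# `... | sha256sum > file` stores "<digest>  -", so only the first field
# (the hex digest) is usable; the recorded file name is not.

verify_image() {
    # $1 = image file, $2 = hash file (defaults to "<image>.sha256")
    local img hashfile expected actual
    img="$1"
    hashfile="${2:-$1.sha256}"

    [ -r "$img" ] || { echo "cannot read image: $img" >&2; return 2; }
    [ -r "$hashfile" ] || { echo "cannot read hash file: $hashfile" >&2; return 2; }

    # First whitespace-delimited field of the first line is the digest.
    expected=""
    read -r expected _ < "$hashfile" || true

    # Reject an empty or malformed record, e.g. from an interrupted run.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed hash file: $hashfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed hash file: $hashfile" >&2; return 2; }

    # Recompute the digest of the stored image and keep only the hex part.
    actual=$(sha256sum < "$img") || return 2
    actual="${actual%% *}"

    if [ "$actual" = "$expected" ]; then
        echo "OK: $img matches the recorded SHA-256"
        return 0
    fi
    echo "MISMATCH: $img does not match the recorded SHA-256" >&2
    return 1
}

# Usage on the live CD, before restoring:
#   verify_image /mnt/bitlocker.img && pv /mnt/bitlocker.img > /dev/sdb
```

A hash file kept on the same volume as the image only detects accidental corruption; comparing against the copy saved elsewhere is what detects tampering.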