New Blog: Making an NTFS Volume Mountable by Tinkering with the VBR

Show left menu  
Hide left menu  
Hard drive
Our new blog shows how we were able to change an unmountable volume to a mountable one by taking a closer look at the Volume Boot Record (VBR).

In one of our recent projects we had to do disk forensics of 10 disks, each of which had a BitLocker encrypted C volume. We were working with E01s, but no real problem, the organisation's IT department provided us with recovery keys, so we mounted the E01s via Arsenal Image Mounter (AIM), unlocked the BitLocker volume and then used X-Ways Forensics (XWF) to image the un-BitLocker-ed logical volume. We could then load the images into XWF and off we go.

Unexpectedly, upon trying to mount the un-BitLocker-ed volume, Windows appeared to be unable to interpret its file system, hence showing it as RAW.

But why is the volume shown as RAW? We know it’s NTFS!
Our forensics software happily parses the MFT and shows us the correct file system.

So why  wouldn’t Windows mount the volume? Read the full blog here.

Back to Top