**Approach summary**Capture volatile evidence first (keys in RAM), then a forensically-sound disk image while system remains powered and unlocked. Maintain chain-of-custody, take photos, note time, user, running processes, network connections. Use well-known, court-accepted tools and calculate hashes immediately.**Tools**- WinPMEM (Rekall) or Magnet RAM Capture / Belkasoft Live RAM Capturer - Volatility or Rekall for key extraction and analysis - FTK Imager (Evidence Acquirer) or RawCopy / dd for Windows for live disk imaging to E01 or raw - manage-bde, sysinternals (pslist, netstat) for live documentation - Hashing: sha256sum or CertUtil**Live acquisition sequence**1. Document & preserve: photos, labels, time, witness. Note that live acquisition is exception to bitlocked disk seizure.2. Elevate & prepare: gain local admin, enable SeDebugPrivilege if needed. Record output of:powershell
whoami /all
manage-bde -status C:
tasklist /v > C:\temp\tasklist.txt
netstat -ano > C:\temp\netstat.txt
3. Acquire memory (first priority). Run WinPMEM to AFF or raw:powershell
winpmem.exe --format raw --output \\forensic-workstation\share\case123\memory.raw
Verify SHA256:powershell
certutil -hashfile \\share\case123\memory.raw SHA256
4. Extract BitLocker keys from memory image (offline analysis). Example with Rekall/Volatility:bash
volatility -f memory.raw --plugin=bitlocker -p bitlocker
rekall -f memory.raw -r plugins/bitlocker
Also run mimikatz on live system to dump DPAPI/LSA secrets (if legal/authorized):powershell
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Document outputs and hash result files.5. Acquire disk image while unlocked (live). Use FTK Imager Evidence Acquirer -> Create Disk Image -> Physical Drive -> E01 or RAW -> set MD5/SHA1/SHA256. Or use RawCopy:powershell
rawcopy.exe \\.\PhysicalDrive0 \\share\case123\disk.dd
certutil -hashfile \\share\case123\disk.dd SHA256
**Verification & documentation**- Record and store hashes (SHA256) for memory and disk immediately; include hashes in Chain-of-Custody log.- Keep tool versions, command outputs, timestamps, operator signatures.- Verify extracted BEK / Full Volume Master Key by attempting to mount image offline with BitLocker key using libbde / Dislocker or Windows:powershell
manage-bde -unlock C: -rp <recovery_password>
or
dislocker -V /dev/sdx --recovery-password=... -f
- Corroborate key: decrypt a small file or mount image and verify filesystem contents match live observations.**Chain-of-evidence**Seal original device if required after live acquisition. Preserve copies with hashes; log all actions, witnesses. Note legal authorization for live forensics and memory/key capture.