FORENSIC TALK

https://www.forensicfocus.com/Forums/viewtopic/t=15440/highlight=encrypted+surface/

1.Boot to CAINE (or similar) and take a physical image using Guymager

2.Boot the surface and log in (assume you have credentials since you have taken an image with FTK already)

3.open command prompt (as administrator), type

manage-bde -protectors C: -get

(I am assuming C: is the encrypted OS partition, change to the relevant drive letter if not)

This should display the bitlocker recovery password - make a note of it or take a picture or both.

Use the recovery password to decrypt the physical image you took with Caine (FTK for example will simply ask you for the recovery key when you add the image in).

https://www.forensicfocus.com/Forums/viewtopic/t=17943/

If locked with a simple PIN try asking for the PIN. Otherwise you'll need the recovery key which you'll probably have to ask for too.

If you have a RAM image you could try using volatility to extract the FVEK (Full Volume Encryption Key). Use either https://github.com/elceef/bitlocker or https://github.com/tribalchicken/volatility-bitlocker

Then using either https://github.com/libyal/libbde or https://github.com/Aorimn/dislockeryou should then be able to unlock using the recovered FVEK.

Or you could try and brute force it? https://github.com/e-ago/bitcracker

If you are lucky the clearkey may be available in which case it should unlock automatically when emulated as a physical disk to windows or by using https://github.com/libyal/libbde or https://github.com/Aorimn/dislocker.  

https://codebeautify.org/base64-decode

$ sudo apt-get install git
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/
$ sudo python setup.py install
$ sudo apt-get install yara
$ sudo apt-get install python-pip
$ sudo -H pip install --upgrade pip
$ sudo -H pip install distorm3 pycrypto openpyxl Pillow

iOS12부터는 패스코드가 키체인으로 이동했기 때문에 불가능함.

iOS7-11까지는 가능.

https://1024kb.co.nz/ios-7-8-9-10-passcode-cracker/