I am doing Azure administration and some cybersecurity-related functions within my job currently. Without diving into the details of it, a user quit and held onto a company-owned Windows laptop for several months. Upon getting it back, that user had either swapped the SSD or reimaged the drive to be used for other purposes. While attempting to do forensics on the drive, I was running into BitLocker being an issue. The underlying issue is that we have all the key IDs and recovery keys in Entra, but this one did not match due to the previously mentioned issue with swapping or reimaging the drive.
Is there a way to:
- bypass BitLocker (there isn't and shouldn't be, to my knowledge) to get a forensic image?
- reimage the drive, remove BitLocker, and view the previous versions in the Volume Shadow Copies? Be it directly or using ShadowExplorer or something.
- prevent users from reimaging or restoring a drive without an administrator account?
- prevent the swapping of the HDD or SSD on a laptop within Azure? Like a way to link the serial number of the drive to the serial number of the device so if a user attempts to swap the drive out, the device locks up.
I know that is a lot, but they are all interconnected. Please advise and thank you.