Category:Encryption/Bitlocker
What is BitLocker?
BitLocker is a full volume encryption (FVE) feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes.
Identify a BitLocker volume
Use fdisk to determine the partition layout:
$ /usr/sbin/fdisk -l image.dd
Disk image.dd: 75 MiB, 78643200 bytes, 153600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0a152bd9
Device Boot Start End Sectors Size Id Type
image.dd1 128 147583 147456 72M 7 HPFS/NTFS/exFAT
A BitLocker-encrypted volume carries the OEM ID string -FVE-FS- at byte offset 3 of its first sector (where an unencrypted NTFS volume has "NTFS    "). Check the first sector of the partition, here sector 128 from the fdisk output:
$ hexdump -C -s $((512*128)) -n 16 image.dd
00010000 eb 58 90 2d 46 56 45 2d 46 53 2d 00 02 08 00 00 |.X.-FVE-FS-.....|
00010010
Here is the output with bdeinfo:
$ bdeinfo -o $((512*128)) image.dd
bdeinfo 20190102

BitLocker Drive Encryption information:
    Encryption method        : AES-CBC 128-bit with Diffuser
    Volume identifier        : 79925644-bf5d-4511-84e8-3616a1eade58
    Creation time            : Jun 27, 2016 18:37:03.015429000 UTC
    Description              : PCTEST challs 27/06/2016
    Number of key protectors : 2

Key protector 0:
    Identifier               : 422fd812-9592-4a24-a459-ae480bbc541a
    Type                     : Password

Key protector 1:
    Identifier               : a03c7675-afcd-4981-8216-f2033e5938cb
    Type                     : Recovery password

Unable to unlock volume.
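The fdisk and hexdump steps above can be automated. The following script is an added example, not code from the wiki page or from libbde: it parses the DOS (MBR) partition table of a raw image, multiplies each partition's start LBA by the 512-byte sector size, and reports every partition whose first sector carries the -FVE-FS- OEM ID at offset 3. It generalizes the single-partition check above to all four MBR entries. The sample image it builds is constructed for the example; its partition at sector 128 mirrors the fdisk output above, and the function and file names are the example's own.

```python
import struct
import sys

SECTOR_SIZE = 512
BITLOCKER_OEM_ID = b"-FVE-FS-"  # OEM ID at byte offset 3 of a BitLocker volume's first sector
NTFS_OEM_ID = b"NTFS    "       # what the same field holds on an unencrypted NTFS volume


def mbr_partitions(mbr):
    """Yield (index, type_id, start_lba, sector_count) for every used entry in a DOS MBR."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a DOS MBR: 0x55AA boot signature missing")
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]   # four 16-byte entries at offset 446
        type_id = entry[4]
        start_lba, count = struct.unpack("<II", entry[8:16])
        if type_id != 0 and count != 0:
            yield i + 1, type_id, start_lba, count


def volume_oem_id(image, byte_offset):
    """Return the 8-byte OEM ID field of the sector at byte_offset (bytes 3..10 of the sector)."""
    return bytes(image[byte_offset + 3:byte_offset + 11])


def find_bitlocker_volumes(image):
    """Return [(partition_index, byte_offset), ...] for partitions whose first sector carries -FVE-FS-.

    byte_offset is the value to pass to bdeinfo/bdemount -o.
    """
    hits = []
    for idx, _type_id, start_lba, _count in mbr_partitions(image[:SECTOR_SIZE]):
        offset = start_lba * SECTOR_SIZE
        if offset + 11 <= len(image) and volume_oem_id(image, offset) == BITLOCKER_OEM_ID:
            hits.append((idx, offset))
    return hits


def build_sample_image():
    """Constructed 100 KiB image (not a real disk): partition 1 starts at sector 128, like the
    page's fdisk output, and carries a BitLocker header; partition 2 starts at sector 160 and
    carries a plain NTFS header, so the scanner has something to reject."""
    image = bytearray(SECTOR_SIZE * 200)
    for slot, (start, count) in enumerate([(128, 32), (160, 32)]):
        base = 446 + 16 * slot
        image[base + 4] = 0x07                                   # type 7: HPFS/NTFS/exFAT
        image[base + 8:base + 16] = struct.pack("<II", start, count)
    image[510:512] = b"\x55\xaa"                                 # MBR boot signature
    image[128 * SECTOR_SIZE:128 * SECTOR_SIZE + 11] = b"\xeb\x58\x90" + BITLOCKER_OEM_ID
    image[160 * SECTOR_SIZE:160 * SECTOR_SIZE + 11] = b"\xeb\x52\x90" + NTFS_OEM_ID
    return bytes(image)


if __name__ == "__main__":
    # Usage: python3 find_bde.py image.dd   (no argument: scan the constructed sample image)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_image()
    for idx, offset in find_bitlocker_volumes(data):
        print(f"partition {idx}: BitLocker volume at byte offset {offset} (sector {offset // SECTOR_SIZE})")
```

On the constructed image the scanner reports partition 1 at byte offset 65536, the same 0x10000 that hexdump showed above. The script reads the whole image into memory, which is fine for small evidence files; for multi-gigabyte images, map the file with mmap instead of read(). GPT-partitioned disks need a GPT parser in place of mbr_partitions; the OEM ID check itself is unchanged.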
Find keys in memory
If you have a memory dump, the bitlocker plugin for Volatility can recover the Full Volume Encryption Key (FVEK) and, for the Diffuser cipher modes, the TWEAK key from memory:
$ wget https://raw.githubusercontent.com/tribalchicken/volatility-bitlocker/master/bitlocker.py -O /opt/volatility/plugins/bitlocker.py
$ volatility -f memory.dmp --profile=Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.6
Address            Cipher                           FVEK                                                             TWEAK Key
------------------ -------------------------------- ---------------------------------------------------------------- ----------------------------------------------------------------
0x0000fa80018be720 AES 128-bit with Diffuser        e7e57****************e711c778da2                                 b72f4e075edb****************9652
Mount an image
You can unlock the BitLocker partition with bdemount, available in the libbde-utils package. The -k option takes the FVEK and the TWEAK key as hexadecimal strings separated by a colon, and -o takes the same byte offset used with bdeinfo; bdemount then exposes the decrypted volume as a raw device file (bde1) under the mount point:
$ sudo apt install libbde-utils
$ sudo mkdir /mnt/bde/
$ sudo mkdir /mnt/disk/
$ sudo bdemount -k e7e57****************e711c778da2:b72f4e075edb****************9652 -o $((512*128)) image.dd /mnt/bde
Finally, mount the decrypted volume read-only and access the filesystem:
$ sudo mount -o loop,ro /mnt/bde/bde1 /mnt/disk