Category:Digital-Forensics/Bitlocker

From aldeid

What is Bitlocker?

BitLocker is Microsoft's full volume encryption (FVE) feature, shipped with Windows since Windows Vista. It encrypts an entire volume rather than individual files; the data is only accessible once the volume has been unlocked with one of its key protectors (for example a password or a recovery password, as listed by bdeinfo below). For forensics this means the encrypted volume is useless without either a protector or the Full Volume Encryption Key (FVEK), which can sometimes be recovered from the memory of the machine while the volume was unlocked.

Identify a Bitlocker volume

Use fdisk to determine the partition layout and the start sector of the candidate partition. Here the partition starts at sector 128, i.e. a byte offset of 512*128 = 65536, which is the value passed to -s (hexdump) and -o (bdeinfo/bdemount) in the commands below:

$ /usr/sbin/fdisk -l image.dd
Disk image.dd: 75 MiB, 78643200 bytes, 153600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0a152bd9

Device     Boot Start    End Sectors Size Id Type
image.dd1         128 147583  147456  72M  7 HPFS/NTFS/exFAT

The first sector of a BitLocker volume looks like a normal boot sector (it starts with a jump instruction, eb 58 90), but the 8-byte OEM ID field at byte offset 3 holds the signature -FVE-FS- instead of a filesystem name such as NTFS:

$ hexdump -C -s $((512*128)) -n 16 image.dd
00010000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00010010
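The signature check above can be scripted so that every partition of an image is tested and the byte offset needed by bdeinfo/bdemount is printed. The following Python script is an added example, not part of the original page or of libbde: it parses the DOS (MBR) partition table that fdisk reported above, reads the first sector of each partition and looks for -FVE-FS- at offset 3. It also accepts a raw volume image (signature at offset 0) and, as an assumption taken from libbde's format documentation rather than from this page, recognises the MSWIN4.1 signature used by BitLocker To Go volumes. The sample image it builds when run without arguments is constructed to mirror the fdisk and hexdump output above.

```python
import mmap
import struct
import sys

SECTOR_SIZE = 512
# Bytes 3..10 of the volume's first sector: the "eb 58 90 -FVE-FS-" seen in the hexdump above.
FVE_SIGNATURE = b"-FVE-FS-"
# Assumption from libbde's format documentation (not shown on this page):
# BitLocker To Go (FAT-based) volumes carry "MSWIN4.1" in the same field.
BITLOCKER_TO_GO_SIGNATURE = b"MSWIN4.1"


def mbr_partitions(image):
    """Parse the four primary entries of a DOS (MBR) partition table.

    Returns (index, type_id, start_lba, sector_count) tuples; the index is
    1-based to match fdisk's numbering (image.dd1, ...). Empty entries are skipped.
    """
    if len(image) < SECTOR_SIZE or image[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        type_id = entry[4]
        start_lba, sector_count = struct.unpack_from("<II", entry, 8)
        if type_id == 0 or sector_count == 0:
            continue
        parts.append((i + 1, type_id, start_lba, sector_count))
    return parts


def bitlocker_signature(image, offset):
    """Return the BitLocker signature found at byte `offset` of the image, or None."""
    sig = image[offset + 3:offset + 11]
    if sig == FVE_SIGNATURE:
        return "FVE-FS"
    if sig == BITLOCKER_TO_GO_SIGNATURE:
        return "BitLocker To Go"
    return None


def find_bitlocker_volumes(image, sector_size=SECTOR_SIZE):
    """Locate BitLocker volumes in a disk or volume image.

    A raw volume image (no partition table) has the signature at offset 0 and
    is reported as partition 0; otherwise the first sector of every MBR
    partition is checked. Each hit carries the byte offset to pass to
    bdeinfo/bdemount -o. GPT disks are not parsed here.
    """
    kind = bitlocker_signature(image, 0)
    if kind:
        return [{"partition": 0, "offset": 0, "signature": kind}]
    hits = []
    for index, _type_id, start_lba, _count in mbr_partitions(image):
        offset = start_lba * sector_size
        kind = bitlocker_signature(image, offset)
        if kind:
            hits.append({"partition": index, "offset": offset, "signature": kind})
    return hits


def build_sample_image(start_lba=128):
    """Constructed sample: an MBR with one type-0x07 partition starting at LBA 128
    whose first sector is the BitLocker boot sector from the hexdump above.
    Only the sectors the check needs are materialised (not the full 72 MiB)."""
    mbr = bytearray(SECTOR_SIZE)
    # entry layout: status, CHS start (3), type, CHS end (3), start LBA, sector count
    struct.pack_into("<B3sB3sII", mbr, 446, 0x00, b"\0\0\0", 0x07, b"\0\0\0", start_lba, 147456)
    mbr[510:512] = b"\x55\xaa"
    volume = bytearray(SECTOR_SIZE)
    volume[0:16] = bytes.fromhex("eb58902d4656452d46532d0002080000")
    volume[510:512] = b"\x55\xaa"
    image = bytearray(start_lba * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = mbr
    return bytes(image) + bytes(volume)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real image: map it instead of reading it all into memory.
        with open(sys.argv[1], "rb") as f:
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            hits = find_bitlocker_volumes(data)
    else:
        hits = find_bitlocker_volumes(build_sample_image())
    for hit in hits:
        print("partition %d: %s at byte offset %d (use -o %d with bdeinfo/bdemount)"
              % (hit["partition"], hit["signature"], hit["offset"], hit["offset"]))
```

Run it as `python3 find_bde.py image.dd`; on the sample it reports partition 1 at byte offset 65536, the value used in the hexdump and bdeinfo commands. Images with a GPT label or a non-512-byte sector size (check fdisk's "Sector size" line) need the partition offsets taken from fdisk instead.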

bdeinfo (from libbde) reads the volume's FVE metadata and lists the encryption method, volume identifier, creation time and the key protectors available. Without a user password (-p), recovery password (-r) or key (-k) it cannot unlock the volume, which is what its last line reports:

$ bdeinfo -o $((512*128)) image.dd 
bdeinfo 20190102

BitLocker Drive Encryption information:
	Encryption method		: AES-CBC 128-bit with Diffuser
	Volume identifier		: 79925644-bf5d-4511-84e8-3616a1eade58
	Creation time			: Jun 27, 2016 18:37:03.015429000 UTC
	Description			: PCTEST challs 27/06/2016
	Number of key protectors	: 2

Key protector 0:
	Identifier			: 422fd812-9592-4a24-a459-ae480bbc541a
	Type				: Password

Key protector 1:
	Identifier			: a03c7675-afcd-4981-8216-f2033e5938cb
	Type				: Recovery password

Unable to unlock volume.

Find keys in memory

If you also have a memory dump taken while the volume was unlocked, the bitlocker plugin for Volatility 2 (by tribalchicken) can recover the keys that the kernel keeps in memory: the Full Volume Encryption Key (FVEK) and, for AES-CBC with Elephant diffuser as used on this volume, the TWEAK key. The plugin is installed into the Volatility plugins directory and selected like any other plugin; the profile must match the dumped system:

$ wget https://raw.githubusercontent.com/tribalchicken/volatility-bitlocker/master/bitlocker.py -O /opt/volatility/plugins/bitlocker.py
$ volatility -f memory.dmp --profile=Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.6
Address            Cipher                           FVEK                                                             TWEAK Key                                                       
------------------ -------------------------------- ---------------------------------------------------------------- ----------------------------------------------------------------
0x0000fa80018be720 AES 128-bit with Diffuser        e7e57****************e711c778da2                                 b72f4e075edb****************9652

Mount an image

With the FVEK and TWEAK key recovered above, bdemount (libbde-utils on Debian/Ubuntu) exposes the decrypted volume as a raw device file under the mount point. -k takes the FVEK and TWEAK key in hexadecimal, separated by a colon, and -o the byte offset of the partition; the same -k also works with bdeinfo. Without a memory dump, -p (user password) or -r (recovery password) would be used instead:

$ sudo apt install libbde-utils
$ sudo mkdir /mnt/bde/
$ sudo mkdir /mnt/disk/
$ sudo bdemount -k e7e57****************e711c778da2:b72f4e075edb****************9652 -o $((512*128)) image.dd /mnt/bde

bdemount exposes the decrypted volume as /mnt/bde/bde1. Mount it read-only through a loop device so the evidence is not modified, then access the filesystem (when done, unmount in reverse order: the filesystem first, then the bdemount FUSE mount):

$ sudo mount -o loop,ro /mnt/bde/bde1 /mnt/disk
