Open an encrypted Bitlocker volume
This section explains how to find the key and open an encrypted Bitlocker volume.
Identify a partition encrypted with Bitlocker
$ fdisk -l image.dd
Disk image.dd: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x51c47769
Device Boot Start End Sectors Size Id Type
image.dd1 * 2048 1050623 1048576 512M 7 HPFS/NTFS/exFAT
image.dd2 1050624 316475391 315424768 150.4G 7 HPFS/NTFS/exFAT
image.dd3 316475392 625137663 308662272 147.2G 7 HPFS/NTFS/exFAT
We have 3 partitions. Moreover, the length of sectors is 512 bytes.
A partition encrypted with Bitlocker can be found with : hexdump -C -s $((512*[start_partition])) -n 16 image.dd
$ hexdump -C -s $((512*316475392)) -n 16 image.dd
25ba100000 eb 58 90 2d 46 56 45 2d 46 53 2d 00 02 08 00 00 |.X.-FVE-FS-.....|
This signature indicates the last partition of ìmage.dd
is a bitlocker volume.
Find the key
If you have a live memory dump, you can find a plugin to extract the bitlocker key with Volatility:
$ vol -f mem.dmp --profile Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.5
Address : 0xfa8009958c10
Cipher : AES-256
FVEK : d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1
TWEAK : 49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3
Mount a Bitlocker volume
Now, you can mount the bitlocker volume with :
$ sudo bdemount -k [FVEK]:[TWEAK] -o $((512*[start_partition]])) image.dd /tmp/
For example :
$ sudo bdemount -k d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1:49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3 -o $((512*316475392)) image.dd /tmp/
$ mount -t auto /tmp/my_volume mount/
Written on June 7, 2020