Volatility Framework plugin for extracting BitLocker FVEK (Full Volume Encryption Key)
Volatility Framework: bitlocker

This plugin finds and extracts the Full Volume Encryption Key (FVEK) from memory dumps and hibernation files. The FVEK is the key that actually encrypts the volume data, so recovering it allows rapid unlocking of volumes that were mounted (unlocked) at the time of acquisition, without the recovery password or any other key protector.

Supported memory images:

  • Windows 10 (work in progress)
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 8
  • Windows Server 2012
  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Vista

Example case - Windows 7 SP1 x64

Evidence: Raw HDD image

1) Determine partition layout and identify BitLocker volume

elceef@cerebellum:~$ fdisk -l john_win7_x64.dd
Disk john_win7_x64.dd: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x51c47769

Device                    Boot     Start       End   Sectors   Size Id Type
john_win7_x64.dd1 *         2048   1050623   1048576   512M  7 HPFS/NTFS/exFAT
john_win7_x64.dd2        1050624 316475391 315424768 150.4G  7 HPFS/NTFS/exFAT
john_win7_x64.dd3      316475392 625137663 308662272 147.2G  7 HPFS/NTFS/exFAT

The last partition, starting at sector 316475392, is BitLocker protected. The partition type (0x07) alone does not reveal this; it can be verified by looking at the volume's boot sector. A volume encrypted with BitLocker carries the OEM ID "-FVE-FS-" at offset 3 (right after the 3-byte jump instruction) instead of the "NTFS    " signature of a plain NTFS volume.

elceef@cerebellum:~$ hexdump -C -s $((512*316475392)) -n 16 john_win7_x64.dd
25ba100000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|

2) Locate and convert hibernation file

Mount the system volume (starting at sector 1050624) in read-only mode. The byte offset is the start sector multiplied by the 512-byte sector size.

elceef@cerebellum:~$ sudo mount -o loop,ro,offset=$((512*1050624)) john_win7_x64.dd /mnt/1

Convert the hibernation file hiberfil.sys into a raw memory image with Volatility's imagecopy plugin. The hibernation file is stored compressed, so it is converted first and the raw image is analyzed.

elceef@cerebellum:~$ vol -f /mnt/1/hiberfil.sys --profile Win7SP1x64 imagecopy -O hiberfil.raw

3) Use the bitlocker plugin to extract FVEK

The plugin scans the memory image for the kernel pool allocations that hold BitLocker's cryptographic context and extracts the AES keys from them: the FVEK, and for AES-CBC with the Elephant diffuser (the AES-256 case below) also the TWEAK key.

elceef@cerebellum:~$ vol -f hiberfil.raw --profile Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.5

Address : 0xfa8009958c10
Cipher  : AES-256
FVEK    : d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1
TWEAK   : 49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3

4) Decrypt and access the volume

Decrypt the volume on the fly with bdemount (libbde), passing the extracted FVEK and TWEAK key (hex, separated by a colon) with -k and the byte offset of the volume with -o.

elceef@cerebellum:~$ sudo bdemount -k d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1:49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3 -o $((512*316475392)) john_win7_x64.dd /crypt/1

Finally mount and access the filesystem.

elceef@cerebellum:~$ sudo mount -o loop,ro /crypt/1/bde1 /mnt/2
elceef@cerebellum:~$ ls /mnt/2
CONFIDENTIAL
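The four steps above as one added Python example (not part of the bitlocker plugin or libbde): it parses the MBR partition table, checks each partition's boot sector for the "-FVE-FS-" OEM ID instead of "NTFS    ", parses the plugin's Address/Cipher/FVEK[/TWEAK] output (validating key length against the reported cipher), collapses duplicate hits, and assembles the bdemount command line. The three-sector disk image and the plugin output text are constructed samples built from the values shown in this README; when the plugin reports no TWEAK line the example passes only the FVEK to -k.

```python
import re
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID at offset 3 of a BitLocker-encrypted volume's boot sector
NTFS_OEM = b"NTFS    "        # OEM ID of a plain NTFS volume
KEY_LEN = {"AES-128": 16, "AES-256": 32}   # key sizes the plugin reports, in bytes

# One Address/Cipher/FVEK record of the plugin's output, with an optional TWEAK line.
RECORD_RE = re.compile(
    r"Address\s*:\s*(0x[0-9a-fA-F]+)\s*\n"
    r"Cipher\s*:\s*(\S+)\s*\n"
    r"FVEK\s*:\s*([0-9a-fA-F]+)"
    r"(?:\s*\nTWEAK\s*:\s*([0-9a-fA-F]+))?")


def parse_mbr(image):
    """Return (start_lba, sector_count, type_id) for each used entry of the MBR partition table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR image: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        _status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype and count:
            parts.append((lba, count, ptype))
    return parts


def volume_kind(image, start_lba):
    """Classify a volume by the 8-byte OEM ID that follows the 3-byte jump in its boot sector."""
    off = start_lba * SECTOR
    oem = image[off + 3:off + 11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def find_bitlocker_volumes(image):
    """Byte offsets (what bdemount -o expects) of every BitLocker-signed partition."""
    return [lba * SECTOR for lba, _count, _ptype in parse_mbr(image)
            if volume_kind(image, lba) == "bitlocker"]


def parse_plugin_output(text):
    """Parse the plugin's records into dicts; reject keys whose length does not fit the cipher."""
    hits = []
    for addr, cipher, fvek, tweak in RECORD_RE.findall(text):
        if cipher not in KEY_LEN:
            raise ValueError("unknown cipher %s at %s" % (cipher, addr))
        want = KEY_LEN[cipher] * 2          # hex digits
        if len(fvek) != want or (tweak and len(tweak) != want):
            raise ValueError("key length does not match %s at %s" % (cipher, addr))
        hits.append({"address": int(addr, 16), "cipher": cipher,
                     "fvek": fvek.lower(), "tweak": tweak.lower() or None})
    return hits


def unique_keys(hits):
    """Collapse repeated hits (normal on Windows 8+ CNG pools) to distinct key material."""
    seen, out = set(), []
    for h in hits:
        k = (h["cipher"], h["fvek"], h["tweak"])
        if k not in seen:
            seen.add(k)
            out.append(h)
    return out


def bdemount_command(key, offset, image_path, mount_point):
    """bdemount (libbde) line: -k takes FVEK or FVEK:TWEAK in hex, -o the volume's byte offset."""
    k = key["fvek"] if key["tweak"] is None else key["fvek"] + ":" + key["tweak"]
    return "bdemount -k %s -o %d %s %s" % (k, offset, image_path, mount_point)


def build_sample_image():
    """Constructed 3-sector disk: MBR, NTFS partition at LBA 1, BitLocker partition at LBA 2."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 1, 1)   # bootable, type 7, LBA 1, 1 sector
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x07, 2, 1)   # type 7 as well: the type does not tell
    mbr[510:512] = b"\x55\xaa"
    ntfs = bytearray(SECTOR)
    ntfs[0:11] = b"\xeb\x52\x90" + NTFS_OEM
    bde = bytearray(SECTOR)
    bde[0:11] = b"\xeb\x58\x90" + BITLOCKER_OEM
    return bytes(mbr + ntfs + bde)


# Constructed sample text, built from the plugin output shown in the two walkthroughs.
SAMPLE_WIN7 = ("Address : 0xfa8009958c10\nCipher  : AES-256\n"
               "FVEK    : d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1\n"
               "TWEAK   : 49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3\n")
SAMPLE_WIN81 = "".join("Address : %s\nCipher  : AES-128\nFVEK    : 48286dcd34d3ff215d705d68c5df4f08\n\n"
                       % a for a in ("0x872db068", "0x9ef55b08", "0xa4748b08"))

if __name__ == "__main__":
    img = build_sample_image()
    for off in find_bitlocker_volumes(img):
        for key in unique_keys(parse_plugin_output(SAMPLE_WIN7)):
            print(bdemount_command(key, off, "disk.dd", "/crypt/1"))
```

Running the script prints the bdemount line for the constructed image; on a real case, feed it the first sector of the evidence image and the saved plugin output, and keep the -o value it derives rather than recomputing it by hand.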

Example case - Windows 8.1 x86

Evidence: Raw memory image

Windows 8 and newer versions use Cryptography API: Next Generation (CNG) in the kernel, which keeps key material in a number of dynamically allocated memory pools. For this reason the same key is often found at several addresses in memory; identical FVEK values reported at different addresses are copies of one key, not different keys.

elceef@cerebellum:~$ vol -f john_win81_x86.raw --profile Win81U1x86 bitlocker
Volatility Foundation Volatility Framework 2.5

Address : 0x872db068
Cipher  : AES-128
FVEK    : 48286dcd34d3ff215d705d68c5df4f08

Address : 0x9ef55b08
Cipher  : AES-128
FVEK    : 48286dcd34d3ff215d705d68c5df4f08

Address : 0xa4748b08
Cipher  : AES-128
FVEK    : 48286dcd34d3ff215d705d68c5df4f08
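The pool scanning described in step 3 of the Windows 7 case, and the repeated CNG hits shown just above, as one added Python example that is not code from the bitlocker plugin: a minimal pool-tag scanner over a constructed 32-bit memory buffer. It decodes each candidate _POOL_HEADER (PreviousSize, PoolIndex, BlockSize and PoolType packed into one 32-bit word, followed by the 4-byte tag), rejects free blocks and blocks whose size does not chain to the next header's PreviousSize, pulls the key bytes from the allocation, and then groups hits by key value. The tag b"Cngb", the key offset inside the allocation and the 32-bit layout are assumptions made for this example; the plugin's own tag selection lives in bitlocker.py.

```python
import struct
from collections import OrderedDict

ALIGN = 8            # 32-bit pool granularity; also the size of _POOL_HEADER
POOL_TAG = b"Cngb"   # assumed tag for this example, not necessarily what the plugin uses
KEY_OFFSET = 0x20    # assumed offset of the key inside the allocation body (illustration only)


def parse_pool_header(buf, off):
    """Decode a 32-bit _POOL_HEADER at off: PreviousSize:9 PoolIndex:7 BlockSize:9 PoolType:7, PoolTag."""
    word, tag = struct.unpack_from("<I4s", buf, off)
    return {"previous_size": (word & 0x1ff) * ALIGN,
            "block_size": ((word >> 16) & 0x1ff) * ALIGN,
            "pool_type": (word >> 25) & 0x7f,   # 0 marks a free block
            "tag": tag}


def scan_pool_tag(buf, tag, key_len):
    """Return (offset, key_bytes) for every plausible in-use pool block carrying `tag`."""
    hits = []
    need = ALIGN + KEY_OFFSET + key_len
    for off in range(0, len(buf) - ALIGN, ALIGN):
        if buf[off + 4:off + 8] != tag:
            continue
        hdr = parse_pool_header(buf, off)
        size = hdr["block_size"]
        if hdr["pool_type"] == 0 or size < need or off + size > len(buf):
            continue   # tag bytes without a sane header: free block or implausible size
        nxt = off + size
        if nxt + ALIGN <= len(buf) and parse_pool_header(buf, nxt)["previous_size"] != size:
            continue   # the following header must point back at this block
        key = buf[off + ALIGN + KEY_OFFSET:off + ALIGN + KEY_OFFSET + key_len]
        hits.append((off, key))
    return hits


def distinct_keys(hits):
    """Group hit offsets by key value, collapsing the repeated CNG copies to one entry each."""
    groups = OrderedDict()
    for off, key in hits:
        groups.setdefault(key.hex(), []).append(off)
    return groups


def make_block(prev_size, body, tag=POOL_TAG):
    """Build one in-use pool block (header + body padded to ALIGN) for the constructed buffer."""
    body = body + b"\x00" * (-len(body) % ALIGN)
    size = ALIGN + len(body)
    word = (prev_size // ALIGN) | ((size // ALIGN) << 16) | (1 << 25)   # PoolType 1: in use
    return struct.pack("<I4s", word, tag) + body


def build_sample_memory(key_a, key_b):
    """Constructed memory: three tagged blocks (two copies of key_a, one key_b), an unrelated block, a decoy."""
    def body(key):
        return b"\x11" * KEY_OFFSET + key + b"\x22" * 8
    blocks, prev = [], 0
    for tag, data in [(POOL_TAG, body(key_a)), (b"Toke", b"\x00" * 24),
                      (POOL_TAG, body(key_a)), (POOL_TAG, body(key_b))]:
        blk = make_block(prev, data, tag)
        blocks.append(blk)
        prev = len(blk)
    # Decoy: correct PreviousSize and the tag, but BlockSize 0 and PoolType 0 (free) -> rejected.
    decoy = struct.pack("<I4s", prev // ALIGN, POOL_TAG) + b"\x00" * 24
    return b"".join(blocks) + decoy


if __name__ == "__main__":
    mem = build_sample_memory(bytes.fromhex("48286dcd34d3ff215d705d68c5df4f08"), bytes(range(16)))
    for fvek, offsets in distinct_keys(scan_pool_tag(mem, POOL_TAG, 16)).items():
        print("FVEK %s at %s" % (fvek, ", ".join(hex(o) for o in offsets)))
```

The chain check (next header's PreviousSize equals this block's BlockSize) is what keeps a stray occurrence of the tag bytes in ordinary data from being reported as a key; the grouping at the end is the step to apply by hand to the three Windows 8.1 hits above before passing the single FVEK to bdemount.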

Contact

To send questions, comments or a chocolate, just drop an e-mail at marcin@ulikowski.pl

You can also reach me via: