This plugin finds and extracts Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files using the following methods to locate FVEK:

• Windows 7: searching for the FVEc pool tag
• Windows 8/8.1 and 10: analysing memory after finding the Cngb pool tag (experimental)

This allows rapid unlocking of systems that had BitLocker encrypted volumes mounted at the time of acquisition. Works on Windows 7 through to Windows 10. The full article is availabe here

Update 2016-04-06: Applied a hacky fix for 32-bit windows. I've realised that I need a more robust solution to handle slight differences in Windows 8 and 32-bit Windows... That will happen soon and will include full Windows 8 support. Until then, Win8 is not currently supported ( 8.1 is though). Contact me if you need more info.

python3 -m venv ./venv
source ./venv/bin/activate
pip3 install git+https://github.com/volatilityfoundation/volatility3.git

bitlocker.py is a plugin for the Volatility Framework. You can either place the plugin in the plugins directory at volatility/plugins, or alternatively, you can place the plugin in a separate directory and point volatility to it with --plugins

For example, using a directory called "Plugins":

ls plugins
bitlocker.py
volatility --plugins=plugins/ --profile=Win81U1x64 -f WIN81X64-20160916-061911.raw bitlocker

Volatility doesn't know about the plugin. Check the location of the plugin, and run volatility --info to determine if it is detected

There could be many causes.

• The drive is not bitlocker encrypted
• The memory image does not contain the key (Image captured after key is evicted from memory, overwritten during acquisition, etc)
• The key exists but the plugin doesn't find it.

If you suspect the plugin isn't working for you then I would love to know.