libyal / libbde
Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
License: GNU Lesser General Public License v3.0
The name libyal was initially a pun on the naming theme of the various library projects. Now it serves the purpose of providing an overview of the available projects in a single location and as a home for scripts to help maintain the projects. For more information see:
* Project documentation: https://github.com/libyal/libyal/wiki/Home
* Overview of available projects: https://github.com/libyal/libyal/wiki/Overview
Add offset for volume tests. When volume is set use file IO handle open
Hello,
It seems that the current version of synclibs.sh is missing the two libs libcsystem and libcstring in the LOCAL_LIBS parameter. That causes autogen.sh and configure to fail.
By the way: I can confirm that libbde supports BDE partitions made with Windows 8.1 too.
Hi,
Excuse me, I have a question:
When running the program, it prints “unable to read from file IO handle”. By debugging the code I found that the version of the FVE metadata entry is 3. Is this version not supported?
thanks.
Hi,
I am using the libbde DLL (version 20190701) to decrypt a 1.8 TB BitLocker partition (1984698515456 bytes).
When the libbde_volume_read_buffer method arrives at offset 1099511627776 (0x10000000000), the following error occurs:
--------------------------------------------------------------------------------------------
error_backtrace:
libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x10000000000.
libbde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 1099511627776.
libbde_volume_read_buffer: unable to read buffer.
debug:
libfdata_vector_get_element_value_by_index: cache: 0x4569dc98 hit
libfdata_vector_get_element_index_at_offset: requested offset: 0x10000000000
libfdata_vector_get_element_index_at_offset: segment: 000 mapped range: 0x00000000 - 0x1ce19400000 (size: 1984698515456)
libfdata_vector_get_element_index_at_offset: segment: 000 file index: 000 offset: 0x00000000 - 0x1ce19400000 (size: 1984698515456)
-------------------------------------------------------------------------------------------
The 'element index' has the value 0x80000000.
Is there a limitation on reading bytes at addresses above 1099511627776? Is there any alternative configuration?
Thanks!
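Added example (editor's, not code from the issue above or from libbde): the debug output shows the element index reaching 0x80000000, which is 2**31, at a byte offset that is exactly 2**31 sectors of 512 bytes. The hypothesis encoded below, that the libfdata element index is a signed 32-bit value and that the index is offset // sector_size, is an assumption; the page only shows the numbers. The helpers reproduce the boundary and show where it moves for other sector sizes.

```python
# Added example: reproduce the 1 TiB read boundary reported in the issue above.
# ASSUMPTION (not stated on the page): the vector element index is a signed
# 32-bit value, so the first index that does not fit is 2**31 == 0x80000000,
# and the element index of a sector-based vector is offset // sector_size.

INT32_MAX = 2**31 - 1


def element_index(offset, sector_size=512):
    """Element (sector) index a sector-based vector computes for a byte offset."""
    if offset < 0 or sector_size <= 0:
        raise ValueError("offset must be >= 0 and sector_size > 0")
    return offset // sector_size


def index_fits(offset, sector_size=512, max_index=INT32_MAX):
    """True if the element index for this offset fits the assumed index type."""
    return element_index(offset, sector_size) <= max_index


def first_unreadable_offset(sector_size=512, max_index=INT32_MAX):
    """Lowest byte offset whose element index exceeds max_index."""
    return (max_index + 1) * sector_size


def readable_fraction(volume_size, sector_size=512, max_index=INT32_MAX):
    """Fraction (0.0 .. 1.0) of a volume that is reachable before the limit is hit."""
    if volume_size <= 0:
        raise ValueError("volume_size must be > 0")
    limit = first_unreadable_offset(sector_size, max_index)
    return min(volume_size, limit) / volume_size


if __name__ == "__main__":
    reported_offset = 0x10000000000      # offset from the error backtrace above
    volume_size = 1984698515456          # volume size from the debug output above
    print("element index at reported offset:", hex(element_index(reported_offset)))
    print("index fits a signed 32-bit value:", index_fits(reported_offset))
    print("boundary matches reported offset:", first_unreadable_offset() == reported_offset)
    print("reachable part of this volume: %.1f%%" % (100 * readable_fraction(volume_size)))
    print("boundary with 4 KiB sectors:", hex(first_unreadable_offset(4096)))
```

With 512-byte sectors the boundary is exactly 1 TiB, which is the offset in the backtrace; with 4 KiB sectors the same index limit would sit at 8 TiB. If the hypothesis holds, the fix is in the library's index type, not in any configuration of the caller.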
libbde_io_handle.c:685:4: warning: implicit declaration of function 'libbde_debug_print_guid_value' [-Wimplicit-function-declaration]
if( libbde_debug_print_guid_value(
Hello, I am having difficulty using bdemount, and I am new to Unix-like systems, so if this is due to inability on my part I apologize. If you can help me to gain access to BitLocker it would be greatly appreciated; this is what I get from:
root@home:/usr/home/bitlocker # sudo dd if=/dev/da0s1 bs=4096 count=1 | hexdump -Cv
1+0 records in
1+0 records out
4096 bytes transferred in 0.001828 secs (2241307 bytes/sec)
00000000 eb 58 90 2d 46 56 45 2d 46 53 2d 00 02 08 00 00 |.X.-FVE-FS-.....|
00000010 00 00 00 00 00 f8 00 00 3f 00 ff 00 00 08 00 00 |........?.......|
00000020 00 00 00 00 e0 1f 00 00 00 00 00 00 00 00 00 00 |................|
00000030 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 80 00 29 00 00 00 00 4e 4f 20 4e 41 4d 45 20 20 |..)....NO NAME |
00000050 20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 | FAT32 3.....|
00000060 7b 8e c1 8e d9 bd 00 7c a0 fb 7d b4 7d 8b f0 ac |{......|..}.}...|
00000070 98 40 74 0c 48 74 0e b4 0e bb 07 00 cd 10 eb ef |[email protected]..........|
00000080 a0 fd 7d eb e6 cd 16 cd 19 00 00 00 00 00 00 00 |..}.............|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 3b d6 67 49 29 2e d8 4a 83 99 f6 a3 39 e3 d0 01 |;.gI)..J....9...|
000000b0 00 00 2c c0 00 00 00 00 00 00 2d c0 00 00 00 00 |..,.......-.....|
000000c0 00 00 2e c0 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 0d 0a 52 65 6d 6f 76 65 20 64 69 73 6b 73 20 6f |..Remove disks o|
00000110 72 20 6f 74 68 65 72 20 6d 65 64 69 61 2e ff 0d |r other media...|
00000120 0a 44 69 73 6b 20 65 72 72 6f 72 ff 0d 0a 50 72 |.Disk error...Pr|
00000130 65 73 73 20 61 6e 79 20 6b 65 79 20 74 6f 20 72 |ess any key to r|
00000140 65 73 74 61 72 74 0d 0a 00 00 00 00 00 00 00 00 |estart..........|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000190 00 00 00 00 00 00 00 00 78 78 78 78 78 78 78 78 |........xxxxxxxx|
000001a0 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 |xxxxxxxxxxxxxxxx|
000001b0 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 |xxxxxxxxxxxxxxxx|
000001c0 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 |xxxxxxxxxxxxxxxx|
000001d0 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 |xxxxxxxxxxxxxxxx|
000001e0 78 78 78 78 78 78 78 78 ff ff ff ff ff ff ff ff |xxxxxxxx........|
000001f0 ff ff ff ff ff ff ff ff ff ff ff 00 1f 2c 55 aa |.............,U.|
00000200 f1 3d c8 34 a3 18 d1 77 d9 84 31 ca c4 89 1c 33 |.=.4...w..1....3|
00000210 82 09 cf ec 37 d5 49 f7 ee 18 58 ea 4c 73 0d d4 |....7.I...X.Ls..|
00000220 ea 2c 8c 08 54 a7 41 e9 99 68 2a df 40 73 3c e8 |.,..T.A..h*.@s<.|
00000230 8a b9 c6 21 5a ef 45 76 5c 77 06 11 2b e7 8f 9e |...!Z.Ev\w..+...|
00000240 c8 55 e3 82 54 7d e4 6e 36 6a 79 f0 95 eb 35 5c |.U..T}.n6jy...5\|
00000250 80 ab ba a1 3a c4 37 23 0d 8c c6 e3 bd b2 d8 24 |....:.7#.......$|
00000260 1a 35 51 8a 89 b1 a1 6a d4 c9 69 d4 4c 2b ef 28 |.5Q....j..i.L+.(|
00000270 f3 7e 91 3a 93 4f 16 71 22 95 b7 70 0a 99 37 74 |.~.:.O.q"..p..7t|
00000280 13 d7 68 ea 0b 31 8e e0 0f 7a 1f 6c ea f0 1f 95 |..h..1...z.l....|
00000290 1f d5 c9 83 51 d8 c5 f5 72 4b 22 89 2c 3d 63 d5 |....Q...rK".,=c.|
000002a0 b8 7e 41 a1 c4 40 e1 76 bf f0 20 b2 19 ed f0 2b |[email protected].. ....+|
000002b0 f9 5d 18 b2 9d 91 9f af 87 b8 66 7d 50 82 1d a6 |.]........f}P...|
000002c0 d8 2f d2 47 72 44 4c 9a 56 d6 12 46 e0 1a db 6e |./.GrDL.V..F...n|
000002d0 98 0f 72 17 d9 63 81 33 40 05 f4 4b 30 14 c1 1f |[email protected]...|
000002e0 75 0c 85 df 9c 99 74 8a 5f 46 60 b4 2e 43 8a 3e |u.....t._F`..C.>|
000002f0 3a 49 e6 c5 73 95 86 99 a4 bd f2 7e 91 f0 c0 45 |:I..s......~...E|
00000300 60 1e 38 98 07 fd 31 b8 89 b9 c2 4f 23 55 ff 2f |`.8...1....O#U./|
00000310 fe a9 67 5f 2d b4 2a 7c 05 75 99 62 b6 8b e7 61 |..g_-.*|.u.b...a|
00000320 23 d3 de 66 b8 b4 33 7e b6 2c 7b 4b de 66 0c 11 |#..f..3~.,{K.f..|
00000330 a1 91 0f 5d 0b 45 11 c5 0c 86 23 2e b5 a9 2f fa |...].E....#.../.|
00000340 7a 27 aa c9 4e b6 08 dc e8 65 0a f8 01 82 c9 8c |z'..N....e......|
00000350 9b 66 0c dc a0 80 60 8b f1 67 56 35 86 ef 1b a1 |.f....`..gV5....|
00000360 a0 42 bf 13 6f 04 7e 74 ec 89 42 25 cf 06 95 9b |.B..o.~t..B%....|
00000370 93 65 16 b1 b5 e9 87 db f0 70 a1 0c b7 a4 7a 56 |.e.......p....zV|
00000380 20 cd 7f 62 a4 3f c9 a4 f6 89 80 40 97 fc 2b 41 | ..b.?.....@..+A|
00000390 89 f4 e9 26 06 ca fa f1 1a b6 1b a6 01 22 04 37 |...&.........".7|
000003a0 0a e7 43 77 f0 22 7c f2 0a 4d dd 78 99 36 6f a6 |..Cw."|..M.x.6o.|
000003b0 98 18 94 0f 86 4d dd f9 b7 e5 1c e9 9c 23 e5 26 |.....M.......#.&|
000003c0 3e 1c bb 56 bc 97 fd 0e fe e4 6b fe cf 1b 18 fe |>..V......k.....|
000003d0 16 92 aa 72 11 81 ba f9 5e fb ab a8 f8 64 bb 01 |...r....^....d..|
000003e0 78 d3 e4 5f 97 c1 84 75 a3 3f fc ae 91 40 2e 8b |x.._...u.?...@..|
000003f0 a0 9f ad 7f 00 73 28 8b 3b 04 0f e5 65 ce 68 de |.....s(.;...e.h.|
00000400 91 ab c9 30 2c 59 f9 78 ca 56 8b 04 c1 54 0f e6 |...0,Y.x.V...T..|
00000410 26 91 6a 64 8e 05 67 43 b8 d8 cc 39 3e 5d 94 e2 |&.jd..gC...9>]..|
00000420 c4 f5 95 03 13 72 8c 7d 24 03 c4 06 8b 6c 11 5f |.....r.}$....l._|
00000430 b7 c2 a6 d0 c2 ce 7a 69 f0 2a f8 4c 7c 70 6a ec |......zi.*.L|pj.|
00000440 3f 8c 8d 17 7c cd 53 78 2b 3b da 9a 4b c2 f6 2c |?...|.Sx+;..K..,|
00000450 04 c6 de 59 83 43 cc 79 2a ed 38 ac 4e 72 14 c6 |...Y.C.y*.8.Nr..|
00000460 cf c3 7b 69 b2 bb a8 88 db a3 75 cd ee 66 d0 a9 |..{i......u..f..|
00000470 db 65 6f c7 be 3e 25 1d 87 80 94 50 16 c0 77 86 |.eo..>%....P..w.|
00000480 b5 6d ec 99 d3 e7 a7 25 68 d9 92 ba f4 c9 7c de |.m.....%h.....|.|
00000490 a0 b3 21 16 bd f7 60 1a 6d 8f 55 da 87 62 cd 43 |..!...`.m.U..b.C|
000004a0 a2 f8 3d 6b 0f 69 cd 80 ee 7c 6e e2 c1 1b fe fe |..=k.i...|n.....|
000004b0 37 57 ab b0 62 d7 83 a8 f6 b3 5a 55 73 a7 24 a6 |7W..b.....ZUs.$.|
000004c0 d3 9d 3d 44 a0 4d 46 59 96 0f d8 c9 5b 26 c1 a9 |..=D.MFY....[&..|
000004d0 16 24 0c 51 56 b3 c3 bd 9e e7 bc 83 9c 63 09 b0 |.$.QV........c..|
000004e0 13 8c f9 e9 0f f7 81 f0 5f 2b be 6f e5 9d 15 fb |........_+.o....|
000004f0 fc 3a a1 ea d5 c2 93 83 68 a0 ba 3c b1 1c 80 bc |.:......h..<....|
00000500 7c d8 78 b6 4b 35 68 ba 32 ac 5b 8e 6e 35 c8 05 ||.x.K5h.2.[.n5..|
00000510 d9 48 a0 bd f9 fb e6 3a 46 7a d9 67 b9 0e 85 83 |.H.....:Fz.g....|
00000520 1a 6d ce fb 7e 46 a4 33 a1 0a ed bb 78 70 0b 76 |.m..~F.3....xp.v|
00000530 16 d6 48 31 8e 2a f4 d9 f7 f7 50 12 e0 29 20 a0 |..H1.*....P..) .|
00000540 71 46 87 37 d4 a5 3c c4 82 d4 48 58 e3 17 88 71 |qF.7..<...HX...q|
00000550 e3 f5 cd 1c 11 99 96 3f 7e f0 cf bc 63 28 44 a4 |.......?~...c(D.|
00000560 ca 8e 06 dd 28 47 95 20 84 65 e8 f4 2d 39 2b 9e |....(G. .e..-9+.|
00000570 44 5f 94 dc db ee 50 b6 82 08 43 79 ab 7c 02 6c |D_....P...Cy.|.l|
00000580 7a ee b7 e2 75 83 bc d4 e3 85 81 a6 9a 83 52 e9 |z...u.........R.|
00000590 81 00 60 ad ee 9c 92 f0 f4 12 fd ba 97 89 74 73 |..`...........ts|
000005a0 f7 d1 74 6c c3 ab 86 2c a7 61 7d bb aa 97 78 aa |..tl...,.a}...x.|
000005b0 ad 6d 7a c3 d2 c0 6b ff 7a d2 b0 d0 03 c9 83 e5 |.mz...k.z.......|
000005c0 25 92 0b e0 b6 39 6c e4 79 94 ef 0f b7 2a e3 d7 |%....9l.y....*..|
000005d0 63 f1 c7 6b f1 b2 1e 0e 33 6d ea 57 43 3b e7 ee |c..k....3m.WC;..|
000005e0 3b 24 13 70 91 17 5d 0b 0c 75 bc 41 bb 78 b8 04 |;$.p..]..u.A.x..|
000005f0 69 6d d8 0d 52 ec 3f 34 76 fc 12 c5 72 7f e5 75 |im..R.?4v...r..u|
00000600 f5 a0 e1 d3 68 08 e3 b5 54 85 aa 42 bf da 4d cd |....h...T..B..M.|
00000610 ce d6 af ed 97 22 ef 51 4a 13 d1 4b 61 e1 89 34 |.....".QJ..Ka..4|
00000620 5f 52 6c ea 3a 32 59 66 ff 76 1d 9f ea 37 96 7d |_Rl.:2Yf.v...7.}|
00000630 c8 38 7f 54 29 1f 43 b9 7d 2d 3d d5 69 eb 69 17 |.8.T).C.}-=.i.i.|
00000640 a4 2d 27 63 40 9a d4 93 e9 07 5d 6d 6e bf 40 58 |.-'c@.....]mn.@X|
00000650 8f fd 88 c2 90 ef 67 6f c7 d5 78 e8 46 55 97 bf |......go..x.FU..|
00000660 52 67 83 78 4d e6 8a 2c 6d d3 ca 24 63 7e b0 60 |Rg.xM..,m..$c~.`|
00000670 63 b3 52 87 8c 79 9b 4e 83 2a 1c 73 07 75 72 26 |c.R..y.N.*.s.ur&|
00000680 0c 70 44 f5 c4 3e 82 aa f0 03 8b e8 db b2 31 2e |.pD..>........1.|
00000690 de 39 e9 0a 30 98 16 2a e2 16 bd 78 51 c9 eb 32 |.9..0..*...xQ..2|
000006a0 1b c2 9a 6f 8c 4f 45 4e f2 ca f4 ec b7 0c 87 49 |...o.OEN.......I|
000006b0 4b 38 3f ac c4 ca 0d 7c 81 7f 8a 01 9f da a6 78 |K8?....|.......x|
000006c0 35 eb 06 7b 4f f3 e9 06 08 4b d4 d7 96 b7 19 ac |5..{O....K......|
000006d0 bd e2 84 eb 1a 11 84 e9 3a 7a 46 1b 80 c5 72 ad |........:zF...r.|
000006e0 96 d6 b3 91 e6 ca c1 49 07 da ca 36 61 3f 8c e1 |.......I...6a?..|
000006f0 c9 7e d4 fb 7c c2 31 50 11 4f 3d cf 1f 1a 34 b1 |.~..|.1P.O=...4.|
00000700 c0 ec 09 40 fd 7d 5c df 20 4d 72 19 08 9f fe bf |...@.}\. Mr.....|
00000710 95 ff 7c e9 92 2e 53 d9 14 c4 de 61 13 4c a4 f6 |..|...S....a.L..|
00000720 aa e1 29 90 3e 96 6d 72 99 b5 3a 79 00 4f 13 33 |..).>.mr..:y.O.3|
00000730 dd ab ea 12 2c f7 3d 96 cb 7a c7 1c f3 2c 15 5d |....,.=..z...,.]|
00000740 7d da 43 70 2f 2c d2 a5 6f e8 03 62 ac 31 fa 72 |}.Cp/,..o..b.1.r|
00000750 b6 e9 ca e9 ae d0 06 26 02 15 47 52 b9 3d 88 4a |.......&..GR.=.J|
00000760 e7 3b 73 40 97 d8 fe 91 2f f5 0e 0e 96 9b b7 c1 |.;s@..../.......|
00000770 16 5a b8 57 c8 ad 3b 8b 58 7b 1a 35 ce 4f 2a 7d |.Z.W..;.X{.5.O*}|
00000780 ac 63 6f 74 c0 34 00 18 8e cd 22 92 b7 e6 0d d8 |.cot.4....".....|
00000790 bb c0 bc 12 e2 93 ef 7a ef bf b3 4d db 1f b6 2a |.......z...M...*|
000007a0 22 8c a7 57 5b fa 5e 02 5a 80 40 6c 4f fb 31 59 |"..W[.^[email protected]|
000007b0 62 4a 96 4c 5b 52 a9 f3 e4 05 9f 1e 8b aa 2d e0 |bJ.L[R........-.|
000007c0 5a 19 25 c0 91 45 ec 3a bc 0d 24 cd a2 b3 66 1b |Z.%..E.:..$...f.|
000007d0 ff b8 81 e5 7b 82 f5 0a 91 45 47 02 3b aa 39 84 |....{....EG.;.9.|
000007e0 c3 82 50 14 00 59 e1 1c e1 d4 90 9a 0f 45 d5 22 |..P..Y.......E."|
000007f0 42 1b da b8 c3 68 43 48 12 e8 55 02 90 8a 9d 08 |B....hCH..U.....|
00000800 31 05 67 3d d8 83 d2 67 ff 8e da 3d 1b 51 7e 18 |1.g=...g...=.Q~.|
00000810 7f 51 60 22 65 5a 0c 50 75 c2 8c 18 16 64 12 b1 |.Q`"eZ.Pu....d..|
00000820 37 32 70 77 a5 46 df 17 ba 2d 80 80 a5 b1 1a da |72pw.F...-......|
00000830 db 08 25 6f d8 20 82 b1 9e f7 a6 84 6e c0 2e c1 |..%o. ......n...|
00000840 53 ae 58 74 e1 e8 f9 74 54 41 7d 76 da da dc 59 |S.Xt...tTA}v...Y|
00000850 f8 e8 2c 73 4a 36 aa 27 39 54 88 4e db 03 2b 3e |..,sJ6.'9T.N..+>|
00000860 76 a3 ff 21 25 8c 6b 17 23 df 71 cf 92 d7 a9 b8 |v..!%.k.#.q.....|
00000870 9f 60 a3 9f 25 67 7d 33 26 68 cf e8 34 ea 1a 02 |.`..%g}3&h..4...|
00000880 70 17 49 35 84 a3 1a f9 15 3c 59 38 6f 75 2f 31 |p.I5.....<Y8ou/1|
00000890 e5 50 2a 13 58 29 00 6c 59 a5 d8 d1 85 32 a0 0b |.P*.X).lY....2..|
000008a0 59 4f ce ed 0d 93 5b da 91 6d 9a 11 41 28 cc a5 |YO....[..m..A(..|
000008b0 7d c4 7f ce 71 c0 f1 f6 30 62 db 34 d0 77 2a 09 |}...q...0b.4.w*.|
000008c0 f7 78 cf 27 e2 e5 39 d5 b6 7a 4c 73 28 7a 69 09 |.x.'..9..zLs(zi.|
000008d0 90 87 99 be 1b dc 61 0f 92 53 3b d1 23 95 7c 40 |......a..S;.#.|@|
000008e0 b6 3f 8c b7 d5 ae fc 6d 8e 2f ce 84 7b 27 12 38 |.?.....m./..{'.8|
000008f0 25 07 f7 d5 7e 58 58 bf 46 d4 f4 b4 20 1b 41 18 |%...~XX.F... .A.|
00000900 b9 36 c3 4d 89 77 03 63 69 ac 70 5d ea d9 30 b4 |.6.M.w.ci.p]..0.|
00000910 cd 3a 47 12 97 9a c9 4b c1 21 3a 49 84 98 e9 5f |.:G....K.!:I..._|
00000920 c1 31 a4 b8 54 ce a3 b7 e7 af 00 6c 99 ac 86 25 |.1..T......l...%|
00000930 9d 3d 17 56 65 bd d6 d1 46 6b b5 39 bf 07 70 cd |.=.Ve...Fk.9..p.|
00000940 19 11 9a 48 fb 4a f2 28 79 78 12 d7 d0 9d 6e 1f |...H.J.(yx....n.|
00000950 b7 79 47 fc 7b 3f 1a fc 1f 8e e6 e0 c6 c0 f2 96 |.yG.{?..........|
00000960 9d 3a cf b6 eb ce 80 3c 88 30 61 b0 bf 53 45 6d |.:.....<.0a..SEm|
00000970 ba b9 4c 11 d6 39 fa 8c 2a 39 26 2f 84 3b eb b2 |..L..9..*9&/.;..|
00000980 0f df fc 1d 13 70 d7 42 13 52 15 fa c7 b5 c2 e0 |.....p.B.R......|
00000990 d3 c4 2e 6e 9f fd b1 15 09 65 76 a5 f3 dd 44 9b |...n.....ev...D.|
000009a0 cf 5e bb 81 8a 2a 75 13 68 c7 fa 8f 02 49 05 13 |.^...*u.h....I..|
000009b0 1a e2 e0 56 19 2e 16 11 2a 3b 61 81 a9 31 f7 e3 |...V....*;a..1..|
000009c0 ed 02 45 a4 77 c6 57 12 cd 63 6f 64 84 6a 99 72 |..E.w.W..cod.j.r|
000009d0 0f 44 bc dc 69 bf f7 2e c0 f2 a0 03 82 0c 9c 41 |.D..i..........A|
000009e0 0e 01 1f 6c e3 d1 53 72 01 52 64 c8 6e 0f ff a9 |...l..Sr.Rd.n...|
000009f0 82 56 97 01 1f 1d a7 fe dd bf 05 20 bd cb 26 d7 |.V......... ..&.|
00000a00 35 84 8d e2 08 20 20 48 c3 41 8e 46 80 fc 65 b9 |5.... H.A.F..e.|
00000a10 2f ae bc 94 c5 f5 e5 e8 8f 96 96 27 e8 55 cf d7 |/..........'.U..|
00000a20 fc e8 a3 fc 0d cb 93 c1 3d 9c 3c ac 82 a3 ff 2c |........=.<....,|
00000a30 37 b9 1c ed b1 f6 b3 f7 1b ce 0a 50 49 df c7 78 |7..........PI..x|
00000a40 31 03 54 cc 02 9c e3 a1 79 59 bf a4 db ec 91 98 |1.T.....yY......|
00000a50 5d 05 47 17 62 b0 fd 20 4b b2 6d 86 c5 b1 02 ee |].G.b.. K.m.....|
00000a60 2a 2f b0 ca 20 7f 42 ac 2b 73 b9 cb 2d 26 5a cf |*/.. .B.+s..-&Z.|
00000a70 99 e5 4f 3a fa 96 36 20 cf 16 be 4a 59 ee a9 c6 |..O:..6 ...JY...|
00000a80 41 8f 65 a5 ac 1e 9f 0c c8 83 fc c6 97 26 1d c9 |A.e..........&..|
00000a90 2c 1d 0d 14 f6 22 8d 84 c8 4c ec a8 42 83 20 0e |,...."...L..B. .|
00000aa0 00 c5 09 3d 93 32 30 8b aa e1 b9 f5 c5 f8 e9 bc |...=.20.........|
00000ab0 34 23 c1 c3 48 4c 8b 1e 68 f9 22 0b b5 ee af 8d |4#..HL..h.".....|
00000ac0 b0 a5 18 52 d2 2d 78 d5 0f c5 81 96 8f 4d 6b 0c |...R.-x......Mk.|
00000ad0 a1 fa 5c b8 e9 52 4e af 76 29 9e a8 be b5 06 3b |..\..RN.v).....;|
00000ae0 69 1e 40 18 43 2a 4d ed 2e d6 51 e7 53 23 f7 05 |[email protected]*M...Q.S#..|
00000af0 ca cc 57 fe 2a 80 13 fd 52 89 31 37 3f 93 f1 5f |..W.*...R.17?.._|
00000b00 7c 9e 51 48 a4 56 26 cd 30 2e 66 d2 ff 22 df 9d ||.QH.V&.0.f.."..|
00000b10 62 0e 75 e0 51 7c d8 d1 41 20 e3 58 a3 58 69 4b |b.u.Q|..A .X.XiK|
00000b20 3d f6 57 f6 ba 19 64 64 1d db 1c a0 40 98 24 bb |=.W...dd....@.$.|
00000b30 5c 69 61 32 0a e7 47 7a be bf f1 2a f4 c1 69 c3 |\ia2..Gz...*..i.|
00000b40 c5 2b 41 a6 3a ff 52 0c 86 8c fe 83 ac 7f 55 ec |.+A.:.R.......U.|
00000b50 8f e8 ac 72 2b 43 3c fa 32 9b 9f f0 7b 30 70 84 |...r+C<.2...{0p.|
00000b60 2e 2f 9f 53 a8 1b 9e b4 81 f1 a9 46 a0 94 ba ef |./.S.......F....|
00000b70 7e 64 31 6d 80 d9 51 fe 93 31 18 c0 10 6d 64 4e |~d1m..Q..1...mdN|
00000b80 af e8 2b d3 ef 9e 3e 22 80 11 13 09 7f 69 fd e9 |..+...>".....i..|
00000b90 bc d0 9d 55 55 18 36 99 b3 b7 a1 6b 9c 8b 26 cf |...UU.6....k..&.|
00000ba0 e0 c5 e8 8d 5b 6a f4 9f 20 99 9d 3b 9c 30 c4 37 |....[j.. ..;.0.7|
00000bb0 3c c5 4f 6b 8d 17 1e 85 ae d9 1f 78 2a 6e 6c 88 |<.Ok.......x*nl.|
00000bc0 2b 2f 8b e9 46 3e 6d 1c 81 d7 7d 3d 69 06 d5 ae |+/..F>m...}=i...|
00000bd0 4d d8 02 20 b1 b4 b5 dc d8 e1 27 4e 59 22 aa 2f |M.. ......'NY"./|
00000be0 d7 f0 71 a5 25 c2 1a a6 8c 53 20 47 49 7c 34 8f |..q.%....S GI|4.|
00000bf0 eb dd 44 72 97 8e 35 9a 21 8e 03 2a e0 05 92 43 |..Dr..5.!..*...C|
00000c00 6e 95 9d 7e 30 8b bd d8 d5 67 2c e8 9f 3b 30 3d |n..~0....g,..;0=|
00000c10 d8 8d 2a 31 8f ac ed d0 be 29 83 ab 94 28 31 6c |..*1.....)...(1l|
00000c20 30 6e bb c0 7f a9 0d 7c c2 38 b6 70 f8 27 9d da |0n.....|.8.p.'..|
00000c30 99 d3 64 14 72 90 32 41 a0 ec 5b 64 4a 28 64 89 |..d.r.2A..[dJ(d.|
00000c40 64 ea dc f9 d9 0b a5 b4 31 5a e8 cc fc 3b db b1 |d.......1Z...;..|
00000c50 2b 0a 6a 6e a3 88 95 60 bc 04 7c 6e da f2 32 28 |+.jn...`..|n..2(|
00000c60 e1 18 6d b6 e5 3f 2b e1 70 82 1e 4c 03 db df 1d |..m..?+.p..L....|
00000c70 c6 99 0c e6 30 ba 90 c7 60 8d fb 2c 07 5a 1d 0e |....0...`..,.Z..|
00000c80 75 4e de 2f 14 89 b2 12 23 4f 41 c1 6d 8c 21 72 |uN./....#OA.m.!r|
00000c90 60 8a 33 e7 1b 1e 6b 8c d3 43 ad a8 c2 4a f8 58 |`.3...k..C...J.X|
00000ca0 70 fd 26 5d cb 5a cd dd 6b 03 82 e0 b2 cd c3 ca |p.&].Z..k.......|
00000cb0 d1 3c 66 88 3f ef 1f 1d 43 be 2b f3 73 28 71 b0 |.<f.?...C.+.s(q.|
00000cc0 20 f7 a2 7f ce ce a8 8e 59 90 93 db 1a ef cc 5b | .......Y......[|
00000cd0 44 dc 43 46 22 e4 8d bf 06 b4 3e c8 bd 44 ac ca |D.CF".....>..D..|
00000ce0 cd 7b 46 c1 27 b4 71 e0 e0 dd 89 12 6d 4e ca e6 |.{F.'.q.....mN..|
00000cf0 3f 1d a1 3b 55 62 cf 4a ea 99 19 3a e9 e3 66 71 |?..;Ub.J...:..fq|
00000d00 19 98 45 28 2a 04 c0 44 f7 d8 3d 5f a0 be ec f6 |..E(*..D..=_....|
00000d10 e3 a7 ef be f0 1d cc d6 37 fe 41 fc c7 0a e0 24 |........7.A....$|
00000d20 97 d1 b4 22 e4 5c 84 c5 2b e3 8e c4 9a ad c7 fa |...".\..+.......|
00000d30 ab 3d 0e 4e 43 43 f8 33 92 6b 66 52 24 65 b1 a8 |.=.NCC.3.kfR$e..|
00000d40 21 cb 5b e6 97 28 b7 70 0e ce a6 97 45 ba 0c 07 |!.[..(.p....E...|
00000d50 50 98 97 01 f8 82 68 47 cc ff 5f 74 48 13 85 45 |P.....hG.._tH..E|
00000d60 b4 ee 37 7b 3f 11 5e 8f db 15 88 bd 60 87 ac 37 |..7{?.^.....`..7|
00000d70 57 c1 1e 35 a9 65 df 91 5d 15 bb 93 fb a0 96 06 |W..5.e..].......|
00000d80 7b 0e 54 75 7f b9 2f bf a0 a3 d8 9b 14 be a8 fb |{.Tu../.........|
00000d90 31 60 c9 93 28 2c 6a d7 52 a1 b6 81 06 d9 7e bb |1`..(,j.R.....~.|
00000da0 42 9e f3 06 9b 48 f8 63 20 d8 eb 7a 82 30 85 f3 |B....H.c ..z.0..|
00000db0 0b ca 1d 68 24 01 ce 38 dc 62 6b a2 14 64 36 e3 |...h$..8.bk..d6.|
00000dc0 69 bd 70 4f be 57 d0 26 c7 6c 22 b1 62 99 28 90 |i.pO.W.&.l".b.(.|
00000dd0 df aa 4e 8b 8b 0b 4d 4a 0e 27 10 3d 35 e9 47 4e |..N...MJ.'.=5.GN|
00000de0 53 7f 2f 88 53 83 18 47 9b 00 fe 58 4a 87 c7 4b |S./.S..G...XJ..K|
00000df0 45 05 87 a5 50 d9 25 e4 80 9f 60 41 2c 06 b5 33 |E...P.%...`A,..3|
00000e00 f7 5f f3 5b 3d 6e e0 d5 6d 37 42 a9 4b fd f7 d2 |._.[=n..m7B.K...|
00000e10 53 6f 05 90 b7 63 5f 0b 4c be 7f 12 1a d9 42 8e |So...c_.L.....B.|
00000e20 63 54 48 99 b0 55 f3 02 15 14 ab ef 51 53 9c 06 |cTH..U......QS..|
00000e30 4a 95 7f 51 ae 39 c7 34 c2 ca fd 01 76 1c 15 a3 |J..Q.9.4....v...|
00000e40 b7 32 a0 e2 8e 22 4a da db 1e 31 a2 d3 39 64 2a |.2..."J...1..9d*|
00000e50 3a 69 f6 90 f9 c0 94 5b 38 5c 69 de 78 1d 1b 95 |:i.....[8\i.x...|
00000e60 72 c6 a4 65 76 2d 8f c5 4a c5 9a 67 df 11 9d 4d |r..ev-..J..g...M|
00000e70 ab 0c 41 0b 12 68 0a a3 aa f5 b4 ac 9e 9b dd ea |..A..h..........|
00000e80 e5 10 6c 76 89 70 ed d7 97 93 81 65 a1 68 51 a2 |..lv.p.....e.hQ.|
00000e90 f0 99 7e 4c 52 6c 2c 50 19 1c 12 e4 41 11 24 bf |..~LRl,P....A.$.|
00000ea0 e9 f5 30 03 2f 78 cf dd c6 e1 a3 db bd 4e 76 88 |..0./x.......Nv.|
00000eb0 76 2e 45 70 13 ef 50 31 96 84 67 7f 88 7c 5c e1 |v.Ep..P1..g..|\.|
00000ec0 ef 72 bb 73 e4 6e 90 0c e1 2a fd c8 4c 6a 66 e1 |.r.s.n...*..Ljf.|
00000ed0 ea 86 a6 48 6c 34 de d1 91 40 f6 ac 7e da 7d 94 |...Hl4...@..~.}.|
00000ee0 9e 96 df 55 ca 82 2d 63 07 4b ee dc d4 76 ed 2e |...U..-c.K...v..|
00000ef0 70 ea 40 72 37 88 67 61 7f 02 74 8c f1 ac bb 76 |[email protected]|
00000f00 75 1b d4 6b 8e 47 68 ac 71 7e 75 f9 54 3f 56 2a |u..k.Gh.q~u.T?V*|
00000f10 e4 9e 5c c2 21 df 18 d3 2c 4a bd 0f 91 0b f0 4f |..\.!...,J.....O|
00000f20 6f b7 ad 38 8a bd d9 c3 da c3 69 ff ac 2c 3c 6b |o..8......i..,<k|
00000f30 76 fa 1f eb e6 a5 b2 60 e0 a3 12 ab d6 4f 05 a4 |v......`.....O..|
00000f40 e9 f7 7f bc 14 60 19 e0 a2 07 60 61 eb 47 24 09 |.....`....`a.G$.|
00000f50 45 34 1e 08 d6 f6 4f 83 62 81 91 27 8f c1 e9 10 |E4....O.b..'....|
00000f60 60 20 7c 69 e2 c3 fb 76 3b fb ff a9 f9 48 e2 20 |` |i...v;....H. |
00000f70 cd 5f 05 82 ab d7 f9 04 30 d7 f9 5a 50 18 e1 3e |._......0..ZP..>|
00000f80 17 92 8e 86 4a 83 bd ef 45 5a 05 0e 8d 4e 44 fa |....J...EZ...ND.|
00000f90 38 57 61 6b ce 4c 90 34 bd 72 85 84 fc 83 05 ef |8Wak.L.4.r......|
00000fa0 e4 ec 95 7d 62 da 7f 21 b3 d9 39 6d 75 75 69 1b |...}b..!..9muui.|
00000fb0 e9 4f ed eb dd ee 77 be 82 1f b0 00 4a f2 a4 7a |.O....w.....J..z|
00000fc0 16 9e df 29 a8 bb 98 32 3a d3 0f 54 45 d1 c4 9a |...)...2:..TE...|
00000fd0 fe 16 0c 13 8f 8d ee 54 34 56 f6 91 2c fe e5 be |.......T4V..,...|
00000fe0 d0 81 4c 0e 56 43 56 b8 17 63 0b 07 22 a7 b9 87 |..L.VCV..c.."...|
00000ff0 b8 f8 30 50 43 21 a1 16 a0 2e d8 fb 19 28 15 0b |..0PC!.......(..|
00001000
and this is typical of the output I get when trying bdemount:
root@home:/usr/home # bdemount -p ******** /dev/da0s1 /media/da0s1/
bdemount 20191221
Unable to open source volume
libbde_io_handle_read_volume_header: unsupported volume boot entry point.
libbde_volume_open_read: unable to read volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
Thank you for your time
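Added example (editor's, not part of the report above and not libbde code): a small decoder for the fields of the first sector that matter when libbde rejects a volume header. The field offsets (boot entry point at 0, signature at 3, bytes per sector at 11, BitLocker identifier GUID at 0xa0, three FVE metadata block offsets at 0xb0) follow the libbde BDE format documentation; the sample bytes are the first 0xd0 bytes copied from the hexdump posted above, so the output shows what the library is actually looking at.

```python
import struct
import uuid

# Added example: decode the BitLocker-relevant fields of a volume's first sector.
# Offsets per the libbde BDE format documentation; SAMPLE_HEADER is copied from
# the hexdump in the report above (first 0xd0 bytes).

BDE_SIGNATURE = b"-FVE-FS-"
# BitLocker identifier GUID as listed in the libbde format documentation.
BDE_IDENTIFIER = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")

SAMPLE_HEADER = bytes.fromhex(
    "eb58902d4656452d46532d0002080000"   # 0x00: jump, "-FVE-FS-", 512 B/sector, 8 spc
    "0000000000f800003f00ff0000080000"   # 0x10
    "00000000e01f00000000000000000000"   # 0x20
    "01000600000000000000000000000000"   # 0x30
    "800029000000004e4f204e414d452020"   # 0x40: "NO NAME"
    "2020464154333220202033c98ed1bcf4"   # 0x50: "FAT32"
    "7b8ec18ed9bd007ca0fb7db47d8bf0ac"   # 0x60
    "9840740c48740eb40ebb0700cd10ebef"   # 0x70
    "a0fd7debe6cd16cd1900000000000000"   # 0x80
    "00000000000000000000000000000000"   # 0x90
    "3bd66749292ed84a8399f6a339e3d001"   # 0xa0: BitLocker identifier GUID
    "00002cc00000000000002dc000000000"   # 0xb0: metadata block offsets 1 and 2
    "00002ec0000000000000000000000000"   # 0xc0: metadata block offset 3
)


def parse_volume_header(data):
    """Decode the fields libbde checks before it will open a volume."""
    if len(data) < 0xd0:
        raise ValueError("need at least 0xd0 bytes of the first sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", data, 11)
    return {
        "entry_point": data[0:3],
        "signature": data[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "identifier": uuid.UUID(bytes_le=data[0xa0:0xb0]),
        "metadata_offsets": struct.unpack_from("<3Q", data, 0xb0),
    }


def check_volume_header(header):
    """Return a list of findings; an empty list means the header looks like BitLocker."""
    findings = []
    if header["signature"] != BDE_SIGNATURE:
        findings.append("signature %r is not %r" % (header["signature"], BDE_SIGNATURE))
    if header["identifier"] != BDE_IDENTIFIER:
        findings.append("identifier %s is not the BitLocker identifier" % header["identifier"])
    if header["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("unusual bytes per sector: %d" % header["bytes_per_sector"])
    offsets = header["metadata_offsets"]
    if any(o == 0 or o % header["bytes_per_sector"] for o in offsets):
        findings.append("metadata offsets zero or not sector aligned: %r" % (offsets,))
    return findings


def read_volume_header(path, offset=0):
    """Read the first 512 bytes of a volume image or device at a partition offset."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        return fh.read(512)


if __name__ == "__main__":
    hdr = parse_volume_header(SAMPLE_HEADER)
    print("boot entry point:", hdr["entry_point"].hex())
    print("signature:", hdr["signature"])
    print("identifier:", hdr["identifier"])
    print("FVE metadata blocks at:", [hex(o) for o in hdr["metadata_offsets"]])
    print("findings:", check_volume_header(hdr) or "none")
```

For the posted dump this prints entry point eb5890, the -FVE-FS- signature, the documented BitLocker identifier and three metadata blocks 64 KiB apart, so the signature and identifier checks pass on these bytes; what remains to compare is the three entry-point bytes against the values the installed libbde version accepts. To inspect a device or a full-disk image instead of the embedded sample, call read_volume_header(path, offset) with the partition's byte offset (the same number bdeinfo and bdemount take with -o elsewhere on this page).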
On a number of architectures, libbde failed to build due to crashes in the test suite, see https://buildd.debian.org/status/logs.php?pkg=libbde&ver=20170204-1.
I decided to take a closer look on i386:
$ LD_LIBRARY_PATH=../libbde/.libs/ gdb ./.libs/bde_test_metadata
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./.libs/bde_test_metadata...done.
(gdb) run
Starting program: /home/bengen/p/deb/plaso/libbde/tests/.libs/bde_test_metadata
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0xb7ebfea4 in libcdata_array_free (array=0x8000608c,
entry_free_function=0xb7eb2d6a <libbde_metadata_entry_free>, error=0x0)
at libcdata_array.c:252
(gdb) p internal_array
$1 = (libcdata_internal_array_t *) 0x49
(gdb) bt
#0 0xb7ebfea4 in libcdata_array_free (array=0x8000608c,
entry_free_function=0xb7eb2d6a <libbde_metadata_entry_free>, error=0x0)
at libcdata_array.c:252
#1 0xb7eae94e in libbde_metadata_initialize (metadata=0xbfffed0c,
error=0xbfffed08) at libbde_metadata.c:145
#2 0x80001061 in bde_test_metadata_initialize () at bde_test_metadata.c:182
#3 0x80002d31 in main (argc=1, argv=0xbfffede4) at bde_test_metadata.c:1110
(gdb)
I was reminded of the bug I reported against libbfio (libyal/libbfio#2) so I just went ahead and disabled the memory tests altogether when building the Debian package.
Wish I could label this a question instead of an issue. What I have is a full disk image. While I can pull out the BitLocker partition, I'd prefer to just hand libbde the offset. I'm actually not even trying to mount the thing in general, but just use libbde to pull out parts of BitLocker's data that I need. Every time I try to give libbde the full disk image, it appears to fail, thinking that it isn't the correct type. Maybe you can suggest another way? Seeking to the offset of the BitLocker partition in a file object doesn't seem to work either. I'm working on a standalone machine, so it's difficult to provide much data, but I get the following error, if it helps:
OSError: pybde_volume_open_file_object: unable to open volume. libbde_volume_header_read_data: unsupported volume boot entry point. libbde_volume_header_read_file_io_handle: unable to read volume header data. libbde_internal_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.
According to that, it would seem that I can't actually read the file, but as I own the file, I'm unsure what is going on.
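Added example (editor's, not code from the question above and not part of libbde or pybde): a way to hand the library only the partition from a full-disk image. It reads the MBR partition table, finds the entry whose first sector carries the -FVE-FS- signature, and wraps the underlying file in a read-only window that starts at the partition offset, so that the object passed to the binding's open_file_object() (the method named in the traceback above) sees offset 0 as the start of the BitLocker volume. The GPT case is not handled; the sample disk image is constructed inline.

```python
import io
import struct

# Added example: expose one MBR partition of a disk image as a file-like object
# whose offset 0 is the start of the partition. pybde's open_file_object()
# needs read/seek/tell; an image opened this way no longer needs -o/offset.

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 0x1be
MBR_SIGNATURE = b"\x55\xaa"
BDE_SIGNATURE = b"-FVE-FS-"


def mbr_partitions(mbr):
    """Yield (index, type, byte_offset, byte_size) for non-empty primary MBR entries."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature: not an MBR disk image (GPT?)")
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) chs_first(3) type(1) chs_last(3) lba_start(4) num_sectors(4)
        ptype, start_lba, num_sectors = struct.unpack("<4xB3xII", entry)
        if ptype == 0 or num_sectors == 0:
            continue
        yield i, ptype, start_lba * SECTOR_SIZE, num_sectors * SECTOR_SIZE


class PartitionFileObject:
    """Read-only window [offset, offset + size) over a larger file object."""

    def __init__(self, fh, offset, size):
        self._fh, self._offset, self._size, self._pos = fh, offset, size, 0

    def seek(self, pos, whence=io.SEEK_SET):
        base = {io.SEEK_SET: 0, io.SEEK_CUR: self._pos, io.SEEK_END: self._size}[whence]
        if base + pos < 0:
            raise ValueError("negative seek position")
        self._pos = base + pos
        return self._pos

    def tell(self):
        return self._pos

    def read(self, size=-1):
        remaining = max(self._size - self._pos, 0)   # never read past the partition
        if size is None or size < 0 or size > remaining:
            size = remaining
        if size == 0:
            return b""
        self._fh.seek(self._offset + self._pos)
        data = self._fh.read(size)
        self._pos += len(data)
        return data


def open_bitlocker_partition(fh):
    """Return (byte_offset, PartitionFileObject) for the first BitLocker partition."""
    fh.seek(0)
    for _, _ptype, offset, size in mbr_partitions(fh.read(512)):
        fh.seek(offset)
        if fh.read(11)[3:] == BDE_SIGNATURE:
            return offset, PartitionFileObject(fh, offset, size)
    raise LookupError("no partition starting with the -FVE-FS- signature")


def build_sample_image():
    """Constructed test image: one type 0x07 partition at LBA 2048, 4096 sectors long."""
    mbr = bytearray(512)
    mbr[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 4096)
    mbr[510:512] = MBR_SIGNATURE
    image = bytearray((2048 + 4096) * SECTOR_SIZE)
    image[0:512] = mbr
    start = 2048 * SECTOR_SIZE
    image[start:start + 11] = b"\xeb\x58\x90" + BDE_SIGNATURE   # fake BDE first sector
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    offset, part = open_bitlocker_partition(build_sample_image())
    print("BitLocker partition at byte offset", offset, "(bdeinfo/bdemount -o %d)" % offset)
    print("first bytes seen through the window:", part.read(11))
    # With pybde: pybde.volume().open_file_object(part)  (file object, not the disk)
```

The same byte offset is what the command-line tools take with -o (a later post on this page passes it as 512 times the partition's starting sector). Wrapping is needed because the library checks the volume header at offset 0 of whatever object it is given, which is why seeking the underlying file first does not help.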
How to create a new BitLocker partition on Linux? Create, not mount.
Dear all,
when mounting a bitlocker encrypted partition using bdemount and the correct passphrase, we would like to dump/extract/see the FVEK. The reasoning for this is that we want to have the correct FVEK as a reference when doing testing on RAM dumps.
Is there an easy way to do this using bdemount/bdeinfo?
Thank you in advance for any help.
Best Regards
Dennis
I have downloaded “libbde-alpha-20190317.tar.gz” and installed it through setup.py in a Kali Linux environment. How can I use this software under Kali Linux? Do you have software instructions?
I haven't done a lot of digging into the actual issue, but BitLocker for Windows 10 is different and adjustments will need to be made to libbde. I have a test image you can use, and will look into it soon-ish(?). What this issue lacks in detail to fix it, it makes up for in providing ample notice of a new "feature".
$ bdeinfo -r -o $((512*1411072)) desk-base.dd
bdeinfo 20160418
Unable to open: desk-base.dd.
libbde_metadata_entry_read: unsupported FVE metadata entry version.
libbde_volume_master_key_read: unable to read property metadata entry.
libbde_metadata_read_entries: unable to read volume master key.
libbde_metadata_read_block: unable to read metadata header.
libbde_volume_open_read: unable to read primary metadata block.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
bdemount 20200724 fails to mount BitLocker volume created by Windows 10 (version 1903). Error "volume header size in FVE Volume header block does not match number of volume header sectors." (calculated volume header size = 0). See attached log.
About libbde_volume_open: what is the filename parameter?
#include <stdio.h>
#include <libbde.h>

libbde_error_t *error = NULL;
libbde_volume_t *volume = NULL;
const char *filename = "F:\\";
int result = 0;

if( libbde_volume_initialize( &volume, &error ) != 1 )
{
    libbde_error_fprint( error, stderr );
    libbde_error_free( &error );
    return 0;
}
result = libbde_volume_open(
          volume,
          filename,
          LIBBDE_OPEN_READ,
          &error );
if( result != 1 )
{
    libbde_error_fprint( error, stderr );
    libbde_error_free( &error );
    return 0;
}
It has been failing with: libbde_volume_open: unable to set filename in file IO handle.
Use cases:
This library takes about 2 minutes to calculate the encrypted_context in the function libbde_metadata_read_volume_master_key. Are there any solutions to optimize this?
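Added example (editor's, not libbde code and not part of the question above): the BitLocker stretch-key derivation that a user password or recovery password goes through before the VMK can be decrypted. The layout (an 88-byte block of last hash, initial hash, 16-byte salt and a little-endian 64-bit counter, hashed with SHA-256 for 0x100000 rounds) follows the libbde BDE format documentation; that this derivation is what dominates the two minutes reported above is an assumption, not something the page states. The salt and passwords used are constructed for the demonstration.

```python
import hashlib
import struct
import time

# Added example: BitLocker stretch-key derivation (per the libbde BDE format
# documentation). ASSUMPTION: this is the slow step behind the timing reported
# in the question above; the round count is fixed by the format.

STRETCH_ITERATIONS = 0x100000   # 1,048,576 chained SHA-256 rounds


def stretch_block(last_hash, initial_hash, salt, iteration):
    """The 88-byte block hashed in every round: last | initial | salt | counter(LE u64)."""
    if len(last_hash) != 32 or len(initial_hash) != 32 or len(salt) != 16:
        raise ValueError("hashes must be 32 bytes and the salt 16 bytes")
    return last_hash + initial_hash + salt + struct.pack("<Q", iteration)


def stretch_round(last_hash, initial_hash, salt, iteration):
    """One round: SHA-256 of the block for this iteration."""
    return hashlib.sha256(stretch_block(last_hash, initial_hash, salt, iteration)).digest()


def stretch_key(initial_hash, salt, iterations=STRETCH_ITERATIONS):
    """Full derivation: start from 32 zero bytes, chain `iterations` rounds."""
    last_hash = bytes(32)
    for i in range(iterations):
        last_hash = stretch_round(last_hash, initial_hash, salt, i)
    return last_hash          # 32-byte key used to unwrap the VMK


def password_initial_hash(password):
    """User password: SHA-256 of SHA-256 of the UTF-16LE password (no BOM, no NUL)."""
    return hashlib.sha256(hashlib.sha256(password.encode("utf-16-le")).digest()).digest()


def recovery_password_to_key(recovery_password):
    """48-digit recovery password -> 16-byte key: each 6-digit block must be a
    multiple of 11 (check digit) and block // 11 is stored as a LE uint16."""
    digits = recovery_password.replace("-", "").replace(" ", "")
    if len(digits) != 48 or not digits.isdigit():
        raise ValueError("recovery password must be 48 digits in 8 blocks of 6")
    key = b""
    for i in range(8):
        block = int(digits[6 * i: 6 * i + 6])
        if block % 11 != 0 or block // 11 > 0xffff:
            raise ValueError("block %d (%06d) fails the check-digit test" % (i, block))
        key += struct.pack("<H", block // 11)
    return key


def recovery_password_is_valid(recovery_password):
    """True if the recovery password passes the per-block check-digit test."""
    try:
        recovery_password_to_key(recovery_password)
        return True
    except ValueError:
        return False


def recovery_password_initial_hash(recovery_password):
    """Recovery password: a single SHA-256 over the 16-byte key."""
    return hashlib.sha256(recovery_password_to_key(recovery_password)).digest()


def time_stretch(iterations=STRETCH_ITERATIONS):
    """Seconds the derivation takes here with a constructed salt and password."""
    salt = bytes(range(16))       # constructed; the real salt comes from the key protector
    start = time.perf_counter()
    stretch_key(password_initial_hash("correct horse"), salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("full stretch (%d rounds) took %.2f s" % (STRETCH_ITERATIONS, time_stretch()))
```

The round count is part of the format, so the only room for optimisation is a faster SHA-256 implementation; measuring time_stretch() on the target machine and comparing it with the time spent in libbde_metadata_read_volume_master_key is a quick way to tell whether the derivation or something else accounts for the two minutes.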
Hello. May I suggest one improvement to the BDE spec?
I have recently been experimenting with BitLocker encryption of FAT32 volumes, and I found my "discovery volume" contains "COV 0001. ER" and similar files for encrypted data.
For example, from an ls -l output when mounted in Linux:
...
-r--r--r-- 1 root root 32768 Mar 30 2018 COV\ 0000.\ BL*
-r--r--r-- 1 root root 4294934528 Mar 30 2018 COV\ 0000.\ ER*
-r--r--r-- 1 root root 4294934528 Mar 30 2018 COV\ 0001.\ ER*
-r--r--r-- 1 root root 4294934528 Mar 30 2018 COV\ 0002.\ ER*
-r--r--r-- 1 root root 3146153984 Mar 30 2018 COV\ 0003.\ ER*
...
It looks like each ". ER" file has a maximum size of 4294934528 bytes (4 GiB - 32768 bytes).
The existence of multiple ". ER" files and their size limit is not mentioned in the specification.
By the way, I encrypted this drive in Windows 10 version 1703. It's a 16 GB USB flash drive with a single FAT32 volume; partition table is MBR.
It is really a big problem for a newcomer to read such a large amount of code. So would you please add some descriptions of the lib? Please, please, please. It's so hard to do integration testing without knowing what the functions mean. An excessive request from a code noob. Thanks a lot.
Hi developers,
although it seems not to be a bug in the proper sense, I would like you to keep an eye on this case:
I have a Windows 10 SD, system partition, which I am not able to mount because of the above error. Does anyone know if this is Microsoft's fault? The second disk (HDD) can be decrypted just fine with this great tool. Does Microsoft use different key sizes??? For what reason? Thanks a lot!
After many tests, the FVEK extracted with the plugin from
https://tribalchicken.io/recovering-bitlocker-keys-on-windows-8-1-and-10/
is not the correct BitLocker FVEK. Elcomsoft Forensic Disk Decryptor can find the VMK, and I guess it is very likely the correct result (I don't have the registered version of that software).
So, is there now a new method to extract the correct BitLocker FVEK, or to unlock the encrypted volume directly with the VMK?
Hi,
Currently I am experiencing an issue with a BitLocker image. Here is the output including debug info:
bitlocker output.txt
I noticed that the problem appears in the libbde_io_handle_read_volume_header function in libbde_io_handle.c, in the BitLocker identifier checking logic. I tried to ignore the checks and set io_handle->version to LIBBDE_VERSION_WINDOWS_7. This helped to decrypt the partition. Is it just a new BitLocker identifier that is stored in those 16 bytes, or is the problem much deeper?
Thank you!
So with XTS128 it appears to work correctly. I can concatenate the two 128-bit keys together to create the 256-bit key expected for XTS-type encryption. (Strangely, it only works when the ":" that separates the FVEK:TWEAK keys is missing.)
$ bdeinfo bitlockerXTS128.001
bdeinfo 20190102
BitLocker Drive Encryption information:
Encryption method : AES-XTS 128-bit
Volume identifier : 09db8c9f-2b29-4bfc-97a9-937a85fc0e40
Creation time : Mar 26, 2021 09:55:58.734711900 UTC
Description : WINDOZE10 C: 26/03/2021
Number of key protectors : 2
Key protector 0:
Identifier : aa8831c2-2479-463f-ba2b-23470b001aec
Type : Password
Key protector 1:
Identifier : 451550f8-adcf-4847-b440-56b0045c2521
Type : Recovery password
Unable to unlock volume.
$ sudo bdemount -k 7a30be33e349e836fe47c9e749e05c80:54802aaf12307dd661caaec338616dfa bitlockerXTS128.001 /mnt
[sudo] password for user:
bdemount 20190102
Unable to open source volume
libbde_io_handle_read_unencrypted_volume_header: unable to determine volume size.
libbde_volume_open_read: unable to read unencrypted volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
$ sudo bdemount -k 7a30be33e349e836fe47c9e749e05c8054802aaf12307dd661caaec338616dfa bitlockerXTS128.001 /mnt
bdemount 20190102
$ sudo ls /mnt
bde1
$ sudo head /mnt/bde1|xxd
00000000: eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS .....
00000010: 0000 0000 00f8 0000 3f00 ff00 0098 0100 ........?.......
00000020: 0000 0000 8000 8000 537f ee04 0000 0000 ........S.......
00000030: 0000 0c00 0000 0000 0200 0000 0000 0000 ................
00000040: f600 0000 0100 0000 f078 5286 ab52 8628 .........xR..R.(
00000050: 0000 0000 fa33 c08e d0bc 007c fb68 c007 .....3.....|.h..
00000060: 1f1e 6866 00cb 8816 0e00 6681 3e03 004e ..hf......f.>..N
00000070: 5446 5375 15b4 41bb aa55 cd13 720c 81fb TFSu..A..U..r...
00000080: 55aa 7506 f7c1 0100 7503 e9dd 001e 83ec U.u.....u.......
00000090: 1868 1a00 b448 8a16 0e00 8bf4 161f cd13 .h...H..........
000000a0: 9f83 c418 9e58 1f72 e13b 060b 0075 dba3 .....X.r.;...u..
000000b0: 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8 ........Z3... +.
000000c0: 66ff 0611 0003 160f 008e c2ff 0616 00e8 f...............
000000d0: 4b00 2bc8 77ef b800 bbcd 1a66 23c0 752d K.+.w......f#.u-
000000e0: 6681 fb54 4350 4175 2481 f902 0172 1e16 f..TCPAu$....r..
000000f0: 6807 bb16 6852 1116 6809 0066 5366 5366 h...hR..h..fSfSf
00000100: 5516 1616 68b8 0166 610e 07cd 1a33 c0bf U...h..fa....3..
00000110: 0a13 b9f6 0cfc f3aa e9fe 0190 9066 601e .............f`.
00000120: 0666 a111 0066 0306 1c00 1e66 6800 0000 .f...f.....fh...
00000130: 0066 5006 5368 0100 6810 00b4 428a 160e .fP.Sh..h...B...
00000140: 0016 1f8b f4cd 1366 595b 5a66 5966 591f .......fY[ZfYfY.
00000150: 0f82 1600 66ff 0611 0003 160f 008e c2ff ....f...........
00000160: 0e16 0075 bc07 1f66 61c3 a1f6 01e8 0900 ...u...fa.......
00000170: a1fa 01e8 0300 f4eb fd8b f0ac 3c00 7409 ............<.t.
00000180: b40e bb07 00cd 10eb f2c3 0d0a 4120 6469 ............A di
00000190: 736b 2072 6561 6420 6572 726f 7220 6f63 sk read error oc
000001a0: 6375 7272 6564 000d 0a42 4f4f 544d 4752 curred...BOOTMGR
000001b0: 2069 7320 636f 6d70 7265 7373 6564 000d is compressed..
000001c0: 0a50 7265 7373 2043 7472 6c2b 416c 742b .Press Ctrl+Alt+
000001d0: 4465 6c20 746f 2072 6573 7461 7274 0d0a Del to restart..
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001f0: 0000 0000 0000 8a01 a701 bf01 0000 55aa ..............U.
but if I try the same with XTS256 it reports invalid tweak key value too small.
examples:
$ bdeinfo bitlockerXTS256.001
bdeinfo 20190102
BitLocker Drive Encryption information:
Encryption method : AES-XTS 256-bit
Volume identifier : f8475fb2-7412-4e4d-8c7a-59149808f3f1
Creation time : Mar 26, 2021 13:29:19.015861500 UTC
Description : WINDOZE10 C: 26/03/2021
Number of key protectors : 2
Key protector 0:
Identifier : 08e27b20-ed28-4434-b397-eec669f875e6
Type : Password
Key protector 1:
Identifier : c94cde1b-cead-4f38-9cc8-2d40137a16cc
Type : Recovery password
Unable to unlock volume.
$ sudo bdeinfo -k 66e8ff9c9b431620f435d353c82cede23018a6f6a8235bb349bc02807bd418422f45d3bdb406c59d403316ce881ffb2cf4d8a9875cfbf2341547f0b46e93e8f6 bitlockerXTS256.001 /mnt
[sudo] password for user:
bdeinfo 20190102
Unable to open: bitlockerXTS256.001.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
$ sudo bdeinfo -k 66e8ff9c9b431620f435d353c82cede23018a6f6a8235bb349bc02807bd41842:2f45d3bdb406c59d403316ce881ffb2cf4d8a9875cfbf2341547f0b46e93e8f6 bitlockerXTS256.001 /mnt
bdeinfo 20190102
Unable to open: bitlockerXTS256.001.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
$
Is this a fault with libbde or user error?
Can partitions encrypted with bitlocker and locked with TPM key (only) from Windows 7 be unlocked - obviously if still in the original machine 8)
Cheers
Jasper
I recently came across an image for which bdeinfo did not recognize the key protector type, 0x500.
Could this mean that `LIBBDE_KEY_PROTECTION_TYPE_TPM` (0x100) is combined with 0x400 for something else, maybe a start-up PIN?
I tried to open an image of a hard drive, which I believe to be half-way encrypted, using python. Unfortunately pybde refuses to open it.
```python
import pybde

print(pybde.get_version())
# 20200724

# First attempt: open the image by path.
try:
    bde_volume = pybde.volume()
    bde_volume.open("/mnt/e/image.raw")
    bde_volume.close()
except Exception as e:
    print(e)
# pybde_volume_open: unable to open volume. libbde_io_handle_read_volume_header: unsupported volume boot entry point. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle. libbde_volume_open: unable to open volume: /mnt/e/image.raw.

# Second attempt: open the image through a file object.
try:
    file_object = open("/mnt/e/image.raw", "rb")
    bde_volume = pybde.volume()
    bde_volume.open_file_object(file_object)
    bde_volume.close()
except Exception as e:
    print(e)
# pybde_volume_open_file_object: unable to open volume. libbde_io_handle_read_volume_header: unsupported volume boot entry point. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.
```
I manually verified that there is an intact BitLocker volume header starting at offset 1048576 (dec):
eb 58 90 2d 46 56 45 2d 46 53 2d 00 10 40 20 00 00 00 00 00 00 f8 00 00 3f 00 ff 00 3f 00 00 00 20 09 aa 2b e0 1f 00 00 00 00 00 00 00 00 00 00 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 29 00 00 00 00 4e 4f 20 4e 41 4d 45 20 20 20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 7b 8e c1 8e d9 bd 00 7c a0 fb 7d b4 7d 8b f0 ac 98 40 74 0c 48 74 0e b4 0e bb 07 00 cd 10 eb ef a0 fd 7d eb e6 cd 16 cd 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 4d a8 92 80 dd 0e 4d 9e 4e b1 e3 28 4e ae d8 00 20 7f 53 08 00 00 00 00 20 87 53 08 00 00 00 00 20 8b 53 08 00 00 00 00 20 9f 53 08 00 00 00 00 20 a3 53 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 0a 52 65 6d 6f 76 65 20 64 69 73 6b 73 20 6f 72 20 6f 74 68 65 72 20 6d 65 64 69 61 2e ff 0d 0a 44 69 73 6b 20 65 72 72 6f 72 ff 0d 0a 50 72 65 73 73 20 61 6e 79 20 6b 65 79 20 74 6f 20 72 65 73 74 61 72 74 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1f 2c 55 aa
Is there anything I can do to further narrow down the problem? Or is this simply not supported by the library?
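One way to narrow this down, as an added example that is neither libbde's code nor the poster's: the "unsupported volume boot entry point" error suggests the library is looking at the first sector of the file, 1 MiB before the header the post found, so scan the raw image sector by sector for the volume header and report the offset to hand to bdeinfo or bdemount with -o (the `-o 1047527424` invocation further down this page shows the option). The layout assumed here is the one visible in the hexdump above: an x86 jump at byte 0, "-FVE-FS-" at byte 3, the 16-byte BitLocker identifier at byte 160, three 8-byte FVE metadata block offsets from byte 176, and 55 aa at byte 510. The sample image is constructed: a zeroed 2 MiB file with a header at 1 MiB whose identifier and metadata offsets are copied from that hexdump, with the BPB and boot code left out.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// sectorSize is the scan granularity; a BDE volume header starts on a sector boundary.
const sectorSize = 512

// bdeSignature is the "-FVE-FS-" OEM name at offset 3 of the header in the post's hexdump.
var bdeSignature = []byte("-FVE-FS-")

// BDEHeader holds the fields this example pulls out of a volume header.
type BDEHeader struct {
	Offset          int64    // byte offset of the header inside the image
	JumpCode        [3]byte  // boot entry point, e.g. eb 58 90
	Identifier      string   // 16 bytes at offset 160 rendered as a GUID (assumed layout)
	MetadataOffsets [3]int64 // three 8-byte FVE metadata block offsets at 176 (assumed layout)
}

// guidString renders 16 bytes in the mixed-endian GUID form Windows uses:
// the first three fields are little-endian, the last two big-endian.
func guidString(b []byte) string {
	return fmt.Sprintf("%08x-%04x-%04x-%04x-%x",
		binary.LittleEndian.Uint32(b[0:4]),
		binary.LittleEndian.Uint16(b[4:6]),
		binary.LittleEndian.Uint16(b[6:8]),
		binary.BigEndian.Uint16(b[8:10]),
		b[10:16])
}

// parseBDEHeader checks one sector for a BDE volume header and decodes it.
func parseBDEHeader(sector []byte, at int64) (*BDEHeader, error) {
	if len(sector) < sectorSize {
		return nil, errors.New("short sector")
	}
	if sector[0] != 0xeb || sector[2] != 0x90 {
		return nil, errors.New("no x86 short jump at the boot entry point")
	}
	if !bytes.Equal(sector[3:11], bdeSignature) {
		return nil, errors.New("no -FVE-FS- signature")
	}
	if sector[510] != 0x55 || sector[511] != 0xaa {
		return nil, errors.New("missing 55 aa boot sector marker")
	}
	h := &BDEHeader{Offset: at, Identifier: guidString(sector[160:176])}
	copy(h.JumpCode[:], sector[0:3])
	for i := range h.MetadataOffsets {
		h.MetadataOffsets[i] = int64(binary.LittleEndian.Uint64(sector[176+8*i : 184+8*i]))
	}
	return h, nil
}

// scanImage walks a raw image sector by sector and returns every header it
// finds; Offset is the value to pass to bdeinfo/bdemount with -o.
func scanImage(image []byte) []*BDEHeader {
	var found []*BDEHeader
	for off := 0; off+sectorSize <= len(image); off += sectorSize {
		if h, err := parseBDEHeader(image[off:off+sectorSize], int64(off)); err == nil {
			found = append(found, h)
		}
	}
	return found
}

// sampleImage is constructed test data: a 2 MiB zero image with a minimal
// header at 1 MiB; identifier and metadata offsets come from the post's hexdump.
func sampleImage() []byte {
	img := make([]byte, 2<<20)
	hdr := img[1<<20 : (1<<20)+sectorSize]
	copy(hdr, []byte{0xeb, 0x58, 0x90})
	copy(hdr[3:], bdeSignature)
	copy(hdr[160:], []byte{0x3b, 0x4d, 0xa8, 0x92, 0x80, 0xdd, 0x0e, 0x4d,
		0x9e, 0x4e, 0xb1, 0xe3, 0x28, 0x4e, 0xae, 0xd8})
	for i, o := range []uint64{0x08537f2000, 0x0853872000, 0x08538b2000} {
		binary.LittleEndian.PutUint64(hdr[176+8*i:], o)
	}
	hdr[510], hdr[511] = 0x55, 0xaa
	return img
}

func main() {
	for _, h := range scanImage(sampleImage()) {
		fmt.Printf("BDE header at image offset %d (jump %x), identifier %s\n",
			h.Offset, h.JumpCode[:], h.Identifier)
		fmt.Printf("  FVE metadata blocks at volume offsets %#x %#x %#x\n",
			h.MetadataOffsets[0], h.MetadataOffsets[1], h.MetadataOffsets[2])
		fmt.Printf("  try: bdeinfo -o %d image.raw\n", h.Offset)
	}
}
```

The metadata offsets are relative to the volume, not the image, so when the tools are pointed at the image they still need the -o value on top; a scanner like this also answers the "is my header where I think it is" question for a drive that is only partly encrypted.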
I am experiencing difficulties with libbde (and by extension, plaso) when opening a Bitlocker-encrypted partition. In fact, the same problem occurs with both encrypted partitions on the drive.
Without giving a recovery key, bdeinfo prints the following:
[root@machine ewfmount]# bdeinfo -o 1047527424 ewf1
bdeinfo 20180929
BitLocker Drive Encryption information:
Encryption method : AES-XTS 256-bit
Volume identifier : <redacted>
Creation time : Aug 09, 2018 11:35:38.295965800 UTC
Description : <redacted> SYSTEM 9. 8. 2018
Number of key protectors : 12
<Key identifiers>*12
When I supply the (verified correct) recovery key, I get:
[root@machine ewfmount]# bdeinfo -o 1047527424 -r <Redacted> ewf1
bdeinfo 20180929
Unable to open: ewf1.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
Unfortunately I cannot supply the image. I can correctly mount and open the volume on a Windows 10 machine, but not on a Windows 7 machine.
Is there anything I can do to help locate the issue?
Hi,
I am writing a John the Ripper jumbo plugin to brute-force password protected BitLocker volumes. My project is heavily based on your libbde project.
My brute-force method uses a known plaintext attack on the decrypted contents of `metadata->password_volume_master_key->aes_ccm_encrypted_key->data`. Specifically, the `version` has to be 1 and `data_size` has to be 0x2c. This stuff is in the `libbde_metadata_read_volume_master_key` function.
Do you know about more fields within the `unencrypted_data` buffer with known values which could be used in improving the reliability of the attack? Currently `version` and `data_size` provide 4 bytes of verification data. Having more known fields with known values would be helpful in reducing false positives encountered during the brute-forcing process.
I noticed many NULL bytes in the `unencrypted_data` buffer but I don't know what they are, and if I can use them safely in conducting the known plaintext attack.
I noticed your comment "TODO improve this check" near the `version` and `data_size` checks in libbde/libbde_metadata.c :-)
https://github.com/kholia/JohnTheRipper/blob/BitLocker/src/bitlocker_fmt_plug.c#L184 shows the known plaintext attack in action.
Thanks for your help.
The entire world apparently calls what BitLocker uses to wrap keys "AES-CCM". Unfortunately, that's not what is actually implemented. The algorithm implemented by `libcaes_crypt_ccm` isn't CCM: it doesn't have a MAC, it doesn't have associated data, and it doesn't use the first keystream block for that. That makes it just AES-CTR.
The only thing "CCM" about it is that the nonce is prepended with a byte of value `15 - (uint8_t) nonce_size - 1` (which CCM does, and is not inherent to CTR mode). There's none of the other bits that would make it compliant with the CCM specification (RFC3610). Crucially, BitLocker key unwrapping can be implemented using a standard AES-CTR implementation (just prepend 0x02 to the nonce), but cannot be implemented using a standard AES-CCM implementation (because there is no way to disable the whole MAC machinery).
I would recommend renaming all mentions of CCM to CTR, to avoid confusion. I just spent a few hours wondering why using PyCryptodome yielded incorrect decryptions of BitLocker wrapped keys. Instead, CTR mode is what you want. In PyCryptodome:
```python
from Crypto.Cipher import AES  # PyCryptodome


def decrypt(p, k):
    # p: the wrapped blob as stored, a 12-byte nonce followed by the ciphertext
    # k: the wrapping key
    nonce = p[:12]
    # CCM-style flags byte: 15 - nonce_len - 1, i.e. 0x02 for a 12-byte nonce
    nonce = bytes([15 - len(nonce) - 1]) + nonce
    aes = AES.new(k, AES.MODE_CTR, nonce=nonce)
    a = aes.decrypt(p[12:])
    return a
```
is the code you'd want to unwrap a BitLocker wrapped key, with `MODE_CTR`, not `MODE_CCM`.
checking that generated files are newer than configure... done
configure: error: conditional "HAVE_WINCRYPT" was never defined.
Usually this means the macro was only invoked conditionally.
In the Mounting manual it says that all you have to do after using bdemount to mount is to do a "loop mount". But it doesn't work on MacOS, the system requires the specification of the type with -t option, and when I do specify, it says "Block device required". What do I do now?
(BTW: Shouldn't those details be described in the Mounting manual page? Is anyone being able to do this loop mount without specifying type? I'm confused...)
It's just a question.
libbde/include/libbde/features.h.in, line 35 in aa1aba1: `libbde_check_volume_signature_file_io_handle` on Windows if I don't define HAVE_LIBBFIO directly.
System is RHEL 7.6
Security Profile - USGCB/STIG
FIPS Enabled
Installed libbde-tools and dependencies from the CERT Forensics Repo
Completed DD image; output file is FILENAME.001
Issuing the command below returns the following error.
Data has been sanitized for posting purposes; the actual recovery key was used.
[root@hostname]# bdemount -r 12345-12345-12345-12345-12345-12345-12345-12345 -o 1026555904 ditto-file.001 /mnt/windows_mount/
bdemount 20181124
Unable to unlock volume.
[root@hostname]#
There was no error during the "yum install libbde-tools" process.
If I use the same recovery key on Win10 - the image file is decrypted without error.
Instead of passing the password as a command line argument, add a password prompt to make sure the password does not end up in logs and so on. This is a low priority since the bdetools are intended as recovery tools mainly.
For additional ideas about protecting the password also see:
https://security.stackexchange.com/questions/29019/are-passwords-stored-in-memory-safe
I am currently working with devices that have been encrypted with BitLocker To Go and I was wondering if it is possible to retrieve certain information after (bde)mounting the device:
Thanks for your time.
libbde version 20220121
For perhaps the first time I have a bunch of 2TB external USB drives I'm trying to image after decrypting.
I used bdemount to create a virtual file (/mnt/bde1). It works great for the first 1,000 GB, but then it fails.
In troubleshooting I tried a simple "od -c -j $((1024 * 1024 * 1024 * 1000)) /mnt/bde1 | less" and it works as expected.
That is a 1000 GB offset -- no problem.
But "od -c -j $((1024 * 1024 * 1024 * 1024)) /mnt/bde1" fails.
This is a 1024 GB offset and it fails with an I/O error.
Any plans to support the XTS-AES mode introduced in Windows 10 Threshold 2 (1511, build 10586)?
Add write support. Has a low priority.
libbde_metadata_entry_read: FVE metadata entry:
00000000: a0 00 02 00 08 00 03 00 ........
libbde_metadata_entry_read: entry size : 160
libbde_metadata_entry_read: entry type : 0x0002 (Volume master key (VMK))
libbde_metadata_entry_read: value type : 0x0008 (Volume master key)
libbde_metadata_entry_read: version : 3
libbde_metadata_entry_read: unsupported FVE metadata entry version.
libbde_metadata_read_entries: unable to read metadata entry.
libbde_metadata_read_block: unable to read metadata header.
libbde_volume_open_read: unable to read primary metadata block.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
Support BDE images without metadata value type 0x000f
I was wondering whether there is a plan to add a Python binding for bdemount so that a Bitlocker image can be directly mounted from Python without using the bdemount binary.
Hello,
It's just a question: is it possible to retrieve the recovery key ID with the pybde library?
Many thanks for your help and all your work, it's so helpful.
Philippe
use size in metadata header to read metadata
Device G has been encrypted with BitLocker, so I use the DOS command
"bdeinfo -p binarydataleo.(bitlocker password) G:" on a Windows 10 system, but it reports an error: "Unable to open: G:.
libcfile_file_open_with_error_code: unable to open file: G: with error: BitLocker".
Is there any help documentation for bdeinfo and bdemount?
Thanks!!!
TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.
So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.
I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with `-k`. Thoughts?
root@1:/home/l/桌面# bdeinfo -p 88888888 /media/l/5BB4-4AE1
bdeinfo 20170902
Unable to open: /media/l/5BB4-4AE1.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Is a directory
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /media/l/5BB4-4AE1.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libbde_io_handle_read_volume_header: unable to read volume header data.
libbde_volume_open_read: unable to read volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
root@1:/home/l/桌面# bdeinfo -p 88888888 /dev/sda1
bdeinfo 20170902
Unable to open: /dev/sda1.
libbde_io_handle_read_volume_header: unsupported volume boot entry point.
libbde_volume_open_read: unable to read volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
root@1:/home/l/桌面#
I try to make it in Windows, but WMI is too slow. Can you do this?
Hello! I get the BitLocker recovery key with `manage-bde -protectors C: -get`. How can I get the BitLocker recovery key in Linux after I unlock the volume?
Remember that metadata entry 0x000b? This is what that is for.
Windows supports auto-unlocking BitLocker fixed volumes (which are unlocked before user login). This works only when the OS drive is itself using BitLocker. It works like this:
`LIBBDE_ENTRY_TYPE_AUTO_UNLOCK_KEY` / `AUTO_UNLOCK_KEY`, yielding an `aes_ccm_encrypted_key`
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock\{volume identifier guid}` and a binary value named `Data` is created with the following format:
So the question here is how should this be implemented in libbde? It involves somewhat complex interaction between two volumes and the registry. The steps would have to be something like this:
Any hints as to what this should look like in libbde? I can give a shot at implementing it once the right way forward is clear.