
Decrypting DDs from Bitlocker-Encrypted Disks during a Digital Forensics Analysis

Hello everyone!  

Following the article on intrusion analysis via TeamViewer that I recently shared on Flu Project, a colleague asked me how to handle forensic cases in which we come across a disk encrypted with BitLocker. In these cases, processing a dd clone is not immediate: tools such as Autopsy do not handle the decryption of these disks (at least not without scripts or plugins), so the disk must be decrypted before it can be loaded into an analysis tool. Luckily, there are already tools we can use for this, and one of the most widely used is bdemount.

There is little to say about bdemount. As its own description states, it mounts a BitLocker Drive Encryption (BDE) encrypted volume. However, we will obviously need to know the password in advance, as well as the offset at which the partition begins. There are ways to recover the BitLocker key from a memory dump with a tool such as Volatility, but I will leave that for future articles.

Once the forensic disk is cloned in dd format, we can list its contents using fdisk -l (encryption does not prevent cloning, so up to this point we should have no major drawbacks):  

The disk may contain several partitions, and the one we want to access may be the encrypted one. You can find out visually with Autopsy itself or with FTK Imager:

Or, if you prefer the terminal, with hexdump:

To tell whether a partition is encrypted with BitLocker, look at its first bytes: you will find the string "-FVE-FS-". Here is a remarkably interesting link with many technical details about BitLocker encryption:

Once the partition is identified, the only thing left to do is mount it in decrypted form. These are the parameters to use (the offset is given in bytes, so the starting sector reported by fdisk is multiplied by the 512-byte sector size):

sudo bdemount -pPASSWORD -o $((512*OFFSET)) forensicsimage.dd /media/destination

Remember that the destination folder must already exist and be writable before mounting.
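As an added example (not code from the original post), the identification and offset calculation above, scripted: it walks the MBR or GPT partition table of a dd image, checks byte 3 of each partition's first sector for "-FVE-FS-", and prints the matching bdemount command with the byte offset. It assumes 512-byte sectors; the image, its partition layout and the PASSWORD placeholder are constructed for the demonstration.

```python
# Added example, not from the original post: find BitLocker partitions in a raw
# dd image by walking the MBR/GPT partition table and checking each partition's
# first sector for "-FVE-FS-" at byte 3. Assumes 512-byte sectors.
import struct

SECTOR = 512
BDE_SIGNATURE = b"-FVE-FS-"

def partition_starts(img: bytes):
    """Yield (index, start_lba) for MBR primary entries or GPT entries."""
    mbr = img[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        return
    entries = [mbr[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if entries[0][4] == 0xEE and img[SECTOR:SECTOR + 8] == b"EFI PART":
        # Protective MBR: read the GPT header at LBA 1 (entry array LBA, count, size)
        table_lba, count, size = struct.unpack_from("<QII", img, SECTOR + 72)
        for i in range(count):
            off = table_lba * SECTOR + i * size
            if img[off:off + 16] != b"\x00" * 16:      # non-empty type GUID
                yield i, struct.unpack_from("<Q", img, off + 32)[0]
        return
    for i, e in enumerate(entries):
        if e[4] != 0:                                   # non-empty MBR type byte
            yield i, struct.unpack_from("<I", e, 8)[0]

def find_bitlocker(img: bytes):
    """Return [(index, start_lba, byte_offset)] for partitions carrying -FVE-FS-."""
    hits = []
    for i, start in partition_starts(img):
        boot = img[start * SECTOR:start * SECTOR + 16]
        if boot[3:11] == BDE_SIGNATURE:
            hits.append((i, start, start * SECTOR))
    return hits

def build_sample_image() -> bytes:
    """Constructed MBR image: plain NTFS at LBA 2048, BitLocker at LBA 4096."""
    img = bytearray(4097 * SECTOR)
    def entry(ptype, start, sectors):
        return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, sectors)
    img[446:462] = entry(0x07, 2048, 2048)
    img[462:478] = entry(0x07, 4096, 1)
    img[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2048 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    img[4096 * SECTOR:4096 * SECTOR + 11] = b"\xeb\x58\x90-FVE-FS-"
    return bytes(img)

if __name__ == "__main__":
    for idx, lba, off in find_bitlocker(build_sample_image()):
        print(f"partition {idx} (LBA {lba}): sudo bdemount -pPASSWORD -o {off} forensicsimage.dd /media/destination")
```

To run it against a real clone, replace build_sample_image() with the file contents read in binary mode (or an mmap of it) and check the GPT entry's type GUID before trusting a hit.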

Now you can work with it as you see fit: you can take another dd of the decrypted partition, analyse it with, for example, the Linux version of Autopsy, extract specific files such as the access logs of a given application, and so on.

In addition to bdemount, you can also use other tools such as Dislocker to decrypt a BitLocker-encrypted partition. Dislocker is available among Kali's tools. Here is an interesting post by Stefan Rows in which he not only explains how to install and use Dislocker, but also details how to prepare an auto-mount script:

Finally, and to bring you some more reading on Bitlocker decryption for this week, here is a Twitter thread that I found thanks to DragonJAR:

A gem of a thread by Jon Aubrey, in which he shows how he managed to decrypt an encrypted laptop (in fact with Dislocker), extracting the key at the hardware level with a Saleae analyzer:

I'm sure this thread will keep you "playing" for a while with any laptop you may have at hand :)

I hope you found this article interesting.