{"id":13511088,"url":"https://github.com/elceef/bitlocker","last_synced_at":"2025-08-21T06:30:39.589Z","repository":{"id":65536201,"uuid":"45672997","full_name":"elceef/bitlocker","owner":"elceef","description":"Volatility Framework plugin for extracting BitLocker FVEK (Full Volume Encryption Key)","archived":false,"fork":false,"pushed_at":"2016-05-16T22:04:41.000Z","size":9,"stargazers_count":223,"open_issues_count":0,"forks_count":43,"subscribers_count":21,"default_branch":"master","last_synced_at":"2024-12-06T07:23:12.284Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elceef.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-06T09:38:23.000Z","updated_at":"2024-11-22T12:22:21.000Z","dependencies_parsed_at":"2023-01-28T00:25:20.900Z","dependency_job_id":null,"html_url":"https://github.com/elceef/bitlocker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elceef%2Fbitlocker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elceef%2Fbitlocker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elceef%2Fbitlocker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elceef%2Fbitlocker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elceef","download_url":"https://codeload.github.com/elceef/bitlocker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_c
ount":230494921,"owners_count":18235046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T03:00:34.247Z","updated_at":"2024-12-19T20:08:04.846Z","avatar_url":"https://github.com/elceef.png","language":"Python","funding_links":[],"categories":["Volatility 2","\u003ca id=\"4d2a33083a894d6e6ef01b360929f30a\"\u003e\u003c/a\u003eVolatility"],"sub_categories":["Plugins"],"readme":"Volatility Framework: bitlocker\n===============================\n\nThis plugin finds and extracts Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files. This allows rapid unlocking of systems that had BitLocker encrypted volumes mounted at the time of acquisition.\n\nSupported memory images:\n- Windows 10 (*work in progress*)\n- Windows 8.1\n- Windows Server 2012 R2\n- Windows 8\n- Windows Server 2012\n- Windows 7\n- Windows Server 2008 R2\n- Windows Server 2008\n- Windows Vista\n\n\nExample case - Windows 7 SP1 x64\n--------------------------------\n\n*Evidence: Raw HDD image*\n\n**1) Determine partition layout and identify BitLocker volume**\n\n```console\nelceef@cerebellum:~$ fdisk -l john_win7_x64.dd\nDisk john_win7_x64.dd: 298.1 GiB, 320072933376 bytes, 625142448 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: dos\nDisk identifier: 0x51c47769\n\nDevice                    Boot     Start       End   Sectors   Size Id Type\njohn_win7_x64.dd1 *         2048   1050623   1048576   512M  7 HPFS/NTFS/exFAT\njohn_win7_x64.dd2        
1050624 316475391 315424768 150.4G  7 HPFS/NTFS/exFAT\njohn_win7_x64.dd3      316475392 625137663 308662272 147.2G  7 HPFS/NTFS/exFAT\n```\n\nThe last one, starting from sector 316475392, is BitLocker protected. This can be verified by looking at the filesystem header: volumes encrypted with BitLocker have a different signature than the standard NTFS header. A BitLocker encrypted volume starts with the \"-FVE-FS-\" signature.\n\n```console\nelceef@cerebellum:~$ hexdump -C -s $((512*316475392)) -n 16 john_win7_x64.dd\n25ba100000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|\n```\n\n**2) Locate and convert hibernation file**\n\nMount the system volume starting from sector 1050624 in read-only mode.\n\n```console\nelceef@cerebellum:~$ sudo mount -o loop,ro,offset=$((512*1050624)) john_win7_x64.dd /mnt/1\n```\n\nConvert the hibernation file *hiberfil.sys* for further forensic analysis.\n\n```console\nelceef@cerebellum:~$ vol -f /mnt/1/hiberfil.sys --profile Win7SP1x64 imagecopy -O hiberfil.raw\n```\n\n**3) Use the bitlocker plugin to extract FVEK**\n\nThe plugin scans the memory image for BitLocker cryptographic allocations (memory pools) and extracts AES keys (FVEK).\n\n```console\nelceef@cerebellum:~$ vol -f hiberfil.raw --profile Win7SP1x64 bitlocker\nVolatility Foundation Volatility Framework 2.5\n\nAddress : 0xfa8009958c10\nCipher  : AES-256\nFVEK    : d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1\nTWEAK   : 49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3\n\n```\n\n**4) Decrypt and access the volume**\n\nDecrypt the volume on-the-fly using the previously extracted FVEK.\n\n```console\nelceef@cerebellum:~$ sudo bdemount -k d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba32a57cd1:49f9ecd5ddffcae44cde7f7a578b9a3ca5e79087826779e147de89423ebdf3f3 -o $((512*316475392)) john_win7_x64.dd /crypt/1\n```\n\nFinally, mount and access the filesystem.\n\n```console\nelceef@cerebellum:~$ sudo mount -o loop,ro /crypt/1/bde1 /mnt/2\nelceef@cerebellum:~$ ls /mnt/2\nCONFIDENTIAL\n```\n\n\nExample case - Windows 8.1 x86\n------------------------------\n\n*Evidence: Raw memory image*\n\nWindows 8 and newer versions use Cryptography API: Next Generation (CNG), which creates many dynamically allocated memory pools. For this reason, the keys are often found in several places in memory.\n\n```console\nelceef@cerebellum:~$ vol -f john_win81_x86.raw --profile Win81U1x86 bitlocker\nVolatility Foundation Volatility Framework 2.5\n\nAddress : 0x872db068\nCipher  : AES-128\nFVEK    : 48286dcd34d3ff215d705d68c5df4f08\n\nAddress : 0x9ef55b08\nCipher  : AES-128\nFVEK    : 48286dcd34d3ff215d705d68c5df4f08\n\nAddress : 0xa4748b08\nCipher  : AES-128\nFVEK    : 48286dcd34d3ff215d705d68c5df4f08\n\n```\n\n\nContact\n-------\n\nTo send questions, comments or a chocolate, just drop an e-mail at\n[marcin@ulikowski.pl](mailto:marcin@ulikowski.pl)\n\nYou can also reach me via:\n\n- Twitter: [@elceef](https://twitter.com/elceef)\n- LinkedIn: [Marcin Ulikowski](https://pl.linkedin.com/in/elceef)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felceef%2Fbitlocker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felceef%2Fbitlocker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felceef%2Fbitlocker/lists"}