libbde's Issues

FVE metadata entry version is not 1

Hi,
Excuse me, I have a question:
When running the program, it prompts me “unable to read from file IO handle”. Then, by debugging the code, I found that the version of the FVE metadata entry is 3. Is this version not supported?
Thanks.

Issue opening volume (tweak key value too small)

I am experiencing difficulties with libbde (and by extension, plaso) when opening a Bitlocker-encrypted partition. In fact, the same problem occurs with both encrypted partitions on the drive.

Without giving a recovery key, bdeinfo prints the following:

[root@machine ewfmount]# bdeinfo -o 1047527424 ewf1 
bdeinfo 20180929

BitLocker Drive Encryption information:
	Encryption method		: AES-XTS 256-bit
	Volume identifier		: <redacted>
	Creation time			: Aug 09, 2018 11:35:38.295965800 UTC
	Description			: <redacted> SYSTEM 9. 8. 2018
	Number of key protectors	: 12

<Key identifiers>*12

When I supply the (verified correct) recovery key, I get:

[root@machine ewfmount]# bdeinfo -o 1047527424 -r <Redacted> ewf1 
bdeinfo 20180929

Unable to open: ewf1.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Unfortunately I cannot supply the image. I can correctly mount and open the volume on a Windows 10 machine, but not on a Windows 7 machine.

Is there anything I can do to help locate the issue?

Python binding for mount tools?

I was wondering whether there is a plan to add a Python binding for bdemount so that a Bitlocker image can be directly mounted from Python without using the bdemount binary.

bde_test_metadata fails in

On a number of architectures, libbde failed to build due to crashes in the test suite, see https://buildd.debian.org/status/logs.php?pkg=libbde&ver=20170204-1.

I decided to take a closer look on i386:

$ LD_LIBRARY_PATH=../libbde/.libs/ gdb ./.libs/bde_test_metadata
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./.libs/bde_test_metadata...done.
(gdb) run
Starting program: /home/bengen/p/deb/plaso/libbde/tests/.libs/bde_test_metadata 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xb7ebfea4 in libcdata_array_free (array=0x8000608c, 
    entry_free_function=0xb7eb2d6a <libbde_metadata_entry_free>, error=0x0)
    at libcdata_array.c:252
(gdb) p internal_array
$1 = (libcdata_internal_array_t *) 0x49
(gdb) bt
#0  0xb7ebfea4 in libcdata_array_free (array=0x8000608c, 
    entry_free_function=0xb7eb2d6a <libbde_metadata_entry_free>, error=0x0)
    at libcdata_array.c:252
#1  0xb7eae94e in libbde_metadata_initialize (metadata=0xbfffed0c, 
    error=0xbfffed08) at libbde_metadata.c:145
#2  0x80001061 in bde_test_metadata_initialize () at bde_test_metadata.c:182
#3  0x80002d31 in main (argc=1, argv=0xbfffede4) at bde_test_metadata.c:1110
(gdb) 

I was reminded of the bug I reported against libbfio (libyal/libbfio#2) so I just went ahead and disabled the memory tests altogether when building the Debian package.

Unable to mount bitlocker hdd from Freebsd

Hello, I am having difficulty using bdemount, and I am new to Unix-like systems, so if this is due to inability on my part I apologize. If you can help me to gain access to BitLocker it would be greatly appreciated; this is what I get from:

root@home:/usr/home/bitlocker # sudo dd if=/dev/da0s1 bs=4096 count=1 | hexdump -Cv
1+0 records in
1+0 records out
4096 bytes transferred in 0.001828 secs (2241307 bytes/sec)

and this is typical of the output I get when trying bdemount:

root@home:/usr/home # bdemount -p ******** /dev/da0s1 /media/da0s1/
bdemount 20191221

Unable to open source volume
libbde_io_handle_read_volume_header: unsupported volume boot entry point.
libbde_volume_open_read: unable to read volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.

Thank you for your time

How do I use bdeinfo on a Windows volume?

Device G has been encrypted with BitLocker, so I use the DOS command
“bdeinfo -p binarydataleo.(bitlocker password) G:” on a Windows 10 system, but it reports an error: "Unable to open: G:.
libcfile_file_open_with_error_code: unable to open file: G: with error: BitLocker".
Is there any help documentation for bdeinfo and bdemount?
Thanks!!!

how to use

I have downloaded the “libbde-alpha-20190317.tar.gz” software and installed it through setup.py in the Kali Linux system environment. How can I use this software under Kali Linux? Do you have software instructions?

Gather information about mounted devices

I am currently working with devices that have been encrypted with BitlockerToGo and I was wondering if it is possible to gather certain information after (bde)mounting the device:

  • Is there any way to check if a device has already been mounted via bdemount?
  • Is it possible to determine the device a bdemount originated from?

Thanks for your time.

Add support for metadata version 3

libbde_metadata_entry_read: FVE metadata entry:
00000000: a0 00 02 00 08 00 03 00                            ........

libbde_metadata_entry_read: entry size                                  : 160
libbde_metadata_entry_read: entry type                                  : 0x0002 (Volume master key (VMK))
libbde_metadata_entry_read: value type                                  : 0x0008 (Volume master key)
libbde_metadata_entry_read: version                                     : 3

libbde_metadata_entry_read: unsupported FVE metadata entry version.
libbde_metadata_read_entries: unable to read metadata entry.
libbde_metadata_read_block: unable to read metadata header.
libbde_volume_open_read: unable to read primary metadata block.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volum

libcaes_crypt_set_key: unsupported key bit size

Hi developers,

Although it seems to be no bug in the proper sense, I would like you to have an eye on this case:
I have a Windows 10 SD, system partition, that I am not able to mount because of the above error. Does anyone know if this is Microsoft's fault? The second disc (hdd) can be decrypted just fine with this great tool. Does Microsoft use different key sizes??? For what reasons? Thanks a lot!

unable to open partially encrypted volume with pybde?

I tried to open an image of a hard drive, which I believe to be half-way encrypted, using python. Unfortunately pybde refuses to open it.

import pybde
print(pybde.get_version())
# 20200724

try:
    bde_volume = pybde.volume()
    bde_volume.open("/mnt/e/image.raw")
    bde_volume.close()
except Exception as e:
    print(e)
# pybde_volume_open: unable to open volume. libbde_io_handle_read_volume_header: unsupported volume boot entry point. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle. libbde_volume_open: unable to open volume: /mnt/e/image.raw.

try:
    file_object = open("/mnt/e/image.raw", "rb")
    bde_volume = pybde.volume()
    bde_volume.open_file_object(file_object)
    bde_volume.close()
except Exception as e:
    print(e)
# pybde_volume_open_file_object: unable to open volume. libbde_io_handle_read_volume_header: unsupported volume boot entry point. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.

I manually verified that there is an intact BitLocker volume header starting at offset 1048576 (dec):

eb 58 90 2d 46 56 45 2d 46 53 2d 00 10 40 20 00 00 00 00 00 00 f8 00 00 3f 00 ff 00 3f 00 00 00 20 09 aa 2b e0 1f 00 00 00 00 00 00 00 00 00 00 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 29 00 00 00 00 4e 4f 20 4e 41 4d 45 20 20 20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 7b 8e c1 8e d9 bd 00 7c a0 fb 7d b4 7d 8b f0 ac 98 40 74 0c 48 74 0e b4 0e bb 07 00 cd 10 eb ef a0 fd 7d eb e6 cd 16 cd 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 4d a8 92 80 dd 0e 4d 9e 4e b1 e3 28 4e ae d8 00 20 7f 53 08 00 00 00 00 20 87 53 08 00 00 00 00 20 8b 53 08 00 00 00 00 20 9f 53 08 00 00 00 00 20 a3 53 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 0a 52 65 6d 6f 76 65 20 64 69 73 6b 73 20 6f 72 20 6f 74 68 65 72 20 6d 65 64 69 61 2e ff 0d 0a 44 69 73 6b 20 65 72 72 6f 72 ff 0d 0a 50 72 65 73 73 20 61 6e 79 20 6b 65 79 20 74 6f 20 72 65 73 74 61 72 74 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1f 2c 55 aa

Is there anything I can do to further narrow down the problem? Or is this simply not supported by the library?

libbde does not work with Windows 10 out of the box

I haven't done a lot of digging into the actual issue, but BitLocker for Windows 10 is different and adjustments will need to be made to libbde. I have a test image you can use, and will look into it soon-ish(?). What this issue lacks in detail to fix it, it makes up for in providing ample notice of a new "feature".

$ bdeinfo -r -o $((512*1411072)) desk-base.dd
bdeinfo 20160418

Unable to open: desk-base.dd.
libbde_metadata_entry_read: unsupported FVE metadata entry version.
libbde_volume_master_key_read: unable to read property metadata entry.
libbde_metadata_read_entries: unable to read volume master key.
libbde_metadata_read_block: unable to read metadata header.
libbde_volume_open_read: unable to read primary metadata block.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

How to have pybde read from raw image with a volume offset?

Wish I could label this a question instead of an issue. What I have is a full disk image. While I can pull out the BitLocker partition, I'd prefer to just hand libbde the offset. I'm actually not even trying to mount the thing in general, but just use libbde to pull out parts of BitLocker's data that I need. Every time I try to give libbde the full disk image, it appears to fail, thinking that it isn't the correct type. Maybe you can suggest another way? Seeking to the offset of the BitLocker partition in a file object doesn't seem to work either. I'm working on a standalone machine, so it's difficult to provide much data, but I get the following error, if it helps:

OSError: pybde_volume_open_file_object: unable to open volume. libbde_volume_header_read_data: unsupported volume boot entry point. libbde_volume_header_read_file_io_handle: unable to read volume header data. libbde_internal_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.

According to that, it would seem that I can't actually read the file, but as I own the file, I'm unsure what is going on.
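For the question above, an added example (not from the original post or the libbde project): a read-only file-like window that maps offset 0 to the start of the partition inside a full disk image. `PartitionWindow`, `build_sample_image` and `demo` are hypothetical names, the sample image is constructed, and the set of methods the Python bindings call on a file object (`read`, `seek`, `tell`, `get_size`) is an assumption.

```python
import io
import os


class PartitionWindow:
    """Read-only view of bytes [start, start + size) of a seekable file object.

    Offset 0 of the window is the first byte of the partition, so a parser
    that seeks to absolute offset 0 lands on the volume header.
    """

    def __init__(self, base, start, size=None):
        base.seek(0, os.SEEK_END)
        total = base.tell()
        if size is None:
            size = total - start
        if start < 0 or size < 0 or start + size > total:
            raise ValueError("window lies outside the underlying image")
        self._base, self._start, self._size, self._pos = base, start, size, 0

    def get_size(self):
        return self._size

    def tell(self):
        return self._pos

    def seek(self, offset, whence=os.SEEK_SET):
        if whence == os.SEEK_SET:
            target = offset
        elif whence == os.SEEK_CUR:
            target = self._pos + offset
        elif whence == os.SEEK_END:
            target = self._size + offset
        else:
            raise ValueError("unsupported whence value")
        if target < 0:
            raise ValueError("negative seek position")
        self._pos = target
        return target

    def read(self, size=-1):
        remaining = max(self._size - self._pos, 0)
        if size is None or size < 0 or size > remaining:
            size = remaining  # never read past the end of the partition
        self._base.seek(self._start + self._pos)
        data = self._base.read(size)
        self._pos += len(data)
        return data


# Constructed sample: 1 MiB of filler, then one 512-byte sector that starts
# with the 11 header bytes quoted in the report above (eb 58 90 "-FVE-FS-").
HEADER_START = bytes.fromhex("eb58902d4656452d46532d")
PARTITION_OFFSET = 1048576


def build_sample_image():
    sector = HEADER_START + bytes(512 - len(HEADER_START))
    return io.BytesIO(bytes(PARTITION_OFFSET) + sector)


def demo():
    window = PartitionWindow(build_sample_image(), PARTITION_OFFSET)
    first = window.read(len(HEADER_START))
    window.seek(3)
    signature = window.read(8)
    return first, signature, window.get_size()


# With the bindings installed, the window would be handed over like this
# (assumed usage, not exercised here):
#   volume = pybde.volume()
#   volume.open_file_object(PartitionWindow(open("disk.raw", "rb"), 1048576))

if __name__ == "__main__":
    print(demo())
```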

bdemount: Unable to open volume with 512-bit FVEK (AES-XTS 256-bit)

So with XTS128 it appears to work correctly. I can concatenate two 128-bit keys together to create a 256-bit key expected for XTS type encryption. (Strangely, it only works when the ":" that separates the FVEK:TWEAK keys is missing.)


$ bdeinfo bitlockerXTS128.001 
bdeinfo 20190102

BitLocker Drive Encryption information:
	Encryption method		: AES-XTS 128-bit
	Volume identifier		: 09db8c9f-2b29-4bfc-97a9-937a85fc0e40
	Creation time			: Mar 26, 2021 09:55:58.734711900 UTC
	Description			: WINDOZE10 C: 26/03/2021
	Number of key protectors	: 2

Key protector 0:
	Identifier			: aa8831c2-2479-463f-ba2b-23470b001aec
	Type				: Password

Key protector 1:
	Identifier			: 451550f8-adcf-4847-b440-56b0045c2521
	Type				: Recovery password

Unable to unlock volume.
$ sudo bdemount -k 7a30be33e349e836fe47c9e749e05c80:54802aaf12307dd661caaec338616dfa bitlockerXTS128.001 /mnt
[sudo] password for user: 
bdemount 20190102

Unable to open source volume
libbde_io_handle_read_unencrypted_volume_header: unable to determine volume size.
libbde_volume_open_read: unable to read unencrypted volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
$ sudo bdemount -k 7a30be33e349e836fe47c9e749e05c8054802aaf12307dd661caaec338616dfa bitlockerXTS128.001 /mnt
bdemount 20190102

$ sudo ls /mnt
bde1
$ sudo head /mnt/bde1|xxd

but if I try the same with XTS256 it reports invalid tweak key value too small.

examples:

$ bdeinfo bitlockerXTS256.001 
bdeinfo 20190102

BitLocker Drive Encryption information:
	Encryption method		: AES-XTS 256-bit
	Volume identifier		: f8475fb2-7412-4e4d-8c7a-59149808f3f1
	Creation time			: Mar 26, 2021 13:29:19.015861500 UTC
	Description			: WINDOZE10 C: 26/03/2021
	Number of key protectors	: 2

Key protector 0:
	Identifier			: 08e27b20-ed28-4434-b397-eec669f875e6
	Type				: Password

Key protector 1:
	Identifier			: c94cde1b-cead-4f38-9cc8-2d40137a16cc
	Type				: Recovery password

Unable to unlock volume.
$ sudo bdeinfo -k 66e8ff9c9b431620f435d353c82cede23018a6f6a8235bb349bc02807bd418422f45d3bdb406c59d403316ce881ffb2cf4d8a9875cfbf2341547f0b46e93e8f6 bitlockerXTS256.001 /mnt
[sudo] password for user: 
bdeinfo 20190102

Unable to open: bitlockerXTS256.001.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
$ sudo bdeinfo -k 66e8ff9c9b431620f435d353c82cede23018a6f6a8235bb349bc02807bd41842:2f45d3bdb406c59d403316ce881ffb2cf4d8a9875cfbf2341547f0b46e93e8f6 bitlockerXTS256.001 /mnt
bdeinfo 20190102

Unable to open: bitlockerXTS256.001.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
$

Is this a fault with libbde or user error?

What is Key Protector Type 0x500?

I recently came across an image for which bdeinfo did not recognize the key protector type, 0x500.

Could this mean that LIBBDE_KEY_PROTECTION_TYPE_TPM (0x100) is combined with 0x400 for something else, maybe a start-up PIN?

How to loop mount mounted BDE volume on Mac OS?

In the Mounting manual it says that all you have to do after using bdemount to mount is to do a "loop mount". But it doesn't work on MacOS, the system requires the specification of the type with -t option, and when I do specify, it says "Block device required". What do I do now?

(BTW: Shouldn't those details be described in the Mounting manual page? Is anyone able to do this loop mount without specifying the type? I'm confused...)

CCM key unwrapping does not validate tag and returns 16 bytes of garbage header

The entire world apparently calls what BitLocker uses to wrap keys "AES-CCM". Unfortunately, that's not what is actually implemented. The algorithm implemented by libcaes_crypt_ccm isn't CCM: it doesn't have a MAC, it doesn't have associated data, and it doesn't use the first keystream block for that. That makes it just AES-CTR.

The only thing "CCM" about it is that the nonce is prepended with a byte of value 15 - (uint8_t) nonce_size - 1 (which CCM does, and is not inherent to CTR mode). There's none of the other bits that would make it compliant with the CCM specification (RFC3610). Crucially, BitLocker key unwrapping can be implemented using a standard AES-CTR implementation (just prepend 0x02 to the nonce), but cannot be implemented using a standard AES-CCM implementation (because there is no way to disable the whole MAC machinery).

I would recommend renaming all mentions of CCM to CTR, to avoid confusion. I just spent a few hours wondering why using PyCryptodome yielded incorrect decryptions of BitLocker wrapped keys. Instead, CTR mode is what you want. In PyCryptodome:

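```python
from Crypto.Cipher import AES


def decrypt(p, k):
    # p: 12-byte nonce followed by the wrapped data; k: the AES key
    nonce = p[:12]
    # Prepend the CCM-style length byte (15 - nonce_size - 1, i.e. 0x02)
    nonce = bytes([15 - len(nonce) - 1]) + nonce
    aes = AES.new(k, AES.MODE_CTR, nonce=nonce)
    a = aes.decrypt(p[12:])
    return a
```

is the code you'd want to unwrap a BitLocker wrapped key, with MODE_CTR, not MODE_CCM.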

Ask for help

It is really a big problem for a freshman to read such a large amount of code. So would you please add some descriptions about the lib? Plz Plz Plz. Because it's so hard to do integration testing without knowing what the functions mean. An excessive request from a code noob. Thanks a lot.

TPM key?

Can partitions encrypted with bitlocker and locked with TPM key (only) from Windows 7 be unlocked - obviously if still in the original machine 8)

Cheers

Jasper

BDE spec: Didn't mention "COV 0001. ER", etc.

Hello. May I suggest one improvement of the BDE spec?
I have recently been experimenting with BitLocker encryption of FAT32 volumes, and I found my "discovery volume" contains "COV 0001. ER" and such for encrypted data.

For example, from an ls -l output when mounted in Linux:

...
-r--r--r-- 1 root root      32768 Mar 30  2018 COV\ 0000.\ BL*
-r--r--r-- 1 root root 4294934528 Mar 30  2018 COV\ 0000.\ ER*
-r--r--r-- 1 root root 4294934528 Mar 30  2018 COV\ 0001.\ ER*
-r--r--r-- 1 root root 4294934528 Mar 30  2018 COV\ 0002.\ ER*
-r--r--r-- 1 root root 3146153984 Mar 30  2018 COV\ 0003.\ ER*
...

It looks like each . ER file has a maximum size of 4294934528 bytes (4 GiB - 32768 bytes).
The existence of multiple . ER files and their size limit is not mentioned in the specification.

By the way, I encrypted this drive in Windows 10 version 1703. It's a 16 GB USB flash drive with a single FAT32 volume; partition table is MBR.

Extending the existing known-plaintext-attack on version and data_size fields

Hi,

I am writing a John the Ripper jumbo plugin to brute-force password protected BitLocker volumes. My project is heavily based on your libbde project.

My brute-force method uses a known plaintext attack on the decrypted contents of metadata->password_volume_master_key->aes_ccm_encrypted_key->data. Specifically, the version has to be 1 and data_size has to be 0x2c. This stuff is in the libbde_metadata_read_volume_master_key function.

Do you know about more fields within the unencrypted_data buffer with known values which could be used in improving the reliability of the attack? Currently version and data_size provide 4 bytes of verification data. Having more known fields with known values would be helpful in reducing false positives encountered during the brute-forcing process.

I noticed many NULL bytes in the unencrypted_data buffer but I don't know what they are, and if I can use them safely in conducting the known plaintext attack.

I noticed your comment "TODO improve this check" near the version and data_size checks in libbde/libbde_metadata.c :-)

https://github.com/kholia/JohnTheRipper/blob/BitLocker/src/bitlocker_fmt_plug.c#L184 shows the known plaintext attack in action.

Thanks for your help.

Implement FVEAutoUnlock key unwrapping

Remember that metadata entry 0x000b? This is what that is for.

Windows supports auto-unlocking BitLocker fixed volumes (which are unlocked before user login). This works only when the OS drive is itself using BitLocker. It works like this:

  1. The OS drive gets a 0x000b metadata key entry, which is wrapped with its VMK in the same way the FVEK is. Let's call this the LIBBDE_ENTRY_TYPE_AUTO_UNLOCK_KEY
  2. When a secondary fixed drive is configured to auto unlock, a new VMK record is created in the secondary metadata of the "Startup key" type (name: ExternalKey). This uses a new key to wrap the VMK for the secondary volume.
  3. That new key is subsequently wrapped with the OS drive's AUTO_UNLOCK_KEY, yielding an aes_ccm_encrypted_key
  4. A registry key is created at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock\{volume identifier guid} and a binary value named Data is created with the following format:
  • uint32_t length; // 0x70
  • uint32_t unknown; // 0x9 here
  • GUID vmk_identifier // GUID identifier of the VMK slot in the secondary drive
  • aes_ccm_encrypted key (standard metadata format: u16 size=80; u16 type=0; u16 valuetype=5; u16 version=1; u8 nonce[12]; u8 tag[16]; u8 ciphertext[...])

So the question here is how should this be implemented in libbde? It involves somewhat complex interaction between two volumes and the registry. The steps would have to be something like this:

  • Extract the plaintext AUTO_UNLOCK_KEY from the OS volume (e.g. new bdeinfo feature?)
  • Use bdemount on the OS volume, and then use e.g. the chntpw toolset to inspect the SYSTEM registry and extract the FVEAutoUnlock key
  • Feed both the AUTO_UNLOCK_KEY from the OS volume and the extracted FVEAutoUnlock blob from the registry into libbde, plus the secondary volume. libbde would then have all the information needed to mount the secondary volume, decrypting the FVEAutoUnlockBlob and using the result to decrypt the VMK and finally the volume's FVEK.

Any hints as to what this should look like in libbde? I can give a shot at implementing it once the right way forward is clear.
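The registry blob layout listed in step 4 above, as an added parsing example (not code from the issue or from libbde). Little-endian byte order and the Windows mixed-endian GUID encoding are assumptions, `AutoUnlockBlob`, `parse_auto_unlock_blob` and `build_sample_blob` are hypothetical names, and the sample blob is constructed with placeholder bytes.

```python
import struct
import uuid
from dataclasses import dataclass

# Field order as listed in the issue; little-endian is an assumption.
BLOB_HEADER = struct.Struct("<II16s")   # length, unknown, vmk_identifier
ENTRY_HEADER = struct.Struct("<HHHH")   # size, type, valuetype, version
NONCE_SIZE = 12
TAG_SIZE = 16
VALUE_TYPE_AES_CCM_KEY = 5


@dataclass
class AutoUnlockBlob:
    length: int              # reported as stored; the issue does not say what it covers
    unknown: int
    vmk_identifier: uuid.UUID
    entry_size: int
    nonce: bytes
    tag: bytes
    ciphertext: bytes


def parse_auto_unlock_blob(data: bytes) -> AutoUnlockBlob:
    if len(data) < BLOB_HEADER.size + ENTRY_HEADER.size:
        raise ValueError("blob too short for the fixed headers")
    length, unknown, guid_raw = BLOB_HEADER.unpack_from(data, 0)
    start = BLOB_HEADER.size
    size, entry_type, value_type, version = ENTRY_HEADER.unpack_from(data, start)
    if (entry_type, value_type, version) != (0, VALUE_TYPE_AES_CCM_KEY, 1):
        raise ValueError("not an aes_ccm_encrypted_key metadata entry")
    # Bound the entry by its own size field before slicing anything out of it.
    minimum = ENTRY_HEADER.size + NONCE_SIZE + TAG_SIZE
    if size < minimum or start + size > len(data):
        raise ValueError("entry size field is out of bounds")
    body = data[start + ENTRY_HEADER.size:start + size]
    return AutoUnlockBlob(
        length=length,
        unknown=unknown,
        vmk_identifier=uuid.UUID(bytes_le=guid_raw),
        entry_size=size,
        nonce=body[:NONCE_SIZE],
        tag=body[NONCE_SIZE:NONCE_SIZE + TAG_SIZE],
        ciphertext=body[NONCE_SIZE + TAG_SIZE:],
    )


# Constructed sample: header values from the issue (0x70, 0x9), a made-up GUID
# and placeholder nonce/tag/ciphertext bytes filling an 80-byte entry.
SAMPLE_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")


def build_sample_blob() -> bytes:
    entry_body = b"\x11" * NONCE_SIZE + b"\x22" * TAG_SIZE + b"\x33" * 44
    entry = ENTRY_HEADER.pack(80, 0, VALUE_TYPE_AES_CCM_KEY, 1) + entry_body
    return BLOB_HEADER.pack(0x70, 0x9, SAMPLE_GUID.bytes_le) + entry


if __name__ == "__main__":
    blob = parse_auto_unlock_blob(build_sample_blob())
    print(blob.vmk_identifier, len(blob.nonce), len(blob.tag), len(blob.ciphertext))
```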

handle corrupt metadata

  • when reading metadata flag if corrupt
  • do not use metadata if corrupt
  • only error if all 3 metadata areas are corrupt

Unable to read past 1TiB?

libbde version 20220121

For perhaps the first time I have a bunch of 2TB external USB drives I'm trying to image after decrypting.

I used bdemount to create a virtual file (/mnt/bde1). It works great for the first 1,000 GB, but then it fails.

In troubleshooting I tried a simple "od -c -j $((1024 * 1024 * 1024 * 1000)) /mnt/bde1 | less" and it works as expected.

That is a 1000 GB offset -- no problem.

But "od -c -j $((1024 * 1024 * 1024 * 1024)) /mnt/bde1" fails.

This is a 1024 GB offset and it fails with an I/O error.

Look into recovery

Use cases:

  • partially overwritten BDE encrypted volume, maybe 1 or 2 BDE metadata areas still available

libcstring and libcsystem missing in synclibs.sh

Hello,

it seems that the current version of synclibs.sh misses the two libs libcsystem and libcstring inside the LOCAL_LIBS parameter. That causes autogen.sh and configure to fail.

By the way: I can confirm that libbde supports BDE partitions made with Windows 8.1 too.

Implement TPM wrapped keys

TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.

So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.

I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with -k. Thoughts?

1 terabyte partition limit?

Hi,

I am using libbde DLL (version 20190701) to decrypt a 1.8 TB bitlocker partition (1984698515456 bytes).

When the libbde_volume_read_buffer method arrives at offset 1099511627776 (0x10000000000), an error occurs as follows:

--------------------------------------------------------------------------------------------
error_backtrace:
libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x10000000000.
libbde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 1099511627776.
libbde_volume_read_buffer: unable to read buffer.

debug:
libfdata_vector_get_element_value_by_index: cache: 0x4569dc98 hit
libfdata_vector_get_element_index_at_offset: requested offset: 0x10000000000
libfdata_vector_get_element_index_at_offset: segment: 000	mapped range: 0x00000000 - 0x1ce19400000 (size: 1984698515456)
libfdata_vector_get_element_index_at_offset: segment: 000	file index: 000 offset: 0x00000000 - 0x1ce19400000 (size: 1984698515456)
-------------------------------------------------------------------------------------------

The 'element index' has value of 0x80000000

Is there a limitation to read bytes at addresses above 1099511627776 bytes? Is there any alternative configuration?

Thanks!

New XTS-AES mode

Any plans to support the XTS-AES mode introduced in Windows 10 Threshold 2 (1511 build 10586)?

Feature Request: show FVEK on mount with passphrase

Dear all,

when mounting a bitlocker encrypted partition using bdemount and the correct passphrase, we would like to dump/extract/see the FVEK. The reasoning for this is that we want to have the correct FVEK as a reference when doing testing on RAM dumps.

Is there an easy way to do this using bdemount/bdeinfo?

Thank you in advance for any help.

Best Regards
Dennis

How to use libbde_volume_open?

About libbde_volume_open: what is the filename parameter?

const char *filename="F:\\";
	result = libbde_volume_open(
		volume,
		filename,
		LIBBDE_OPEN_READ,
		&error);	
	if (result != 1) {
		libbde_error_fprint(error, stderr);
		libbde_error_free(&error);
		return 0;
	}

It has been failing: libbde_volume_open: unable to set filename in file IO handle.

Please help analyze the problem

root@1:/home/l/桌面# bdeinfo -p 88888888 /media/l/5BB4-4AE1
bdeinfo 20170902

Unable to open: /media/l/5BB4-4AE1.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Is a directory
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /media/l/5BB4-4AE1.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libbde_io_handle_read_volume_header: unable to read volume header data.
libbde_volume_open_read: unable to read volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
root@1:/home/l/桌面# bdeinfo -p 88888888 /dev/sda1
bdeinfo 20170902

Unable to open: /dev/sda1.
libbde_io_handle_read_volume_header: unsupported volume boot entry point.
libbde_volume_open_read: unable to read volume header.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
root@1:/home/l/桌面#

Missing identifier for Bitlocker Used Disk Space Only encryption

Hi,

Currently I am experiencing an issue with a BitLocker image. Here is the output, including debug info:
bitlocker output.txt

I noticed that the problem appears in the libbde_io_handle_read_volume_header function in libbde_io_handle.c, in the BitLocker identifier checking logic. I tried to ignore the checks and set io_handle->version to LIBBDE_VERSION_WINDOWS_7. This helped to decrypt the partition. Is it just a new BitLocker identifier that is stored in those 16 bytes, or is the problem much deeper?

Thank you!

Unable to unlock volume: multiple recovery passwords

System is RHEL 7.6
Security Profile - USGCB/STIG
FIPS Enabled

Installed libbde-tools and dependencies from the CERT Forensics Repo.

Completed DD image - output file is FILENAME.001.
Issuing the command below returns the following error.
Data has been sanitized for posting purposes; the actual recovery key was used.

[root@hostname]# bdemount -r 12345-12345-12345-12345-12345-12345-12345-12345 -o 1026555904 ditto-file.001 /mnt/windows_mount/
bdemount 20181124

Unable to unlock volume.
[root@hostname]#

There was no error during the "yum install libbde-tools" process.
If I use the same recovery key on Win10 - the image file is decrypted without error.
