libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

Missing identifier for Bitlocker Used Disk Space Only encryption #39

Open bulhakov-adf opened 5 years ago

bulhakov-adf commented 5 years ago

Hi,

Currently I am experiencing the issue with Bitlocker image. Here is an output including debug info: bitlocker output.txt

I noticed that the problem appears in the libbde_io_handle_read_volume_header function in libbde_io_handle.c, in the BitLocker identifier checking logic. I tried to ignore the checks and set the LIBBDE_VERSION_WINDOWS_7 version to io_handle->version. This helped to decrypt the partition. Is it just a new BitLocker identifier that is stored in those 16 bytes, or is the problem much deeper?

Thank you!

joachimmetz commented 5 years ago

If we assume this is BDE To Go, from bitlocker output.txt it looks like part of the metadata, including the identifier (at offset 0x1a8), has been changed to 'x':

00000180: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000190: 00 00 00 00 00 00 00 00  78 78 78 78 78 78 78 78   ........ xxxxxxxx
000001a0: 78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
000001b0: 78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
000001c0: 78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
000001d0: 78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
000001e0: 78 78 78 78 78 78 78 78  ff ff ff ff ff ff ff ff   xxxxxxxx ........
000001f0: ff ff ff ff ff ff ff ff  ff ff ff 00 1f 2c 55 aa   ........ .....,U.

If we assume this is BDE 7, at offset 0xa0:

00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000a0: 3b 4d a8 92 80 dd 0e 4d  9e 4e b1 e3 28 4e ae d8   ;M.....M .N..(N..
000000b0: 00 00 40 02 00 00 00 00  00 40 8b 42 00 00 00 00   ..@..... .@.B....
import uuid
# The GUID is stored in Windows little-endian (mixed-endian) byte order, hence bytes_le
uuid.UUID(bytes_le=bytes.fromhex('3b 4d a8 92 80 dd 0e 4d  9e 4e b1 e3 28 4e ae d8'))
Out[3]: UUID('92a84d3b-dd80-4d0e-9e4e-b1e3284eaed8')

92a84d3b-dd80-4d0e-9e4e-b1e3284eaed8 is different from known GUIDs.

Any more context about this volume?

Also see: https://github.com/libyal/libbde/blob/master/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc#42-bitlocker-windows-7-and-later or https://github.com/libyal/libbde/blob/master/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc#43-bitlocker-to-go
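The check the comment above performs by hand, written out as a small parser, is added here as an example (it is not libbde's own code): it reads the signature at offset 3 to pick the layout, reads the 16-byte identifier from the layout's offset (0xa0 for Windows 7 and later, 0x1a8 for To Go, as noted above), decodes it with bytes_le, and reports whether it is a GUID the parser knows. The known-identifier table only carries the GUID computed in this thread; the signatures "-FVE-FS-" and "MSWIN4.1" and the sample headers are assumptions constructed for the example.

```python
import uuid

# Volume header signature at offset 3 and the offset of the 16-byte identifier
# for each BDE layout (offsets as stated in the comment above).
LAYOUTS = {
    b"-FVE-FS-": ("BitLocker Windows 7 and later", 0xA0),
    b"MSWIN4.1": ("BitLocker To Go", 0x1A8),
}

# Identifiers this example recognises. The only entry is the GUID computed in
# the comment above; the regular ones can be added from the format documentation.
KNOWN_IDENTIFIERS = {
    uuid.UUID("92a84d3b-dd80-4d0e-9e4e-b1e3284eaed8"):
        "identifier reported in this issue",
}


def parse_bde_volume_header(header: bytes) -> dict:
    """Classify the first sector of a volume by BDE signature and identifier GUID."""
    if len(header) < 512:
        raise ValueError("need at least the first 512 bytes of the volume")
    signature = header[3:11]
    if signature not in LAYOUTS:
        return {"layout": None, "identifier": None, "known_as": None}
    layout, offset = LAYOUTS[signature]
    raw = header[offset:offset + 16]
    # The GUID is stored in Windows mixed-endian byte order, so decode with
    # bytes_le rather than bytes (same as the uuid call in the comment above).
    identifier = uuid.UUID(bytes_le=raw)
    return {
        "layout": layout,
        "identifier": str(identifier),
        "known_as": KNOWN_IDENTIFIERS.get(identifier, "unknown"),
    }


def make_header(signature: bytes, identifier_bytes: bytes) -> bytes:
    """Constructed 512-byte sector carrying only the fields this parser reads."""
    _, offset = LAYOUTS[signature]
    sector = bytearray(512)
    sector[3:11] = signature
    sector[offset:offset + 16] = identifier_bytes
    return bytes(sector)


if __name__ == "__main__":
    # Sample inputs constructed from the two hex dumps in the comment above.
    win7_like = make_header(b"-FVE-FS-", bytes.fromhex("3b4da89280dd0e4d9e4eb1e3284eaed8"))
    togo_like = make_header(b"MSWIN4.1", b"x" * 16)  # identifier overwritten with 'x'
    print(parse_bde_volume_header(win7_like))
    print(parse_bde_volume_header(togo_like))
```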

bulhakov-adf commented 5 years ago

I will try to share everything I know: The image was created on Win10 (ver. 1803); this is a system partition. The image was created by my colleagues some time ago, so, unfortunately, I have no details on the creation. I will also share the output for a successful decryption with the assumption that the version is LIBBDE_VERSION_WINDOWS_7 and a failed one for LIBBDE_VERSION_TO_GO: bitlocker_output_win7.txt bitlocker_output_to_go.txt

I still have the source PC available and I will try to image again.

joachimmetz commented 5 years ago

My initial guess is that the format was changed. I can add the identifier, but without a reference image to confirm it, it will be speculation at this point that nothing else changed. Would it be possible to make a small test image that could be shared?

bulhakov-adf commented 5 years ago

Unfortunately, I can't reproduce it, but I can give you the initial image (raw or raw compressed by 7zip). The size of the raw image is 29 GB. I will upload the image (or a 7z containing the raw image, as you prefer) to Google Drive and grant you access (to the email address that you provided in your profile info), if you are okay with that.

joachimmetz commented 5 years ago

@bulhakov-adf yes that sounds good to me, thx

bulhakov-adf commented 5 years ago

Cool. I have sent you an email message with a link.

joachimmetz commented 5 years ago

Thx, I received it, and as indicated will try to have a look shortly at format changes.

joachimmetz commented 5 years ago

I've added support for the identifier (locally, and will push the changes later). This looks like it could be an identifier for "BitLocker Used Disk Space Only encryption", also referred to as Encryption On Write (EOW).

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#used-disk-space-only-encryption

joachimmetz commented 5 years ago

Preliminary support of the "Bitlocker Used Disk Space Only encryption" has been disabled for now. Will re-enable when time permits, to ensure the format behaves the same as Windows 7 BDE.

Andrew-J-Larson commented 3 years ago

@joachimmetz I might be able to help with the testing in a couple of days or so. Is the current status of the "Bitlocker Used Disk Space Only encryption" such that bdemount can work on Windows 8/8.1/10 drives, but it is unsure whether it works the same on Windows 7 drives? Let me know what I can do to help.

joachimmetz commented 3 years ago

> bdemount can work on Windows 8/8.1/10 drives

It technically does work on Windows 8/8.1/10 BDE volumes. "Bitlocker Used Disk Space Only encryption" is a specific format edge case of BDE, different from "regular" BDE volumes.

What would help is to determine how to reproduce this edge case; also have a look at https://github.com/dfirlabs/bde-specimens

Andrew-J-Larson commented 3 years ago

> > bdemount can work on Windows 8/8.1/10 drives
>
> It technically does work on Windows 8/8.1/10 BDE volumes. "Bitlocker Used Disk Space Only encryption" is a specific format edge case of BDE, different from "regular" BDE volumes.
>
> What would help is to determine how to reproduce this edge case; also have a look at https://github.com/dfirlabs/bde-specimens

I know that at least on Windows 10, it may give an option to encrypt used space only.

Is the edge case such that Vista/7 won't prompt for this kind of encryption, and instead chooses for you? @joachimmetz

joachimmetz commented 3 years ago

> Is the edge case such that Vista/7 won't prompt for this kind of encryption,

The edge case is that it looks to be an intermediate format that is not present on all BDE volumes. If you have a way to reliably reproduce it, let me know.

> I know that at least on Windows 10, it may give an option to encrypt used space only.

I looked at this last time, but the resulting volumes appeared to be normal BDE volumes to me. Maybe it needs to be paused; I'll have another look if time permits.

Andrew-J-Larson commented 3 years ago

Okay, and just to make sure, @joachimmetz, has testing already occurred with bitlocker'd drives that don't use the TPM? (e.g. https://www.groovypost.com/howto/enable-windows-8-full-disk-bitlocker-encryption-without-tpm)

joachimmetz commented 3 years ago

Why would that affect the "Bitlocker Used Disk Space Only encryption"? The TPM only introduces a new key protector; see the documentation of this project for more information. How/why do you conclude that?

But to answer your question, yes I have a test BDE volume from a system without a TPM.

Andrew-J-Larson commented 3 years ago

Just curious, in case it could have an effect on Used Disk Space encryption on Vista/7.

Andrew-J-Larson commented 3 years ago

I have another thought though. If the disk is currently encrypting, but then there's an update to be installed, if the update starts commencing, it will have to pause and temporarily disable bitlocker... similar to pausing and disabling it manually, would a system-update-forced pause likely be the edge case? @joachimmetz

Andrew-J-Larson commented 3 years ago

Another idea... What about the condition of an encrypted Windows Vista/7 updating to a new major version while bitlocker has been turned on? It would be different from a normal update, and surely the way bitlocker needs to handle that would have to be different than normal. It would explain why such a drive would be able to be decrypted with LIBBDE_VERSION_WINDOWS_7, yet have issues detecting that, if it's coming from an upgrade of Vista -> 7, or in between an update from 7 -> 8/8.1/10.

Andrew-J-Larson commented 3 years ago

And away from those ideas, would a setup being on BIOS vs UEFI have an effect on the identifiers?

Andrew-J-Larson commented 3 years ago

Also I noticed in your documentation, there's no note about Network Unlock... https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq

Is this the missing link?

More info at: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

Andrew-J-Larson commented 3 years ago

Also, at least from dislocker, you may be interested in this commit: https://github.com/Aorimn/dislocker/commit/017ac7255a75eedd984dda1b4b9432bba23f497d

Andrew-J-Larson commented 3 years ago

And probably not helpful, but also related: https://github.com/Aorimn/dislocker/issues/102

joachimmetz commented 3 years ago

@TheAlienDrew thx for the suggestions, but blindly copying the observations (hearsay) or work of others is typically not a good approach from a forensics perspective. What will help is reproducible test data.

Andrew-J-Larson commented 3 years ago

Oh I'm not suggesting any copying of work, but yeah I understand what you mean about having test data.

joachimmetz commented 3 years ago

Did some tests (with the latest Windows 10): the full or used-space-only option in the UI to encrypt a volume with BDE did not alter the format as originally reported.

Unmounting/detaching a VHD before the volume is fully encrypted also did not alter the format as originally reported, but did surface another data format edge case.

It could be that the guess/assumption that the format changes are related to "Bitlocker Used Disk Space Only" is incorrect.

Andrew-J-Larson commented 3 years ago

That's kinda what I was trying to say. I was thinking the reason why it's not standard is because it's a mix of events.

Andrew-J-Larson commented 3 years ago

> Unmounting/detaching a VHD before the volume is fully encrypted also did not alter the format as originally reported, but did surface another data format edge case

@joachimmetz I assume this edge case has yet another 'new' identifier?

Andrew-J-Larson commented 3 years ago

Also would the case of using encryption on an HDD vs an SSD contribute to a changed identifier?

joachimmetz commented 3 years ago

> @joachimmetz I assume this edge case has yet another 'new' identifier?

Not sure yet, need to look into this more closely; not sure if native BDE support likes the volume being abruptly unmounted.

> Also would the case of using encryption on an HDD vs an SSD contribute to a changed identifier?

Not from what I've observed, but we can speculate indefinitely about possible causes.

> I was thinking the reason why it's not standard is because it's a mix of events.

Possibly, one method to go about this could be to extend scripts like https://github.com/dfirlabs/bde-specimens to cover various known scenarios and see where the format surfaces.

Andrew-J-Larson commented 3 years ago

> Not sure yet, need to look into this more closely; not sure if native BDE support likes the volume being abruptly unmounted.

Maybe that's what another identifier is, an "interrupted" state if you will. I could imagine that would likely be the case, and necessary for situations like when power abruptly goes out. I assume an "interrupted" identifier would aid in using the BitLocker Repair Tool (Repair-bde from repair-bde.exe), but of course no idea for sure.

Andrew-J-Larson commented 3 years ago

I just was looking at some stuff on reddit until I came across this comment

Is this likely the missing identifier? A sort of "BitLocker Lite" device encryption?

joachimmetz commented 3 years ago

Don't think that is related, for Vista and 7 you could only use BDE in combination with certain versions of Windows. This no longer seems to be a limit.

Andrew-J-Larson commented 3 years ago

Ah yeah, brain fart, my bad

datasynergyuk commented 2 years ago

Please can I ask what the current status of support for "Bitlocker Used Disk Space Only encryption" is? Could this feature be re-enabled (perhaps experimentally) now?

joachimmetz commented 2 years ago

@datasynergyuk the feature is not supported. If you have test data that contains the feature and you can share it, it could help.

datasynergyuk commented 2 years ago

@joachimmetz thank you. I did some more investigation because I wanted to be sure of my facts and not waste your time.

After double checking, I found that my problem occurs when initial encryption is still in progress. Once encryption has completed, even with "Used Space Only Encrypted" mode, Libbde can successfully access the volume. In other words, the cause of my issue is not what I originally thought.

I tried to make a test image. This was surprisingly difficult with "Used Space Only Encrypted" mode because the encryption will complete very quickly unless there is a lot of data. This means any test image must be reasonably large. In the end, I did it but the image is ~5GB compressed.

Please, would you expect Libbde to work in these circumstances, when the volume is only partially encrypted? The problem occurs when the volume state is:

Size:                 999.39 GB
BitLocker Version:    2.0
Conversion Status:    Encryption in Progress
Percentage Encrypted: 50.8%                                 <=== e.g. not finished yet. This is the problem
Encryption Method:    XTS-AES 128
Protection Status:    Protection Off
Lock Status:          Unlocked
Identification Field: Unknown
Automatic Unlock:     Disabled
Key Protectors:
    Password
    Numerical Password

However, once the initial encryption has completed, Libbde works ok:

Size:                 999.39 GB
BitLocker Version:    2.0
Conversion Status:    Used Space Only Encrypted
Percentage Encrypted: 100.0%                              <=== e.g. encryption finished. Libbde works now
Encryption Method:    XTS-AES 128
Protection Status:    Protection On
Lock Status:          Unlocked
Identification Field: Unknown
Automatic Unlock:     Disabled
Key Protectors:
    Password
    Numerical Password

I have a test image that demonstrates the problem. This contains a volume that is still performing the initial encryption in the state above: https://drive.google.com/file/d/1zqN-J6SSboSbD4uJ8lMLMTFn_52uNAuK

joachimmetz commented 2 years ago

@datasynergyuk interesting find, I'll take a closer look as soon as time permits, but unfortunately multiple other priorities at the moment.