libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

Unable to unlock volume: multiple recovery passwords #44

Closed - lcfut closed this issue 5 years ago

lcfut commented 5 years ago

System is RHEL 7.6 Security Profile - USGCB/STIG FIPS Enabled

Installed libebde-tools and dependencies from CERT Forensics Repo

Completed DD image - output file is FILENAME.001. Issuing the command below returns the following error. Data has been sanitized for posting purposes; the actual recovery key was used.

[root@hostname]# bdemount -r 12345-12345-12345-12345-12345-12345-12345-12345 -o 1026555904 ditto-file.001 /mnt/windows_mount/
bdemount 20181124

Unable to unlock volume.
[root@hostname]#

There was no error during the "yum install libbde-tools" process. If I use the same recovery key on Win10 - the image file is decrypted without error.

joachimmetz commented 5 years ago

bdemount 20181124

Please use the latest version of libbde and tools; you could be running into an issue that was fixed a while ago.

What does bdeinfo -r 12345-12345-12345-12345-12345-12345-12345-12345 -o 1026555904 ditto-file.001 tell you?

lcfut commented 5 years ago

I pulled down the latest "alpha" release as you suggested and it fails to compile.

[lsierra@usdsglxp0066 libbde-20190701]$ ./configure
./configure: line 16: $'\r': command not found
./configure: line 31: syntax error near unexpected token `newline'
./configure: line 31: `;;'
[lsierra@usdsglxp0066 libbde-20190701]$

joachimmetz commented 5 years ago

Did you download a copy of the source in git or a source distribution package? https://github.com/libyal/libbde/wiki/Building#read-first likely clarifies the issue you are running into.

You need to download libbde-alpha-20190701.tar.gz

lcfut commented 5 years ago

OK - this is not the first time I have installed something.

  1. navigated to the following location - https://github.com/libyal/libbde/releases
  2. Downloaded "tar.gz" file
  3. Unpacked file
  4. Ran "./configure" as per instructions found here - https://github.com/libyal/libbde/wiki/Building#read-first - GCC section. Failed.

joachimmetz commented 5 years ago

I just tested with libbde-alpha-20190701.tar.gz and it works for me, so presumably something is different in your build environment. Could you attach config.log?

With "GCC Section", are you referring to the error ./configure: line 16: $'\r': command not found ?

This sounds to me as if \n (LF) was changed to \r\n (CRLF) in the configure script?

lcfut commented 5 years ago

No. When I say "GCC Section" I am referring to the heading on the GitHub page, specifically the one called "Using GNU Compiler Collection (GCC)".

And the error is what I get when I run the "./configure" command. There is no "config.log" in the folder after running it.

joachimmetz commented 5 years ago

Could you tell me how you unpacked the file?

Since line 16 of configure is empty, seeing the error I think the way you extracted it converted the line ends.
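A quick check for the line-ending problem discussed in this thread, added here as an example (it is not code from libbde or its maintainer): it counts carriage returns in a script and strips them, so a configure script that was extracted through a tool that rewrote \n as \r\n can be verified and repaired before running it. The sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of libbde: detect and repair CRLF line endings in a
# shell script. A configure script with \r\n endings fails with messages such as
#   ./configure: line 16: $'\r': command not found
# because the shell treats the carriage return as part of each command line.

# cr_count FILE: print the number of carriage-return (\r) bytes in FILE.
# A clean LF-only script prints 0.
cr_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# has_crlf FILE: exit 0 if FILE contains carriage returns, 1 otherwise.
has_crlf() {
    [ "$(cr_count "$1")" -gt 0 ]
}

# strip_crlf FILE: rewrite FILE in place with LF-only line endings. A temp file
# plus mv is used instead of sed -i so this works with any POSIX toolset.
strip_crlf() {
    tmp="$1.lf.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# make_sample FILE: write a constructed two-line script with CRLF endings,
# mimicking what an extraction that converted line ends could produce.
make_sample() {
    printf '#!/bin/sh\r\necho hello\r\n' > "$1"
}

# Stand-alone usage: check (and if needed repair) a script named on the command
# line, e.g.  sh check_crlf.sh ./configure
if [ -n "$1" ]; then
    if has_crlf "$1"; then
        echo "$1: $(cr_count "$1") carriage returns found, converting to LF"
        strip_crlf "$1"
    else
        echo "$1: line endings are already LF"
    fi
fi
```

Run it against the extracted configure script before ./configure; a non-zero count is the cause of the $'\r' error, and after strip_crlf the script runs normally.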

joachimmetz commented 5 years ago

No update from original reporter, assuming the issue got resolved on their end.

ilSant0 commented 3 years ago

Same problem here...

bdemount -o $((512*1261568)) -r XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX /mnt/image.dd /mnt2
bdemount 20200816

Unable to unlock source volume
bdeinfo -r XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -o 645922816 /mnt/image.dd
bdeinfo 20200816

BitLocker Drive Encryption information:
    Encryption method           : AES-XTS 128-bit
    Volume identifier           : <id removed>
    Creation time               : Oct 22, 2019 11:23:44.94036781 UTC
    Description                 : ABCDEFG C: 22/10/2019
    Number of key protectors    : 9

Key protector 0:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 1:
    Identifier          : <id removed>
    Type                : TPM

Key protector 2:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 3:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 4:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 5:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 6:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 7:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 8:
    Identifier          : <id removed>
    Type                : Recovery password

Unable to unlock volume.
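As an added example (not part of libbde or of this report), a small awk-based parser for the bdeinfo key protector listing shown above. It tallies protectors by type, so a volume that carries several recovery-password protectors, which is what the maintainer wants to investigate here, is easy to spot before passing -r to bdemount. The bdeinfo output embedded below is constructed and modelled on the listing above, with identifiers removed.

```shell
#!/bin/sh
# Added example, not part of libbde: tally the key protectors in bdeinfo output
# by type. bdeinfo prints one "Key protector N:" block per protector, each with
# a "Type" line; a volume can carry several recovery-password protectors, and
# the recovery password given with -r has to correspond to one of them.

# Constructed sample modelled on the bdeinfo listing in this thread.
BDEINFO_SAMPLE='BitLocker Drive Encryption information:
    Encryption method           : AES-XTS 128-bit
    Volume identifier           : <id removed>
    Creation time               : Oct 22, 2019 11:23:44.94036781 UTC
    Description                 : SAMPLE C: 22/10/2019
    Number of key protectors    : 3

Key protector 0:
    Identifier          : <id removed>
    Type                : Recovery password

Key protector 1:
    Identifier          : <id removed>
    Type                : TPM

Key protector 2:
    Identifier          : <id removed>
    Type                : Recovery password

Unable to unlock volume.'

# list_protectors: read bdeinfo output on stdin, print "<index> <type>" per protector.
list_protectors() {
    awk '
        /^Key protector [0-9]+:/ { idx = $3; sub(/:$/, "", idx); next }
        idx != "" && $1 == "Type" {
            type = $0
            sub(/^[ \t]*Type[ \t]*:[ \t]*/, "", type)
            sub(/[ \t\r]+$/, "", type)
            print idx, type
            idx = ""
        }'
}

# count_protectors TYPE: number of protectors whose Type equals TYPE exactly.
count_protectors() {
    list_protectors | awk -v want="$1" '
        { t = $0; sub(/^[0-9]+ /, "", t); if (t == want) n++ }
        END { print n + 0 }'
}

# declared_protectors: the count bdeinfo itself reports, to cross-check the listing.
declared_protectors() {
    awk -F: '/Number of key protectors/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# summarize_protectors: "<count> <type>" per distinct type, most frequent first.
summarize_protectors() {
    list_protectors | awk '
        { t = $0; sub(/^[0-9]+ /, "", t); c[t]++ }
        END { for (t in c) print c[t], t }' | sort -rn
}

# Stand-alone usage: summarize a saved bdeinfo output file named on the command
# line, or the constructed sample when no file is given.
if [ -n "$1" ]; then
    summarize_protectors < "$1"
else
    printf '%s\n' "$BDEINFO_SAMPLE" | summarize_protectors
fi
```

With real output, run bdeinfo first and feed its stdout to the script (bdeinfo ... > info.txt; sh protectors.sh info.txt); a summary showing more than one "Recovery password" entry is the situation this issue is about, and the declared count can be compared with the number of parsed entries to catch truncated output.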

joachimmetz commented 3 years ago

@zara86 can you provide me with debug output (https://github.com/libyal/libbde/wiki/Troubleshooting#verbose-and-debug-output)? Want to see what happens with the multiple recovery passwords for your image.

ilSant0 commented 3 years ago

Sorry for the delay. I tried to do what you asked; I hope it can help. bdeinfo_stderr.zip

joachimmetz commented 3 years ago

@zara86 thx, having a look as soon as time permits.

joachimmetz commented 3 years ago

Note to self: create an image with multiple recovery passwords with https://github.com/dfirlabs/bde-specimens