Windows 10 BitLocked volume fails to unlock - "volume header size in FVE Volume header block does not match number of volume header sectors."

[arcticforensics]

bdemount 20200724 fails to mount BitLocker volume created by Windows 10 (version 1903). Error "volume header size in FVE Volume header block does not match number of volume header sectors." (calculated volume header size = 0). See attached log.

log.txt

[joachimmetz]

@brucemarkey must have missed this earlier, thx for the report

looks like the bytes per sector value in the volume header is 0

libbde_io_handle_read_volume_header: signature                          : -FVE-FS-
libbde_io_handle_read_volume_header: bytes per sector                   : 0
libbde_io_handle_read_volume_header: sectors per cluster block          : 0
libbde_io_handle_read_volume_header: unknown1
00000000: 00 00 00 00 00                                     .....

[joachimmetz]

One option is to fall back to 512 if the bytes per sector is set to 0

[joachimmetz]

the question is why would it be set to 0, a BDE image created with https://github.com/dfirlabs/bde-specimens on Windows 10 20H2

libbde_io_handle_read_volume_header: signature                          : -FVE-FS-
libbde_io_handle_read_volume_header: bytes per sector                   : 512
libbde_io_handle_read_volume_header: sectors per cluster block          : 8
libbde_io_handle_read_volume_header: unknown1
00000000: 00 00 00 00 00                                     .....

[joachimmetz]

@brucemarkey could you indicate to me how it was created, with manage-bde?

[arcticforensics]

It was created using the Windows GUI (Manage BitLocker). But I can't repeat the issue since upgrading to Windows 10's October 2020 update (20H2). It appears that only Windows 10's May 2020 update (20H1) is responsible.