Open arcticforensics opened 3 years ago
@brucemarkey must have missed this earlier, thx for the report
looks like the bytes per sector
value in the volume header is 0
libbde_io_handle_read_volume_header: signature : -FVE-FS-
libbde_io_handle_read_volume_header: bytes per sector : 0
libbde_io_handle_read_volume_header: sectors per cluster block : 0
libbde_io_handle_read_volume_header: unknown1
00000000: 00 00 00 00 00 .....
One option is to fall back to 512 if the bytes per sector is set to 0
the question is why would it be set to 0, a BDE image created with https://github.com/dfirlabs/bde-specimens on Windows 10 20H2
libbde_io_handle_read_volume_header: signature : -FVE-FS-
libbde_io_handle_read_volume_header: bytes per sector : 512
libbde_io_handle_read_volume_header: sectors per cluster block : 8
libbde_io_handle_read_volume_header: unknown1
00000000: 00 00 00 00 00 .....
@brucemarkey could you indicate to me how it was created, with manage-bde
?
It was created using the Windows GUI (Manage BitLocker). But I can't repeat the issue since upgrading to Windows 10's October 2020 update (20H2). It appears that only Windows 10's May 2020 update (20H1) is responsible.
bdemount 20200724 fails to mount BitLocker volume created by Windows 10 (version 1903). Error "volume header size in FVE Volume header block does not match number of volume header sectors." (calculated volume header size = 0). See attached log.
log.txt