libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

FVE metadata entry version "261", "0x0105" #60

Open blitzdose opened 1 year ago

blitzdose commented 1 year ago

I got a BitLocker Volume in suspended mode. The VMK is stored AES-CCM encrypted together with the encryption key (metadata value type 0x0001). But the version of the entry which stores the encrypted VMK and Key has version 261 (0x0105). When I edit the source code so that this version is also accepted (together with 0x0001 and 0x0003) everything works fine. Tested this with two virtual machines. Both got version 261 when BitLocker is suspended. Edit: Windows 10 21H2 (Build 19044.1288)

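An added example, not libbde's code, that parses the FVE metadata entry header the report is about (entry size, entry type, value type, version, all little-endian uint16) and shows why a version whitelist of {0x0001, 0x0003} rejects a suspended volume's VMK entry while one that also accepts 0x0105 parses it. It assumes the VMK value layout (16-byte GUID, 8-byte FILETIME, 2 unknown bytes, 2-byte protection type, then nested entries) and the value-type numbers from libbde's format documentation; the sample bytes are constructed, not taken from the reporter's volume. From a defender's side, the interesting output is the nested plaintext key (value type 0x0001): its presence means the VMK is recoverable without any protector, i.e. the volume is effectively unencrypted while suspended.

```python
import struct
from dataclasses import dataclass

ENTRY_HDR = struct.Struct("<HHHH")  # entry size, entry type, value type, version (uint16 LE)
ENTRY_TYPE_VMK = 0x0002
VALUE_TYPE_KEY, VALUE_TYPE_AES_CCM_KEY, VALUE_TYPE_VMK = 0x0001, 0x0005, 0x0008
ACCEPTED_VERSIONS = {0x0001, 0x0003, 0x0105}  # 0x0105: version seen on the suspended volumes

@dataclass
class Entry:
    entry_type: int
    value_type: int
    version: int
    data: bytes

def parse_entries(buf, accepted=ACCEPTED_VERSIONS):
    """Walk consecutive entries: an 8-byte header followed by (size - 8) bytes of value data."""
    entries, offset = [], 0
    while offset + ENTRY_HDR.size <= len(buf):
        size, etype, vtype, version = ENTRY_HDR.unpack_from(buf, offset)
        if size < ENTRY_HDR.size or offset + size > len(buf):
            raise ValueError(f"bad entry size {size:#x} at offset {offset:#x}")
        if version not in accepted:  # the check that rejected 0x0105 in the report
            raise ValueError(f"unsupported entry version {version:#06x} at offset {offset:#x}")
        entries.append(Entry(etype, vtype, version, buf[offset + 8:offset + size]))
        offset += size
    return entries

def vmk_protection(vmk):
    """VMK value: 16-byte GUID, 8-byte FILETIME, 2 bytes unknown, 2-byte protection type, nested entries."""
    protection = struct.unpack_from("<H", vmk.data, 26)[0]
    nested = parse_entries(vmk.data[28:])
    # A nested plaintext key (value type 0x0001) means the VMK needs no protector: volume is suspended.
    clear_key = any(e.value_type == VALUE_TYPE_KEY for e in nested)
    return {"protection_type": protection, "clear_key": clear_key, "version": vmk.version}

def build_entry(etype, vtype, version, data):
    return ENTRY_HDR.pack(ENTRY_HDR.size + len(data), etype, vtype, version) + data

# Constructed sample, not real volume data: a VMK entry with version 0x0105 whose value holds a
# plaintext key (method 0x2000, dummy 32-byte key) beside an AES-CCM encrypted key (zeroed).
SAMPLE_KEY = build_entry(0x0000, VALUE_TYPE_KEY, 0x0001, b"\x00\x20\x00\x00" + bytes(range(32)))
SAMPLE_CCM = build_entry(0x0000, VALUE_TYPE_AES_CCM_KEY, 0x0001, bytes(12 + 16 + 44))
SAMPLE_VMK = build_entry(ENTRY_TYPE_VMK, VALUE_TYPE_VMK, 0x0105,
                         bytes(16) + bytes(8) + bytes(2) + b"\x00\x00" + SAMPLE_KEY + SAMPLE_CCM)

def check_sample():
    return vmk_protection(parse_entries(SAMPLE_VMK)[0])
```

Calling `parse_entries(SAMPLE_VMK, accepted={0x0001, 0x0003})` reproduces the rejection the reporter hit; with the default set the VMK parses and `check_sample()` reports the clear key.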
joachimmetz commented 1 year ago

@blitzdose thanks for the report I'll have a closer look when time permits