libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

Cannot unlock with recovery key when password protector is set #61

Open tobraha opened 1 year ago

tobraha commented 1 year ago

I am trying to mount a BitLocker partition after having mounted the disk image with ewfmount. When I enter the known recovery key to either bdeinfo or bdemount with -r <recovery-key>, I am prompted to enter the volume Password (which is not known).

I am using current versions of ewftools and bdetools built from source:

ewfmount 20230101
bdemount 20221231

Here is some of the image metadata:

Files & Mounts

$ tree
.
├── evidence
│   └── item001
│       ├── 001_laptop-ssd.E01
│       ├── 001_laptop-ssd.E01.txt
│       ├── 001_laptop-ssd.E02
    [ ... snip fragments ... ]
│       └── 001_laptop-ssd.E31
└── mnt
    ├── bde
    └── ewf
        └── ewf1

Partition Layout

$ mmls mnt/ewf/ewf1
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0496651710   0496649663   楗摮睯s
005:  -------   0496651711   0496652287   0000000577   Unallocated
006:  001       0496652288   0498251775   0001599488
007:  -------   0498251776   0498253607   0000001832   Unallocated
008:  002       0498253608   0500115240   0001861633
009:  -------   0500115241   0500118191   0000002951   Unallocated

* curious, those Chinese characters... not sure I've ever seen that before from Sleuthkit

BitLocker Volume Info

$ bdeinfo -o $(( 512 * 2048 )) mnt/ewf/ewf1
bdeinfo 20221231

Volume is locked and a password is needed to unlock it.

Password:

Unable to unlock volume.

BitLocker Drive Encryption information:
        Volume identifier               : [snip]
        Encryption method               : AES-XTS 256-bit
        Creation time                   : Apr 22, 2022 15:01:15.359152000 UTC
        Description                     : [snip]
        Number of key protectors        : 2
        Is locked

Key protector 0:
        Identifier                      : [snip]
        Type                            : Recovery password

Key protector 1:
        Identifier                      : [snip]
        Type                            : Password

I don't recall ever trying to use bdemount on a volume that has both of these protectors enabled.

Am I missing something? Some compile option needed that I'm missing?

Thanks, -Tommy
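The bdeinfo call above hard-codes the partition offset as 512 * 2048. The following shell helper is an added example, not code from libbde or from this issue: it derives that byte offset from an mmls listing (taking the sector size from the "Units are in N-byte sectors" line rather than assuming 512) and builds the bdeinfo command line. The embedded mmls listing is a constructed sample abridged from the output above, and the image path and recovery key passed to it are placeholders.

```shell
#!/bin/sh
# Added helper, not part of libbde or of this issue.
# Usage: mmls_partition_offset <slot> < mmls-output
# Prints the byte offset of the partition whose mmls "Slot" column equals
# <slot> (e.g. 000 for the first data partition); exits 1 if not found.
mmls_partition_offset() {
    awk -v want="$1" '
        # Sector size line, e.g. "Units are in 512-byte sectors"
        /^Units are in [0-9]+-byte sectors/ {
            sub(/^Units are in /, ""); sub(/-byte sectors.*/, "")
            unit = $0 + 0
        }
        # Data rows: "004:  000       0000002048   0496651710   0496649663   ..."
        unit && $2 == want && $3 ~ /^[0-9]+$/ {
            printf "%.0f\n", $3 * unit; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# Constructed sample listing (abridged from the issue; sector values unchanged).
SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
004:  000       0000002048   0496651710   0496649663
006:  001       0496652288   0498251775   0001599488
'

# Build the bdeinfo invocation for one partition of an ewfmount-exposed image.
# bdeinfo_command <image-path> <slot> <recovery-key>
# <image-path> and <recovery-key> are placeholders supplied by the caller.
bdeinfo_command() {
    off=$(printf '%s' "$SAMPLE_MMLS" | mmls_partition_offset "$2") || return 1
    printf 'bdeinfo -r %s -o %s %s\n' "$3" "$off" "$1"
}

# Stand-alone run: print the command for the first data partition.
bdeinfo_command mnt/ewf/ewf1 000 RECOVERY-KEY-PLACEHOLDER
```

To check every data partition of an image, call mmls_partition_offset once per numeric slot listed by mmls and run bdeinfo at each offset.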

tobraha commented 1 year ago

UPDATE:

I ran bdemount again with debug+verbose output enabled. The bde metadata has a few references to 'SophosProtector', so that may be the cause of my issue.

Also, this may be related to #44

Thanks!

joachimmetz commented 1 year ago

@tobraha can you attach or send me a sanitized version of the debug output. I'll have a look when time permits.

tobraha commented 1 year ago

@joachimmetz - apologies for the delay. Here is the sanitized debug output:

bdemount_debug_output.zip

Not that the output contains any revealing info (I think), but I've encrypted this using your key here: https://github.com/joachimmetz.gpg.

If you're not able to decrypt for any reason, let me know and I will email you a copy of the output. After all, who really uses PGP anymore :upside_down_face: