libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

Fat32 decrypted BDE volume filled with W's? #62

Closed DataDrug closed 1 year ago

DataDrug commented 1 year ago

Hello Joachim,

(Tried to e-mail you without success)

I'm writing to you after an extensive search on the web for answers, to no result.

I got a pendrive with BitLocker coming in for recovery. The recovery key is known, so I cloned it; however, after the decryption most of the sectors become filled with WWWW's.

Upon further research I realized that I'm missing about 1.000.000 sectors out of 976.562.500 (USB drive has 512 GB).

What I would like to ask you is:

1) Can this small area be responsible for some low level translation table or something like that?

2) Even if this was a critical area (and all these sectors are in the same spot) shouldn't BDE have metadata stored on other areas?

3) Before I decrypt the drive, I can look at the hex and everything seems "normal", without pattern or repeats... At least a raw recovery should show me many files once I was able to clone 99.9% of the data, no?

4) I might have to resort to chip-off, but it will be a pain to ECC correct a NAND with 512 GB... After I apply XOR, ECC and all the parameters, do you happen to know any kind of utility that decrypts BitLocker using every sector/cluster?

Thank you and sorry for taking your time with this. Have a good weekend.

joachimmetz commented 1 year ago

> (Tried to e-mail you without success)

@DataDrug is this because your email bounced or you never got a reply? If the latter, make sure your email has a decent explanation; I get a lot of noise.

> So I cloned it; however, after the decryption most of the sectors become filled with WWWW's.

Then likely the data is actually that; if the keys or IVs are wrong, you're more likely to get random data.

> I might have to resort to chip-off, but it will be a pain to ECC correct a NAND with 512 GB

How is this going to help? Sounds to me like the data in the encrypted volume was likely wiped (filled with W's).

DataDrug commented 1 year ago

Hi!

The e-mail bounced :/

I was asking about the chip-off alternative as that method would allow me to read that specific area on the NAND that is problematic. If I look at the hex while encrypted there is nothing suggesting a pattern of W's; that just happens post decryption, and I'm only able to get 30ish GB even though I can see the full file structure.

I'm not very experienced in issues with BitLocker, but this really looks like those missing sectors I can't read are crucial for the rest of the files.

At this point I would be happy if a raw scan on the decrypted image gave me some more files.

(I'm already performing ECC on the NAND and will see what happens)

joachimmetz commented 1 year ago

I have insufficient information to help you, and your description of the problem is hard to follow since you're mixing multiple different layers (physical, encrypted, unencrypted). Unless you're able to provide me with the data or provide me with a description that is more clear, I'm afraid I cannot help you. As I said, it sounds to me that your unencrypted volume actually contains the Ws as data.

DataDrug commented 1 year ago

How could I provide you with the data?

I think random hex without repeats cannot translate to W's after decryption :/

joachimmetz commented 1 year ago

> How could I provide you with the data?

Can you upload it somewhere? Google Drive, other?

> I think random hex without repeats cannot translate to W's after decryption :/

Very unlikely, but the encryption is just AES, so likely the decryption is correct (based on the limited information available).
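The distinction joachimmetz draws above (a wrong key or IV yields high-entropy junk, whereas a constant fill of 'W' bytes is what the volume actually contains) can be checked mechanically on a decrypted image before anyone reaches for chip-off. The following triage script is an added example for this thread, not code from libbde or from either participant; it classifies each 512-byte sector as constant fill, ciphertext-like (entropy above an assumed 6.5 bits/byte threshold) or structured plaintext, and reports contiguous runs of fill sectors by LBA so a wiped region is visible as one range. The sample image it scans is constructed inline (a FAT32-looking boot sector, 'W'-filled sectors and deterministic pseudo-random sectors standing in for misdecrypted data); run it against a real decrypted image by reading the file into `image` instead.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
RANDOM_THRESHOLD = 6.5  # assumed: bits/byte above which a sector looks like ciphertext


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill,
    close to 8.0 for ciphertext or data decrypted with a wrong key/IV."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify_sector(block: bytes) -> str:
    """'fill' = one repeated byte (e.g. 0x57 'W'), 'random' = high entropy,
    'structured' = anything else (plausible plaintext such as FAT metadata)."""
    if len(set(block)) == 1:
        return "fill"
    return "random" if shannon_entropy(block) >= RANDOM_THRESHOLD else "structured"


def fill_runs(image: bytes, sector_size: int = SECTOR_SIZE) -> List[Tuple[int, int, int]]:
    """Return (first_lba, sector_count, fill_byte) for each contiguous run of
    constant-fill sectors, so a wiped region shows up as a single range."""
    runs: List[Tuple[int, int, int]] = []
    for lba, offset in enumerate(range(0, len(image), sector_size)):
        sector = image[offset:offset + sector_size]
        if len(set(sector)) != 1:
            continue
        byte = sector[0]
        if runs and runs[-1][2] == byte and runs[-1][0] + runs[-1][1] == lba:
            start, count, _ = runs[-1]
            runs[-1] = (start, count + 1, byte)  # extend the current run
        else:
            runs.append((lba, 1, byte))
    return runs


def triage(image: bytes, sector_size: int = SECTOR_SIZE) -> Dict[str, int]:
    """Count sectors per class across a decrypted image."""
    counts = {"fill": 0, "random": 0, "structured": 0}
    for offset in range(0, len(image), sector_size):
        counts[classify_sector(image[offset:offset + sector_size])] += 1
    return counts


def _pseudo_random_sector(seed: bytes) -> bytes:
    # Deterministic stand-in for ciphertext-like data: chained SHA-256 outputs.
    out, h = b"", seed
    while len(out) < SECTOR_SIZE:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:SECTOR_SIZE]


def build_sample_image() -> bytes:
    """Constructed sample image: sector 0 is a minimal FAT32-style boot sector,
    sectors 1-4 are 'W' fill, 5-6 look like misdecrypted data, 7-9 are 'W' fill."""
    boot = (b"\xeb\x58\x90MSDOS5.0" + b"\x00" * 79 + b"FAT32   ").ljust(SECTOR_SIZE, b"\x00")
    boot = boot[:510] + b"\x55\xaa"  # boot signature
    return (boot
            + b"W" * SECTOR_SIZE * 4
            + _pseudo_random_sector(b"a") + _pseudo_random_sector(b"b")
            + b"W" * SECTOR_SIZE * 3)


if __name__ == "__main__":
    image = build_sample_image()  # replace with open(path, "rb").read() for a real image
    print(triage(image))
    for start, count, byte in fill_runs(image):
        print(f"LBA {start}: {count} sector(s) filled with 0x{byte:02x}")
```

If a real decrypted image reports the bulk of its sectors as `fill` with byte 0x57 and only a small `random` share, the plaintext genuinely contains the W's and the problem is upstream of BitLocker (a wipe or a bad clone); if instead most sectors land in `random`, the key material or the sector-to-IV mapping used for decryption is the thing to re-examine.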