libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

EOW_INFORMATION_OFFSET_GUID found in fvevol.pdb #69

Open nblog opened 4 months ago

nblog commented 4 months ago

The BitLocker Used Disk Space Only encryption uses 92a84d3b-dd80-4d0e-9e4e-b1e3284eaed8, in the documentation, is a description of the error

[image]

For full encryption/space-only encryption status is INFORMATION_OFFSET_GUID.

For paused/continued state encryption status is EOW_INFORMATION_OFFSET_GUID.

Field names from fvevol.pdb

When the disk has Percentage Encrypted that is not 100%, then the extra eow_information_off

[image]

Field names from dislocker

nblog commented 4 months ago

When decrypting BitLocker partitions under Windows, it doesn't care if it encrypts all partitions or only uses space encryption, because fvevol.sys takes over and decrypts the specified sectors only when they are accessed.

However, due to encryption speed issues, the "Use space encryption only" field appeared, so the field was expanded starting in Windows 8: extended_info_t xinfo;

where the flags field is explained: [image]