libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

How do I mount with cygfuse bdemount build? #70

Open signal3436 opened 3 months ago

signal3436 commented 3 months ago

Hello,

I used Cygwin (installed all modules) to compile. When I run bdemount.exe in an admin cmd window to mount a BDE volume from a raw image, there is a slight pause but nothing is mounted to the specified drive letter. This occurs when using both the password and recovery options. When I try to use the FVEK option, I get errors:


```
P:\bdemount>bdeinfo P:\image.raw
bdeinfo 20240223

Volume is locked and a password is needed to unlock it.

Password:

Unable to unlock volume.

BitLocker Drive Encryption information:
    Volume identifier        : abbda335-f434-420c-b97e-5dc2fac4bf74
    Encryption method        : AES-XTS 128-bit
    Creation time            : Mar 21, 2024 17:32:18.237762100 UTC
    Description              : DESKTOP-B8H4DIM C: 3/21/2024
    Number of key protectors : 3
    Is locked

Key protector 0:
    Identifier               : 49941cc7-a594-4ce9-be12-9e8d3007d356
    Type                     : Password

Key protector 1:
    Identifier               : d76929dc-6ab0-4f9c-bcd2-1be14f2bfca3
    Type                     : Startup key

Key protector 2:
    Identifier               : c92a358a-291f-42e0-ae44-617fc8f0a426
    Type                     : Recovery password

P:\bdemount>bdemount.exe -p P:\image.raw X:
bdemount 20240223
--> it pauses and I get the command prompt, nothing mounted

P:\bdemount>bdemount.exe -r P:\image.raw X:
bdemount 20240223
--> it pauses and I get the command prompt, nothing mounted

P:\bdemount>bdemount.exe -k P:\image.raw X:
bdemount 20240223

Unable to open source volume
libbde_ntfs_volume_header_read_data: invalid volume system signature.
libbde_io_handle_read_unencrypted_volume_header: unable to read NTFS volume header.
libbde_internal_volume_unlock: unable to read unencrypted volume header.
libbde_internal_volume_open_read: unable to unlock volume.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
```

Here are the first 1024 bytes of the volume: 1024 bytes.txt

joachimmetz commented 3 months ago

Can you provide the offset and data of the unencrypted volume, looks like you sent me the encrypted volume header

Also see: https://github.com/libyal/libbde/wiki/Troubleshooting#verbose-and-debug-output

signal3436 commented 3 months ago

I compiled with the Verbose and debug output, but when I run the commands with -v, there is no output anywhere.

signal3436 commented 3 months ago

My apologies - I typed the -v command in the wrong place. Attached is the output.

output_-k.txt output_-p.txt output_-r.txt

UPDATE: So I realized Volatility only provided half the FVEK. When I provided the entire key the same behavior results - a quick pause and back to the command prompt with nothing mounted.

joachimmetz commented 3 months ago

thanks, but you'll need to rebuild the library with the verbose/debug output options, otherwise the output is not sufficiently detailed. Also see https://github.com/libyal/libbde/wiki/Building#verbose-and-debug-output

also make sure to remove any sensitive data, I'm mostly interested in what is causing the signature check to fail

signal3436 commented 3 months ago

> thanks, but you'll need to rebuild the library with the verbose/debug output options, otherwise the output is not sufficiently detailed. Also see https://github.com/libyal/libbde/wiki/Building#verbose-and-debug-output
>
> also make sure to remove any sensitive data, I'm mostly interested in what is causing the signature check to fail

It's all test data so there's nothing sensitive.

Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command.

joachimmetz commented 3 months ago

> Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command.

they are empty unfortunately, given the verbose/debug option has not been compiled in

signal3436 commented 3 months ago

> Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command.

> they are empty unfortunately, given the verbose/debug option has not been compiled in

I re-uploaded, so each should be 80k.

joachimmetz commented 3 months ago

thanks, looks better; will try to take a closer look soon, but have to deal with another thing first.

signal3436 commented 3 months ago

> thanks, looks better; will try to take a closer look soon, but have to deal with another thing first.

No worries at all. I really appreciate your help!

joachimmetz commented 3 months ago

output_-k.txt

```
libbde_ntfs_volume_header_read_data: NTFS volume header data:
00000000: fe 1c cd ae 13 ec 33 e3  17 98 b6 63 73 12 e3 b8   ......3. ...cs...
00000010: c8 5e 7e e1 1e fa 5f cc  06 9a f4 f4 39 a1 71 16   .^~..._. ....9.q.
00000020: 7d 03 36 e3 b9 ab 38 6a  75 20 ec 9f 26 f1 2c 8d   }.6...8j u ..&.,.
00000030: 7d 08 ec 9e f6 f6 a8 af  2d 88 28 c1 d0 0d 92 ee   }....... -.(.....
```

output_-p.txt

```
libbde_ntfs_volume_header_read_data: NTFS volume header data:
00000000: eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00   .R.NTFS     .....
00000010: 00 00 00 00 00 f8 00 00  3f 00 ff 00 00 b8 11 00   ........ ?.......
00000020: 00 00 00 00 80 00 80 00  53 8f bb 0e 00 00 00 00   ........ S.......
00000030: 00 00 0c 00 00 00 00 00  02 00 00 00 00 00 00 00   ........ ........
00000040: f6 00 00 00 01 00 00 00  06 c6 a7 12 fc a7 12 70   ........ .......p
```

output_-r.txt

```
libbde_ntfs_volume_header_read_data: NTFS volume header data:
00000000: eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00   .R.NTFS     .....
00000010: 00 00 00 00 00 f8 00 00  3f 00 ff 00 00 b8 11 00   ........ ?.......
00000020: 00 00 00 00 80 00 80 00  53 8f bb 0e 00 00 00 00   ........ S.......
00000030: 00 00 0c 00 00 00 00 00  02 00 00 00 00 00 00 00   ........ ........
00000040: f6 00 00 00 01 00 00 00  06 c6 a7 12 fc a7 12 70   ........ .......p
00000050: 00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07   .....3.. ...|.h..
```

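As an added example (not part of the thread and not libbde's code), the signature check behind the "invalid volume system signature" error above, run over the headers posted in this comment: a wrong FVEK decrypts to noise, so the OEM identifier of the decrypted NTFS boot sector is the only quick signal that the unlock worked. Field offsets follow the NTFS boot sector layout; the locked-volume header is constructed, and the OEM identifier `-FVE-FS-` is the one a BitLocker volume carries before unlocking.

```python
import struct

NTFS_OEM_ID = b"NTFS    "       # OEM identifier of a plaintext NTFS boot sector
BITLOCKER_OEM_ID = b"-FVE-FS-"  # OEM identifier of a still-encrypted BitLocker volume
# Headers transcribed from the debug output above (the reporter says it is test
# data): the -k run decrypted to noise, the -p run to a real NTFS header.
HEADER_WRONG_FVEK = bytes.fromhex(
    "fe1ccdae13ec33e31798b6637312e3b8c85e7ee11efa5fcc069af4f439a17116"
    "7d0336e3b9ab386a7520ec9f26f12c8d7d08ec9ef6f6a8af2d8828c1d00d92ee")
HEADER_DECRYPTED = bytes.fromhex(
    "eb52904e5446532020202000020800000000000000f800003f00ff0000b81100"
    "0000000080008000538fbb0e0000000000000c00000000000200000000000000"
    "f60000000100000006c6a712fca71270")
# Constructed here, not from the page: the OEM ID a locked volume still carries.
HEADER_LOCKED = b"\xeb\x58\x90" + BITLOCKER_OEM_ID + bytes(0x50 - 11)

def classify_volume_header(data: bytes) -> str:
    """Return 'ntfs', 'bitlocker' or 'unknown' from the 8-byte OEM ID at offset 3."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of volume header")
    oem_id = data[3:11]
    if oem_id == NTFS_OEM_ID:
        return "ntfs"
    return "bitlocker" if oem_id == BITLOCKER_OEM_ID else "unknown"

def parse_ntfs_header(data: bytes) -> dict:
    """Decode the BPB fields a mounter needs from a decrypted NTFS header (0x50 bytes)."""
    if len(data) < 0x50 or classify_volume_header(data) != "ntfs":
        raise ValueError("invalid volume system signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", data, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<2Q", data, 0x28)
    clusters_per_mft_record = struct.unpack_from("<b", data, 0x40)[0]
    # A negative value is log2 of the record size in bytes, not a cluster count.
    if clusters_per_mft_record < 0:
        mft_record_size = 1 << -clusters_per_mft_record
    else:
        mft_record_size = clusters_per_mft_record * sectors_per_cluster * bytes_per_sector
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster,
            "mft_record_size": mft_record_size}

def diagnose(data: bytes) -> str:
    """Read a post-unlock header the way libbde's signature check does."""
    kind = classify_volume_header(data)
    if kind == "ntfs":
        return "decrypted: NTFS header readable"
    if kind == "bitlocker":
        return "still encrypted: unlock with a key protector first"
    return "no signature: wrong FVEK, wrong volume offset, or undecrypted data"
```

On the -p header this yields 512-byte sectors, 8 sectors per cluster, 0x0EBB8F53 sectors in total and 1024-byte MFT records, which is why that run could decrypt the volume while the -k run could not.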
joachimmetz commented 3 months ago

Looks like output-p.txt and output-r.txt are able to decrypt the volume. Which version of Dokan are you using?

signal3436 commented 3 months ago

> Looks like output-p.txt and output-r.txt are able to decrypt the volume. Which version of Dokan are you using?

v2.0.5

joachimmetz commented 3 months ago

The issue you are encountering might be due to changes in Dokan 2.0 and later, I'll have a look later this week to see if I can add support. If you need it urgently you might be able to make the changes yourself based on https://github.com/libyal/libewf/commit/8abd6a9f79a3e942080c639a3705ea7da94a3efc

signal3436 commented 3 months ago

I installed various versions of Dokan and I still can't get the image to mount.

Just so I'm clear and not doing anything wrong:

- I have bdeinfo.exe/bdemount.exe compiled in libbde\bdetools\.libs
- I have cygbde-1.dll compiled in libbde\libbde\.libs
- These three files were copied into a folder C:\bdemount

When I first ran bdemount.exe, I received error messages stating the following dlls were needed:

- cygcrypto-3.dll, cygfuse-2.8.dll, cygwin1.dll, cygz.dll and winfsp-x64.dll

After these dlls were copied into C:\bdemount, the .exe ran (evidenced by the log files) but the image won't mount regardless of the Dokan version installed (v0.x, v1.x, v2.x).

Am I missing/omitting/screwing up a crucial step?

joachimmetz commented 3 months ago

cygfuse is not the same as Dokan, these are 2 different backends

how did you compile libbde and bdemount? with Visual Studio (+Dokan) or cygwin (+fuse)?

I assume the latter given your file names, but double checking

signal3436 commented 3 months ago

> cygfuse is not the same as Dokan, these are 2 different backends
>
> how did you compile libbde and bdemount? with Visual Studio (+Dokan) or cygwin (+fuse)?
>
> I assume the latter given your file names, but double checking

Yes, Cygwin (with every module installed).

So I need to compile with VS to get it to mount properly?

joachimmetz commented 3 months ago

> So I need to compile with VS to get it to mount properly?

bdemount has been known to work with Linux fuse, macosfuse (see: https://github.com/libyal/libbde/wiki/Building#using-gnu-compiler-collection-gcc), and Dokan (pre 2.0) (see: https://github.com/libyal/libbde/wiki/Building#dokan-library)

cygwin fuse I would need to look into first, and for Dokan >= 2.0 you might need to make some tweaks

joachimmetz commented 3 months ago

Some changes for Dokan >= 2.0 in https://github.com/libyal/libbde/commit/99cc66bb2dcef7a05f317e29a43d7f84621b63a1

signal3436 commented 3 months ago

Many thanks! I will start from scratch and circle back.

joachimmetz commented 3 months ago

just tested with Dokan 1.2 on my system and that is working as intended

I'll give cygfuse and Dokan 2 a test drive when time permits

signal3436 commented 3 months ago

> just tested with Dokan 1.2 on my system and that is working as intended
>
> I'll give cygfuse and Dokan 2 a test drive when time permits

Thanks so much!

joachimmetz commented 3 months ago

So cygfuse is different from Linux fuse2 and fuse3. Made some tweaks and got it working on a test set up. To reproduce

Will take a closer look how to unmount, given fusermount -u x: does not appear to work

joachimmetz commented 3 months ago

> Will take a closer look how to unmount, given fusermount -u x: does not appear to work

not a nice integration, but looks like killing the bdemount process is a method

which appears to be the same method used by fusermount on cygwin https://github.com/mgeisert/cygfuse/blob/master/source/v3/fusermount#L190

joachimmetz commented 3 months ago

Note to self: format of /var/run/fuse.mounts

https://github.com/mgeisert/cygfuse/blob/922c9e4020876ec6bbfb2d6d3ee4194a5e67d520/source/v3/fuse3/cygfuse.c#L226

Something like:

```
X: fuse PID localhost path
```

Note that

signal3436 commented 3 months ago

After running `bdemount -p (password) P:\image.img X:` there is some improvement on my end.

The command window "hangs" like it's supposed to, I see "bdemount.exe" in Task Manager but the image still doesn't mount. The last two lines of the error output are:

```
mount_fuse_getattr: /
The service bdemount has been started.
```

joachimmetz commented 3 months ago

do you see a file X:\bde1 ?

signal3436 commented 3 months ago

> do you see a file X:\bde1 ?

Unfortunately no.

joachimmetz commented 3 months ago

did you end up going the cygfuse+winfsp way or Dokan?

joachimmetz commented 3 months ago

nevermind, looks like you went the fuse route (mount_fuse_getattr), given that this is a new backend I don't have many tips for you at the moment

signal3436 commented 3 months ago

I appreciate your help with all of this. I might just fresh install everything on something other than the Franken-machine I'm using right now to see if that clears up anything.