thewhiteninja
commented
1 month ago I would say it's not possible. I don't think the recovery key or the VMK are stored somewhere where the FVEK can decrypt something to access them.
Closed BigPanda71 closed 3 weeks ago
thewhiteninja
commented
1 month ago I would say it's not possible. I don't think the recovery key or the VMK are stored somewhere where the FVEK can decrypt something to access them.
BigPanda71
commented
1 month ago Thanks for the reply. I know Passware will do it, but was hoping for something open source and quicker than their implementation
nblog
commented
1 month ago I know I can create a decrypted image of a drive using the FVEK, but is there a way to get the VMK and recovery key using the FVEK? I know it can be done the other way around (VMK to FVEK), but I don't see the functionality currently in the documentation.
I don't know if I'm understanding you correctly.
When you get the VMK and FVEK by password, you can continue to get the recovery key? (e.g. 463045-035024-167046-181632-589919-238865-094567-137885)
BigPanda71
commented
1 month ago Assume the partition has two protectors:
If you have a memory dump, you can use something like MemProcFS to get the FVEK. I can use something like Dislocker to mount the drive or drive image.
If I feed the image and the FVEK (or the whole memory dump) to Passware, it will give me the Recovery Key and VMK. But that takes hours. I'm looking for something open source and quicker that will do the same thing. Preferably something that works in Windows
nblog
commented
4 weeks ago Assume the partition has two protectors:
- TPM
- Recovery Key
If you have a memory dump, you can use something like MemProcFS to get the FVEK. I can use something like Dislocker to mount the drive or drive image.
If I feed the image and the FVEK (or the whole memory dump) to Passware, it will give me the Recovery Key and VMK. But that takes hours. I'm looking for something open source and quicker that will do the same thing. Preferably something that works in Windows
The most important one should be the VMK, so the condition for it to be valid must be that the memory dump contains the VMK, and it is completely impossible to derive the VMK directly from the FVEK (from AES-CCM-256).
The above steps may be motivated by the fact that some tools don't need to get the VMK directly, but look for the FVEK which is more important for decrypting the partition.
And Passware, for example, may look for the VMK based on a memory dump and check the validity with FVEK-ENTRY (comparing FVEK)
When we have the VMK, we can get the keys protected by the protector (e.g. RecoveryPassword, ExternalKey), because they are included in VMK-ENTRY, that's why (manage-bde -protectors -get C: can show other RecoveryPassword keys), it's just that such a process is not needed in the current open source tools.
So, based on the above it may be that looking up the VMK directly from the memory dump is more relevant to your needs, but as far as I know there should be no analog in the current open source projects.
I know I can create a decrypted image of a drive using the FVEK, but is there a way to get the VMK and recovery key using the FVEK? I know it can be done the other way around (VMK to FVEK), but I don't see the functionality currently in the documentation.