thewhiteninja / ntfstool

Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
MIT License

Derive VMK and Recovery Key from FVEK #31

Closed BigPanda71 closed 3 weeks ago

BigPanda71 commented 1 month ago

I know I can create a decrypted image of a drive using the FVEK, but is there a way to get the VMK and recovery key using the FVEK? I know it can be done the other way around (VMK to FVEK), but I don't see the functionality currently in the documentation.

thewhiteninja commented 1 month ago

I would say it's not possible. I don't think the recovery key or the VMK are stored somewhere where the FVEK can decrypt something to access them.

BigPanda71 commented 1 month ago

Thanks for the reply. I know Passware will do it, but was hoping for something open source and quicker than their implementation.

nblog commented 1 month ago

> I know I can create a decrypted image of a drive using the FVEK, but is there a way to get the VMK and recovery key using the FVEK? I know it can be done the other way around (VMK to FVEK), but I don't see the functionality currently in the documentation.

I don't know if I'm understanding you correctly.

  1. assuming the partition has 2 protectors 1) password 2) recovery key

When you get the VMK and FVEK by password, you can continue to get the recovery key? (e.g. 463045-035024-167046-181632-589919-238865-094567-137885)

BigPanda71 commented 1 month ago

Assume the partition has two protectors:

  1. TPM
  2. Recovery Key

If you have a memory dump, you can use something like MemProcFS to get the FVEK. I can use something like Dislocker to mount the drive or drive image.

If I feed the image and the FVEK (or the whole memory dump) to Passware, it will give me the Recovery Key and VMK. But that takes hours. I'm looking for something open source and quicker that will do the same thing. Preferably something that works in Windows.

nblog commented 4 weeks ago

> Assume the partition has two protectors:
>
>   1. TPM
>   2. Recovery Key
>
> If you have a memory dump, you can use something like MemProcFS to get the FVEK. I can use something like Dislocker to mount the drive or drive image.
>
> If I feed the image and the FVEK (or the whole memory dump) to Passware, it will give me the Recovery Key and VMK. But that takes hours. I'm looking for something open source and quicker that will do the same thing. Preferably something that works in Windows.

The most important one should be the VMK, so the condition for it to be valid must be that the memory dump contains the VMK, and it is completely impossible to derive the VMK directly from the FVEK (from AES-CCM-256).

The above steps may be motivated by the fact that some tools don't need to get the VMK directly, but look for the FVEK which is more important for decrypting the partition.

And Passware, for example, may look for the VMK based on a memory dump and check the validity with FVEK-ENTRY (comparing FVEK).

When we have the VMK, we can get the keys protected by the protector (e.g. RecoveryPassword, ExternalKey), because they are included in VMK-ENTRY; that's why `manage-bde -protectors -get C:` can show other RecoveryPassword keys. It's just that such a process is not needed in the current open source tools.

So, based on the above it may be that looking up the VMK directly from the memory dump is more relevant to your needs, but as far as I know there should be no analog in the current open source projects.
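To make the key hierarchy discussed in this thread concrete, here is an added example (not ntfstool's code, and not written by any participant above) that models the recovery-password protector as the open-source BitLocker parsers implement it: the 48-digit numerical password is validated (each 6-digit group must be a multiple of 11 and encode a 16-bit value), packed into a 16-byte key, and stretched with BitLocker's SHA-256 chain into the 256-bit AES-CCM key that wraps the VMK. The FVEK sits one layer further down, wrapped under the VMK, which is why nothing in this chain can be walked back from an FVEK. The sample password is the one nblog quoted; the 16-byte salt and the reduced round count used for the demo are constructed values (real metadata carries the salt in the VMK datum and uses 0x100000 rounds).

```python
"""Model of the BitLocker recovery-password protector (added example).

Hierarchy:  recovery password --(pack+stretch)--> stretched key
            stretched key     --(AES-CCM-256)---> VMK
            VMK               --(AES-CCM-256)---> FVEK
Every arrow is a keyed one-way step, so an FVEK alone yields neither the VMK
nor any protector secret above it.
"""
import hashlib
import struct

RECOVERY_GROUPS = 8
GROUP_MAX = 65535 * 11        # largest 6-digit group that still encodes a 16-bit value
STRETCH_ROUNDS = 0x100000     # iteration count BitLocker uses for key stretching


def parse_recovery_password(password: str) -> bytes:
    """Validate a 48-digit recovery password and return its 16-byte key.

    Each dash-separated group is value*11 (the divisibility check is the
    built-in checksum); the eight 16-bit values are packed little-endian.
    """
    groups = password.replace(" ", "").split("-")
    if len(groups) != RECOVERY_GROUPS:
        raise ValueError("expected 8 groups of 6 digits")
    values = []
    for group in groups:
        if len(group) != 6 or not group.isdigit():
            raise ValueError(f"bad group {group!r}")
        number = int(group)
        if number % 11 != 0 or number > GROUP_MAX:
            raise ValueError(f"group {group} fails the divisible-by-11 check")
        values.append(number // 11)
    return struct.pack("<8H", *values)


def is_valid_recovery_password(password: str) -> bool:
    """Convenience wrapper: True if the password passes the format checks."""
    try:
        parse_recovery_password(password)
        return True
    except ValueError:
        return False


def stretch_key(key_data: bytes, salt: bytes, rounds: int = STRETCH_ROUNDS) -> bytes:
    """BitLocker key stretching: iterate SHA-256 over a fixed 88-byte block.

    Block layout: last_hash[32] | initial_hash[32] | salt[16] | counter[8 LE].
    initial_hash is SHA-256(SHA-256(key_data)); the final last_hash is the
    AES-CCM-256 key used to unwrap the VMK.
    """
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    initial = hashlib.sha256(hashlib.sha256(key_data).digest()).digest()
    last = bytes(32)
    for counter in range(rounds):
        block = last + initial + salt + struct.pack("<Q", counter)
        last = hashlib.sha256(block).digest()
    return last


def recovery_password_to_vmk_key(password: str, salt: bytes,
                                 rounds: int = STRETCH_ROUNDS) -> bytes:
    """Full protector path: password -> 16-byte key -> stretched VMK-wrapping key."""
    return stretch_key(parse_recovery_password(password), salt, rounds)


if __name__ == "__main__":
    # Constructed demo inputs: the password nblog quoted and an all-zero salt.
    demo_password = "463045-035024-167046-181632-589919-238865-094567-137885"
    demo_salt = bytes(16)
    print("valid format:", is_valid_recovery_password(demo_password))
    print("packed key  :", parse_recovery_password(demo_password).hex())
    # Reduced round count keeps the demo fast; real metadata uses STRETCH_ROUNDS.
    print("stretched   :", recovery_password_to_vmk_key(demo_password, demo_salt, rounds=1000).hex())
```

The stretched key is only ever used to decrypt the VMK datum with AES-CCM; the FVEK datum is in turn decrypted with the VMK. That matches the point made above: a tool holding an FVEK can decrypt the volume but has nothing it can decrypt to reach the VMK or a recovery password, whereas a tool holding the VMK can read the protector entries the VMK wraps.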