bitlocker: Volatility Framework plugin for extracting BitLocker FVEK
Volatility Framework: BitLocker
This plugin finds and extracts the Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files. This allows rapid unlocking of systems that had BitLocker encrypted volumes mounted at the time of acquisition.
Supported memory images:
- Windows 10 (work in progress)
- Windows 8.1
- Windows Server 2012 R2
- Windows 8
- Windows Server 2012
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Vista
git clone https://github.com/elceef/bitlocker.git
Evidence: Raw HDD image
1) Determine partition layout and identify BitLocker volume
The last partition, starting at sector 316475392, is BitLocker protected. This can be verified by looking at the filesystem header: a volume encrypted with BitLocker carries a different signature than the standard NTFS boot sector, starting with the “-FVE-FS-” signature instead.
2) Locate and convert hibernation file
Mount the system volume starting from sector 1050624 in read-only mode.
Convert the hibernation file hiberfil.sys into a raw memory image for further forensic analysis.
3) Use the bitlocker plugin to extract FVEK
The plugin scans the memory image for BitLocker cryptographic allocations (memory pools) and extracts the AES key material (the FVEK).
4) Decrypt and access the volume
Decrypt the volume on-the-fly using the previously extracted FVEK.
Finally, mount and access the filesystem.
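As an added example (not the plugin's own code), the signature check from step 1 written as a small script: it reads the boot sector of each partition start found in the partition table and reports whether the volume is BitLocker protected (“-FVE-FS-”) or plain NTFS. It assumes 512-byte sectors, as in the sector offsets above, and runs against a constructed in-memory disk image.

```python
# Added example: verify which partitions of a raw disk image are BitLocker
# protected by reading the OEM ID from each volume boot sector (step 1 above).
import io
from typing import BinaryIO, Dict, Iterable

SECTOR_SIZE = 512           # assumption: 512-byte sectors, matching the offsets above
OEM_OFFSET, OEM_LEN = 3, 8  # OEM ID follows the 3-byte jump at the start of the boot sector
SIGNATURES = {
    b"-FVE-FS-": "bitlocker",  # BitLocker full-volume-encrypted volume
    b"NTFS    ": "ntfs",       # plain NTFS volume
}


def classify_volume(image: BinaryIO, start_sector: int, sector_size: int = SECTOR_SIZE) -> str:
    """Return 'bitlocker', 'ntfs', 'unknown' or 'out-of-range' for the volume at start_sector."""
    image.seek(start_sector * sector_size)
    boot = image.read(sector_size)
    if len(boot) < sector_size:
        return "out-of-range"
    return SIGNATURES.get(boot[OEM_OFFSET:OEM_OFFSET + OEM_LEN], "unknown")


def classify_layout(image: BinaryIO, start_sectors: Iterable[int]) -> Dict[int, str]:
    """Classify every partition start sector taken from the partition table."""
    return {s: classify_volume(image, s) for s in start_sectors}


def constructed_image() -> io.BytesIO:
    """Constructed 16-sector disk: NTFS volume at sector 4, BitLocker volume at sector 10."""
    def boot_sector(jump: bytes, oem: bytes) -> bytes:
        sector = bytearray(SECTOR_SIZE)
        sector[0:3] = jump
        sector[OEM_OFFSET:OEM_OFFSET + OEM_LEN] = oem
        sector[510:512] = b"\x55\xaa"   # boot-sector end marker
        return bytes(sector)
    disk = bytearray(SECTOR_SIZE * 16)
    disk[4 * SECTOR_SIZE:5 * SECTOR_SIZE] = boot_sector(b"\xeb\x52\x90", b"NTFS    ")
    disk[10 * SECTOR_SIZE:11 * SECTOR_SIZE] = boot_sector(b"\xeb\x58\x90", b"-FVE-FS-")
    return io.BytesIO(bytes(disk))


if __name__ == "__main__":
    img = constructed_image()
    for start, kind in classify_layout(img, [0, 4, 10]).items():
        print(f"sector {start:>10}: {kind}")
```

On the raw HDD image above, `classify_volume(open("disk.raw", "rb"), 316475392)` is expected to report the BitLocker volume and `1050624` the NTFS system volume.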