dissect.fve.bde.bde

Module Contents

Classes

BDE

Bitlocker disk encryption.

BootSector

Bitlocker boot sector parsing.

BitlockerStream

Transparently decrypting Bitlocker stream.

Functions

is_bde_volume

Attributes

dissect.fve.bde.bde.Run
dissect.fve.bde.bde.log
class dissect.fve.bde.bde.BDE(fh: BinaryIO)

Bitlocker disk encryption.

fh
boot_sector
information
eow_information = None
property identifiers: list[uuid.UUID]
property sector_size: int
property version: int
property paused: bool
property decrypted: bool
property encrypted: bool
property switching: bool
property unlocked: bool
description() → str | None

Return the volume description, if present.

has_clear_key() → bool

Return whether this volume has a clear/obfuscated encryption key. Used in paused volumes.

has_recovery_password() → bool

Return whether this volume can be unlocked with a recovery password.

has_passphrase() → bool

Return whether this volume can be unlocked with a user passphrase.

has_bek() → bool

Return whether this volume can be unlocked with a BEK file.

unlock(key: bytes) → None

Unlock this volume with the specified encryption key.

unlock_with_clear_key() → None

Unlock this volume with the clear/obfuscated key.

unlock_with_recovery_password(recovery_password: str, identifier: uuid.UUID | str | None = None) → None

Unlock this volume with the recovery password.

unlock_with_passphrase(passphrase: str, identifier: uuid.UUID | str | None = None) → None

Unlock this volume with the user passphrase.

unlock_with_bek(bek_fh: BinaryIO) → None

Unlock this volume with a BEK file.

open() → BitlockerStream

Open this volume and return a readable (decrypted) stream.

reserved_regions() → list[tuple[int, int]]

Return a list of reserved regions for this volume.

Some areas of the volume must “fake” return all null bytes when read. This includes things like the information regions.

Reference:
- InitializeFilterData
- FveLibIdentifyCurrentRegionTypeAndEnd

class dissect.fve.bde.bde.BootSector(fh: BinaryIO)

Bitlocker boot sector parsing.

Bitlocker seems to do some funny stuff with the boot sector. Instead of trying to make sense of that, just do what Microsoft does in their driver: look for specific GUIDs to determine the version.

If no GUIDs can be found, but the Oem string still says -FVE-FS-, we’re dealing with a legacy Vista volume.

boot_sector
sector_size
cluster_size
guid = None
information_offsets = []
eow_offsets = []
class dissect.fve.bde.bde.BitlockerStream(bde: BDE)

Bases: dissect.util.stream.AlignedStream

Transparently decrypting Bitlocker stream.

Provides a transparently decrypted Bitlocker stream for reading. Takes care of the reserved regions, as well as the virtualized blocks in Vista and newer Bitlocker versions.

For Vista, the first 0x2000 bytes aren’t actually encrypted. The very first sector is, however, modified to contain the Bitlocker information, so when reading that sector we must patch the Oem ID back to the NTFS one and replace the secondary MFT location with the one stored in the Information structure.

For newer versions, the first N sectors (usually 16) _are_ encrypted, but have been placed elsewhere on the volume. The location and amount of so-called virtualized sectors are specified in the Information structure.

The Microsoft implementation works at the byte level; for the time being it’s easier for us to work at the sector level. I haven’t seen a reason why this would break yet.

RUN_PLAIN = 0
RUN_VISTA_HEADER = 1
RUN_SPARSE = 2
RUN_ENCRYPTED = 3
bde
sector_size
is_eow
dissect.fve.bde.bde.is_bde_volume(fh: BinaryIO) → bool
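A forensic triage helper built on the API documented on this page, as an added example that is not part of dissect.fve: it reports which key protectors a volume offers, unlocks with the first usable one, and sanity-checks the first decrypted sector. The helper names, the NTFS_OEM_ID constant, the printed warning and the assumption that the recovery password is passed in the form Windows displays it are mine; dissect.fve is imported lazily so the pure helpers run without it installed.

```python
"""Detect, unlock and read a BitLocker volume image with the dissect.fve.bde.bde API."""
from __future__ import annotations

import uuid
from typing import BinaryIO

NTFS_OEM_ID = b"NTFS    "  # 8-byte OEM ID at offset 3 of an NTFS boot sector


def available_unlock_methods(bde) -> list[str]:
    """List the key protectors a BDE object reports through its has_*() methods."""
    checks = [
        ("clear_key", bde.has_clear_key),
        ("recovery_password", bde.has_recovery_password),
        ("passphrase", bde.has_passphrase),
        ("bek", bde.has_bek),
    ]
    return [name for name, check in checks if check()]


def first_sector_looks_like_ntfs(stream: BinaryIO, sector_size: int = 512) -> bool:
    """The raw volume starts with -FVE-FS-; the stream from BDE.open() should show NTFS."""
    stream.seek(0)
    sector = stream.read(sector_size)
    return len(sector) == sector_size and sector[3:11] == NTFS_OEM_ID and sector[510:512] == b"\x55\xaa"


def open_decrypted(fh: BinaryIO, recovery_password: str | None = None,
                   identifier: uuid.UUID | str | None = None, bek_fh: BinaryIO | None = None):
    """Unlock with the cheapest protector the volume offers and return the decrypted stream."""
    from dissect.fve.bde.bde import BDE, is_bde_volume  # lazy: the helpers above run without dissect

    if not is_bde_volume(fh):
        raise ValueError("not a BitLocker volume")
    bde = BDE(fh)
    methods = available_unlock_methods(bde)
    if "clear_key" in methods:  # paused volume: the key is only obfuscated, no secret needed
        bde.unlock_with_clear_key()
    elif bek_fh is not None and "bek" in methods:
        bde.unlock_with_bek(bek_fh)
    elif recovery_password and "recovery_password" in methods:
        bde.unlock_with_recovery_password(recovery_password, identifier)
    else:
        raise ValueError(f"no usable protector; volume offers: {methods or 'none'}")
    if not bde.unlocked:
        raise RuntimeError("unlock did not succeed")
    stream = bde.open()
    if not first_sector_looks_like_ntfs(stream, bde.sector_size):
        print("warning: decrypted stream does not start with an NTFS boot sector")
    return stream
```

The warning rather than an error on the OEM check is deliberate: BitLocker can also protect non-NTFS volumes, so a non-NTFS first sector is suspicious but not proof of a failed unlock.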