dissect.fve.bde.bde

Module Contents

Classes

- BDE: Bitlocker disk encryption.
- BootSector: Bitlocker boot sector parsing.
- BitlockerStream: Transparently decrypting Bitlocker stream.

Functions

- is_bde_volume: Return whether a file handle points at a Bitlocker volume.

Attributes

- dissect.fve.bde.bde.Run
- dissect.fve.bde.bde.log
- class dissect.fve.bde.bde.BDE(fh: BinaryIO)
Bitlocker disk encryption.
- fh
- boot_sector
- information
- eow_information = None
- property identifiers: list[uuid.UUID]
- property sector_size: int
- property version: int
- property paused: bool
- property decrypted: bool
- property encrypted: bool
- property switching: bool
- property unlocked: bool
- description() → str | None
Return the volume description, if present.
- has_clear_key() → bool
Return whether this volume has a clear/obfuscated encryption key. Used in paused volumes.
- has_recovery_password() → bool
Return whether this volume can be unlocked with a recovery password.
- has_passphrase() → bool
Return whether this volume can be unlocked with a user passphrase.
- has_bek() → bool
Return whether this volume can be unlocked with a BEK file.
- unlock_with_clear_key() → None
Unlock this volume with the clear/obfuscated key.
- unlock_with_recovery_password(recovery_password: str, identifier: uuid.UUID | str | None = None) → None
Unlock this volume with the recovery password.
- unlock_with_passphrase(passphrase: str, identifier: uuid.UUID | str | None = None) → None
Unlock this volume with the user passphrase.
- unlock_with_bek(bek_fh: BinaryIO) → None
Unlock this volume with a BEK file.
- open() → BitlockerStream
Open this volume and return a readable (decrypted) stream.
- reserved_regions() → list[tuple[int, int]]
Return a list of reserved regions for this volume.
Some areas of the volume must “fake” return all null bytes when read. This includes things like the information regions.
Reference (Microsoft driver routines):
- InitializeFilterData
- FveLibIdentifyCurrentRegionTypeAndEnd
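A triage helper built on the BDE API documented above, as an added example that is not part of dissect.fve. It assumes only the members listed here: the `has_*` predicates, the `unlock_with_*` methods, the `unlocked`, `version`, `identifiers` and `paused` properties, `open()`, and the module-level `is_bde_volume()`. The names `describe_unlock_options`, `try_unlock` and `open_volume` are mine, as is the assumption that a failed unlock attempt raises; because that is an assumption, the code always checks `unlocked` afterwards rather than trusting the call.

```python
"""Triage and unlock a Bitlocker volume via the dissect.fve BDE API (added example)."""
from __future__ import annotations

import logging
from typing import BinaryIO

log = logging.getLogger(__name__)


def describe_unlock_options(bde) -> dict[str, bool]:
    """Report which key protectors the volume exposes, using the BDE predicates."""
    return {
        "clear_key": bde.has_clear_key(),
        "recovery_password": bde.has_recovery_password(),
        "passphrase": bde.has_passphrase(),
        "bek": bde.has_bek(),
    }


def try_unlock(bde, *, recovery_password: str | None = None,
               passphrase: str | None = None, bek_fh: BinaryIO | None = None) -> str | None:
    """Try each protector the volume offers and we have material for, cheapest first.

    A clear key (paused volume) needs no secret at all, so it goes first.
    Returns the name of the method that worked, or None if nothing unlocked the volume.
    """
    if bde.unlocked:
        return "already_unlocked"
    attempts = [
        ("clear_key", bde.has_clear_key(), lambda: bde.unlock_with_clear_key()),
        ("bek", bde.has_bek() and bek_fh is not None, lambda: bde.unlock_with_bek(bek_fh)),
        ("recovery_password", bde.has_recovery_password() and recovery_password is not None,
         lambda: bde.unlock_with_recovery_password(recovery_password)),
        ("passphrase", bde.has_passphrase() and passphrase is not None,
         lambda: bde.unlock_with_passphrase(passphrase)),
    ]
    for name, available, unlock in attempts:
        if not available:
            continue
        try:
            unlock()
        except Exception as exc:  # assumption: a wrong secret raises; move on to the next protector
            log.warning("unlock via %s failed: %s", name, exc)
            continue
        if bde.unlocked:  # do not trust the call alone; confirm with the property
            return name
    return None


def open_volume(path: str, **secrets):
    """Open an image, verify it is Bitlocker, unlock it and return the decrypted stream.

    The dissect import is deferred so the helpers above can be exercised without it installed.
    """
    from dissect.fve.bde.bde import BDE, is_bde_volume

    fh = open(path, "rb")
    if not is_bde_volume(fh):
        fh.close()
        raise ValueError(f"{path} does not look like a Bitlocker volume")
    bde = BDE(fh)
    log.info("Bitlocker v%d, identifiers=%s, paused=%s, protectors=%s",
             bde.version, bde.identifiers, bde.paused, describe_unlock_options(bde))
    if try_unlock(bde, **secrets) is None:
        fh.close()
        raise PermissionError(f"no usable key protector / secret for {path}")
    return bde.open()
```

`open_volume("image.bin", recovery_password="...")` returns the `BitlockerStream`, which reads like the plaintext volume; pass the result to your filesystem parser of choice. When the volume is paused, `try_unlock` succeeds with no secret, which is exactly the case the `has_clear_key()` docstring describes.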
- class dissect.fve.bde.bde.BootSector(fh: BinaryIO)
Bitlocker boot sector parsing.
Bitlocker does some odd things with the boot sector. Instead of trying to make sense of that, do what Microsoft does in their driver: look for specific GUIDs to determine the version.
If no GUIDs can be found, but the Oem string still says -FVE-FS-, we’re dealing with a legacy Vista volume.
- boot_sector
- sector_size
- cluster_size
- guid = None
- information_offsets = []
- eow_offsets = []
- class dissect.fve.bde.bde.BitlockerStream(bde: BDE)
Bases: dissect.util.stream.AlignedStream
Transparently decrypting Bitlocker stream.
Provides a transparently decrypted Bitlocker stream for reading. Takes care of the reserved regions, as well as the virtualized blocks in Vista and newer Bitlocker versions.
For Vista, the first 0x2000 bytes aren’t actually encrypted. The very first sector is obviously modified to contain the Bitlocker information, so when reading that sector we must patch the Oem ID to be the NTFS one, as well as replacing the secondary MFT location with one that’s located in the Information structure.
For newer versions, the first N sectors (usually 16) _are_ encrypted, but have been placed elsewhere on the volume. The location and amount of so-called virtualized sectors are specified in the Information structure.
The Microsoft implementation works on a byte level, for the time being it’s easier for us to work on sector level. I haven’t seen a reason why this would break, yet.
- RUN_PLAIN = 0
- RUN_VISTA_HEADER = 1
- RUN_SPARSE = 2
- RUN_ENCRYPTED = 3
- bde
- sector_size
- is_eow
- dissect.fve.bde.bde.is_bde_volume(fh: BinaryIO) → bool
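The read strategy the BitlockerStream docstring describes (reserved regions are served as null bytes, the Vista header sector is patched on the fly, the relocated "virtualized" sectors of newer versions are fetched from where they actually live, everything else is decrypted), written out as an added example in plain Python. This is not dissect.fve's code: `Layout`, `plan_runs`, `read_decrypted` and their field names are mine; the page names a `Run` attribute but does not show it, so the `Run` tuple here is an assumption; and the XOR "cipher" is a stand-in for the real one so the block runs offline. Like the stream, it works at sector granularity.

```python
"""Sector-run planning in the style of BitlockerStream (added example, not dissect.fve code)."""
from __future__ import annotations

from collections.abc import Callable
from typing import NamedTuple

# Run types as listed on BitlockerStream
RUN_PLAIN = 0          # bytes are stored in the clear; pass them through
RUN_VISTA_HEADER = 1   # Vista boot sector: stored in the clear but patched on read
RUN_SPARSE = 2         # reserved region: the read must "fake" all null bytes
RUN_ENCRYPTED = 3      # ciphertext on disk; decrypt before returning

VISTA_PLAIN_LENGTH = 0x2000  # the first 0x2000 bytes of a Vista volume are not encrypted
NTFS_OEM_ID = b"NTFS    "    # what the Oem ID at offset 3 must read once the volume is unlocked


class Run(NamedTuple):
    """One homogeneous piece of a read: what to do, where the bytes live, how many (assumed shape)."""
    type: int
    source: int   # offset on the underlying volume; differs from the logical offset for virtualized sectors
    length: int


class Layout(NamedTuple):
    """The parts of the BDE/Information structure the planner needs (hypothetical names)."""
    sector_size: int
    is_vista: bool
    reserved_regions: list[tuple[int, int]]  # (offset, length), as BDE.reserved_regions() returns
    virtualized_length: int   # bytes at the start of the volume that were moved elsewhere (0 on Vista)
    virtualized_offset: int   # where those relocated sectors actually live


def _classify(layout: Layout, offset: int, end: int) -> Run:
    """Return the run starting at ``offset`` and extending no further than ``end``."""
    for start, size in layout.reserved_regions:
        if start <= offset < start + size:
            return Run(RUN_SPARSE, offset, min(start + size, end) - offset)
    # A run may never straddle the start of a reserved region.
    stop = min([s for s, _ in layout.reserved_regions if offset < s < end] + [end])
    if layout.is_vista and offset < VISTA_PLAIN_LENGTH:
        if offset < layout.sector_size:
            return Run(RUN_VISTA_HEADER, offset, min(layout.sector_size, stop) - offset)
        return Run(RUN_PLAIN, offset, min(VISTA_PLAIN_LENGTH, stop) - offset)
    if offset < layout.virtualized_length:
        stop = min(layout.virtualized_length, stop)
        return Run(RUN_ENCRYPTED, layout.virtualized_offset + offset, stop - offset)
    return Run(RUN_ENCRYPTED, offset, stop - offset)


def plan_runs(layout: Layout, offset: int, length: int) -> list[Run]:
    """Split a sector-aligned read into runs before touching the disk, as the stream does."""
    if offset % layout.sector_size or length % layout.sector_size:
        raise ValueError("reads are planned at sector granularity")
    runs, end = [], offset + length
    while offset < end:
        run = _classify(layout, offset, end)
        runs.append(run)
        offset += run.length
    return runs


def read_decrypted(layout: Layout, volume: bytes, offset: int, length: int,
                   decrypt: Callable[[bytes], bytes]) -> bytes:
    """Serve a logical read from the raw volume bytes by executing the planned runs."""
    out = bytearray()
    for run in plan_runs(layout, offset, length):
        chunk = volume[run.source:run.source + run.length]
        if run.type == RUN_SPARSE:
            out += bytes(run.length)
        elif run.type == RUN_PLAIN:
            out += chunk
        elif run.type == RUN_VISTA_HEADER:
            # Restore the NTFS Oem ID; the real stream also rewrites the secondary MFT location
            out += chunk[:3] + NTFS_OEM_ID + chunk[11:]
        else:
            out += decrypt(chunk)
    return bytes(out)
```

The planner is what makes the reserved-region rule safe in practice: a read that spans the end of a reserved region is cut at that boundary, so no ciphertext is ever handed to the decryptor together with bytes that must come back as nulls, and a read into the virtualized prefix is redirected without the caller noticing.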