dissect.fve.bde.eow

Module Contents

Classes

EowInformation

BitLocker EOW Information.

EowBitmap

BitLocker EOW Bitmap.

EowBitmapRecord

BitLocker EOW Bitmap Record.

class dissect.fve.bde.eow.EowInformation(fh: BinaryIO, offset: int)

BitLocker EOW Information.

fh
offset
header
is_valid() -> bool
property size: int
property chunk_size: int
property conv_log_size: int
property bitmaps: list[EowBitmap]

class dissect.fve.bde.eow.EowBitmap(fh: BinaryIO, offset: int)

BitLocker EOW Bitmap.

A bitmap contains multiple bitmap records, but only one record is active. The active record is determined by the Lsn field in the header. The record with the highest Lsn is the active record.

It looks like the number of bitmap records is hardcoded to 2, but let’s keep the implementation flexible.

fh
offset
header
__repr__() -> str
is_valid() -> bool
runs(chunk: int, length: int) -> Iterator[tuple[int, int]]
property size: int
property region_offset: int
property region_size: int
property conv_log_offset: int
property active_record: EowBitmapRecord
property records: list[EowBitmapRecord]

class dissect.fve.bde.eow.EowBitmapRecord(fh: BinaryIO)

BitLocker EOW Bitmap Record.

The record holding the actual bitmap. Each bit indicates a chunk with the size defined by the EOW information. The Lsn is the sequence number of that record.

The flags are currently unknown, but seem related to an encrypted/decrypted state.

fh
header
__repr__() -> str
is_valid() -> bool
runs(chunk: int, length: int) -> Iterator[tuple[int, int]]
property size: int
property bitmap: bytes
property bitmap_size: int
property sequence_number: int
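
Added example, not dissect.fve's own code: it illustrates the two rules described for EowBitmap and EowBitmapRecord above, that the record with the highest Lsn is active and that each bit stands for one chunk. The `Record` class, the LSB-first bit order, the skipping of invalid records and all sample values are assumptions of this example; what a set bit means is left uninterpreted.

```python
from dataclasses import dataclass
from itertools import groupby
from typing import Iterator


@dataclass
class Record:
    """Hypothetical stand-in for one bitmap record (not dissect's class)."""
    lsn: int
    bitmap: bytes
    valid: bool = True


def active_record(records: list[Record]) -> Record:
    """Return the record with the highest Lsn; invalid ones are skipped (assumption)."""
    candidates = [r for r in records if r.valid]
    if not candidates:
        raise ValueError("no valid bitmap record")
    return max(candidates, key=lambda r: r.lsn)


def bits(bitmap: bytes, count: int) -> Iterator[int]:
    """Yield `count` bits, least significant bit of each byte first (assumed order)."""
    if count > len(bitmap) * 8:
        raise ValueError("bitmap is shorter than the requested chunk count")
    for i in range(count):
        yield (bitmap[i // 8] >> (i % 8)) & 1


def bit_runs(bitmap: bytes, count: int) -> Iterator[tuple[int, int, int]]:
    """Collapse the bitmap into (bit, first_chunk, chunk_count) runs."""
    pos = 0
    for bit, group in groupby(bits(bitmap, count)):
        n = sum(1 for _ in group)
        yield bit, pos, n
        pos += n


def byte_ranges(bitmap: bytes, count: int, chunk_size: int) -> list[tuple[int, int, int]]:
    """Scale chunk runs to (bit, byte_offset, byte_length) using the EOW chunk size."""
    return [(b, s * chunk_size, n * chunk_size) for b, s, n in bit_runs(bitmap, count)]


# Constructed sample: two valid records plus a newer one that fails validation.
SAMPLE_RECORDS = [
    Record(lsn=7, bitmap=bytes([0xFF, 0x0F])),
    Record(lsn=9, bitmap=bytes([0x0F, 0xF0])),
    Record(lsn=12, bitmap=bytes(2), valid=False),
]
```
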