dissect.fve.bde.information
Module Contents
Classes
Information | Bitlocker Information.
Validation | Bitlocker Information Validation.
Dataset | Bitlocker Information Dataset.
Datum | Bitlocker Dataset Datum.
SimpleDatum | Bitlocker Dataset Datum.
SimpleLargeDatum | Bitlocker Dataset Datum.
GuidDatum | Bitlocker Dataset Datum.
KeyDatum | Bitlocker Dataset Datum.
UnicodeDatum | Bitlocker Dataset Datum.
StretchKeyDatum | Bitlocker Dataset Datum.
UseKeyDatum | Bitlocker Dataset Datum.
AesCcmEncryptedDatum | Bitlocker Dataset Datum.
TpmEncryptedBlobDatum | Bitlocker Dataset Datum.
ValidationInfoDatum | Bitlocker Dataset Datum.
VmkInfoDatum | Bitlocker Dataset Datum.
ExternalInfoDatum | Bitlocker Dataset Datum.
UpdateDatum | Bitlocker Dataset Datum.
ErrorLogDatum | Bitlocker Dataset Datum.
AsymmetricEncryptedDatum | Bitlocker Dataset Datum.
ExportedPublicKeyDatum | Bitlocker Dataset Datum.
PublicKeyInfoDatum | Bitlocker Dataset Datum.
VirtualizationInfoDatum | Bitlocker Dataset Datum.
ConcatHashKeyDatum | Bitlocker Dataset Datum.
BackupInfoDatum | Bitlocker Dataset Datum.
AesCbc256HmacSha512EncryptedDatum | Bitlocker Dataset Datum.
- class dissect.fve.bde.information.Information(fh: BinaryIO, offset: int)
Bitlocker Information.
Parses Bitlocker Information and Dataset at a specified offset.
Bitlocker Information consists of a small header, a Dataset and at least a CRC32 validation check. The CRC32 Validation information is positioned after the Information buffer.
The StateOffset field contains the offset to a conversion log, but it also doubles as a “watermark”, containing the offset up until where the Bitlocker encryption is active. The conversion log pointed to by the StateOffset seems to only be used by older Bitlocker implementations. More modern implementations (Windows 10+) seem to prefer EOW.
- offset
- header
- dataset
- validation
- __repr__() -> str
- is_valid() -> bool
Validate the integrity of this Information block.
- property size: int
- property version: int
- property current_state: dissect.fve.bde.c_bde.FVE_STATE
- property next_state: dissect.fve.bde.c_bde.FVE_STATE
- property state_offset: int
- property state_size: int
- property virtualized_sectors: int
- property virtualized_block_offset: int
- property information_offset: list[int]
- class dissect.fve.bde.information.Validation(fh: BinaryIO)
Bitlocker Information Validation.
The Validation structure is a small piece of data positioned after the Information buffer. It contains a CRC32 value of the entire Information buffer. It also contains an integrity check datum, which is an AES-CCM encrypted datum, encrypted with the same key that decrypts the FVEK. Decrypting the integrity check yields a SHA256 digest, which must match the digest of the entire Information buffer.
- validation
- integrity_check = None
- property version: int
- property crc32: int
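The two checks described for the Validation structure protect against different things, which the following added example (not code from dissect.fve) makes explicit. It takes the already-decrypted SHA256 digest as an input, so the AES-CCM step is out of scope; `Verdict`, `check_information` and the sample buffers are hypothetical names and constructed data.

```python
import hashlib
import hmac
import zlib
from enum import Enum
from typing import Optional


class Verdict(Enum):
    CORRUPT = "CRC32 mismatch"
    UNVERIFIED = "CRC32 matches, integrity digest not available"
    MODIFIED = "CRC32 matches, SHA256 digest does not"
    VERIFIED = "CRC32 and SHA256 digest match"


def check_information(buf: bytes, stored_crc32: int, digest: Optional[bytes] = None) -> Verdict:
    """buf is the entire Information buffer; digest is the decrypted integrity check."""
    # The CRC32 is unkeyed: it catches accidental corruption only.
    if zlib.crc32(buf) != stored_crc32:
        return Verdict.CORRUPT
    # Without the key that decrypts the FVEK the digest cannot be recovered,
    # so the buffer is intact as far as the CRC32 goes but not authenticated.
    if digest is None:
        return Verdict.UNVERIFIED
    # The digest is only readable with the key, so a match authenticates the buffer.
    if not hmac.compare_digest(hashlib.sha256(buf).digest(), digest):
        return Verdict.MODIFIED
    return Verdict.VERIFIED


# Constructed stand-in for an Information buffer and its Validation values.
INFO = b"constructed Information buffer: header + dataset"
CRC = zlib.crc32(INFO)
DIGEST = hashlib.sha256(INFO).digest()

# The same buffer with one byte changed and the CRC32 recomputed to match:
# the CRC32 check passes, the digest check does not.
EDITED = INFO[:-1] + b"X"
EDITED_CRC = zlib.crc32(EDITED)
```

A result of `UNVERIFIED` is the most a tool can report about metadata from a locked volume; only `VERIFIED` says the Information buffer is the one the key holder wrote.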
- class dissect.fve.bde.information.Dataset(fh: BinaryIO)
Bitlocker Information Dataset.
The dataset is a simple data structure, consisting of a small header and one or more “datum”. Each datum has a role and type, and you can query the dataset for datums with a specific role or type. Querying the dataset means iterating the datum array until you find the datum you’re looking for.
- header
- identifier
- property fvek_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
- find_datum(role: dissect.fve.bde.c_bde.FVE_DATUM_ROLE, type_: dissect.fve.bde.c_bde.FVE_DATUM_TYPE) -> Iterator[Datum]
Find one or more datum specified by role and type.
- find_description() -> str | None
Find the description datum.
- find_virtualization_info() -> VirtualizationInfoDatum | None
Find the virtualization info datum.
- find_startup_key() -> ExternalInfoDatum | None
Find the external startup/recovery key information.
- find_fvek() -> AesCcmEncryptedDatum | None
Find the encrypted FVEK.
- find_vmk(protector_type: dissect.fve.bde.c_bde.FVE_KEY_PROTECTOR | None = None, min_priority: int = 0, max_priority: int = 32767, mask: int = 65280) -> Iterator[VmkInfoDatum]
Find one or more VMK datum specified by key priority.
- find_clear_vmk() -> VmkInfoDatum | None
Find the clear key VMK (for paused volumes).
- find_external_vmk() -> Iterator[VmkInfoDatum]
Find the external VMK.
- find_recovery_vmk() -> Iterator[VmkInfoDatum]
Find the recovery VMK.
- find_passphrase_vmk() -> Iterator[VmkInfoDatum]
Find the passphrase VMK.
- class dissect.fve.bde.information.Datum(fh: BinaryIO)
Bitlocker Dataset Datum.
A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.
Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.
Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.
Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.
- __struct__ = None
- __complex__ = False
- MINIMAL_SIZE
- header
- data_segment
- __repr__() -> str
- property role: dissect.fve.bde.c_bde.FVE_DATUM_ROLE
- property type: dissect.fve.bde.c_bde.FVE_DATUM_TYPE
- property size: int
- property data_size: int
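The Dataset and Datum descriptions above, worked through as an added example that is not dissect.fve code: a parser for size/role/type datums with nested datums, data segments and a linear `find_datum`, which rejects sizes that do not fit. The 8-byte header layout, the numeric role and type values, the per-type lengths in `TYPE_TABLE` and all function names are assumptions made for this example.

```python
import io
import struct
from dataclasses import dataclass, field
from typing import BinaryIO, Iterator, List

# Assumed header layout: size, role, type, flags as little-endian 16-bit values.
HEADER = struct.Struct("<HHHH")
MAX_DEPTH = 8  # nesting limit chosen for this example

# Constructed values, not taken from FVE_DATUM_ROLE / FVE_DATUM_TYPE.
ROLE_PROPERTY, ROLE_VMK, ROLE_DESCRIPTION = 0, 2, 7
TYPE_UNICODE, TYPE_AES_CCM, TYPE_VMK_INFO = 2, 5, 8

# type -> (length of the type structure after the header, is the datum complex?)
TYPE_TABLE = {
    TYPE_UNICODE: (0, False),   # the text is the data segment
    TYPE_AES_CCM: (12, False),  # nonce; the ciphertext is the data segment
    TYPE_VMK_INFO: (28, True),  # identifier, time, priority; nested datums follow
}


@dataclass
class Datum:
    role: int
    type: int
    fixed: bytes                  # the type structure
    data_segment: bytes = b""     # whatever is left, for non-complex datums
    children: list = field(default_factory=list)


def read_datum(fh: BinaryIO, depth: int = 0) -> Datum:
    raw = fh.read(HEADER.size)
    if len(raw) != HEADER.size:
        raise ValueError("truncated datum header")
    size, role, type_, _flags = HEADER.unpack(raw)
    if size < HEADER.size:
        raise ValueError("datum size is smaller than its header")
    body = fh.read(size - HEADER.size)
    if len(body) != size - HEADER.size:
        raise ValueError("datum size runs past the enclosing buffer")
    fixed_len, is_complex = TYPE_TABLE.get(type_, (0, False))
    if fixed_len > len(body):
        raise ValueError("datum is shorter than its type structure")
    datum = Datum(role, type_, body[:fixed_len])
    if is_complex:
        # Nested datums are confined to the parent's own bytes.
        datum.children = parse_datums(body[fixed_len:], depth + 1)
    else:
        datum.data_segment = body[fixed_len:]
    return datum


def parse_datums(buf: bytes, depth: int = 0) -> List[Datum]:
    if depth > MAX_DEPTH:
        raise ValueError("datum nesting too deep")
    fh, out = io.BytesIO(buf), []
    while fh.tell() < len(buf):
        out.append(read_datum(fh, depth))
    return out


def find_datum(datums: List[Datum], role: int, type_: int) -> Iterator[Datum]:
    # Querying is a walk over the datum array, yielding the matches.
    return (d for d in datums if d.role == role and d.type == type_)


def pack_datum(role: int, type_: int, payload: bytes) -> bytes:
    return HEADER.pack(HEADER.size + len(payload), role, type_, 1) + payload


# Constructed sample: a description datum and a VMK datum with one nested property.
DESCRIPTION = pack_datum(ROLE_DESCRIPTION, TYPE_UNICODE, "DESKTOP C: 01/01/2024".encode("utf-16-le"))
NESTED_KEY = pack_datum(ROLE_PROPERTY, TYPE_AES_CCM, bytes(12) + b"\xaa" * 44)
SAMPLE = DESCRIPTION + pack_datum(ROLE_VMK, TYPE_VMK_INFO, bytes(28) + NESTED_KEY)
```

Because the size fields come from disk metadata that may be damaged, every length is checked against the bytes actually available before it is used.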
- class dissect.fve.bde.information.SimpleDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property data: int
- class dissect.fve.bde.information.SimpleLargeDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property data: int
- class dissect.fve.bde.information.GuidDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property guid: uuid.UUID
- class dissect.fve.bde.information.KeyDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
- property key_flags: dissect.fve.bde.c_bde.FVE_KEY_FLAG
- class dissect.fve.bde.information.UnicodeDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __repr__() -> str
- property text: str
- class dissect.fve.bde.information.StretchKeyDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __complex__ = True
- __repr__() -> str
- property key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
- property key_flags: dissect.fve.bde.c_bde.FVE_KEY_FLAG
- class dissect.fve.bde.information.UseKeyDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __complex__ = True
- __repr__() -> str
- property key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
- property key_flags: dissect.fve.bde.c_bde.FVE_KEY_FLAG
- class dissect.fve.bde.information.AesCcmEncryptedDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property nonce_time: datetime.datetime | int
- property nonce_counter: int
- class dissect.fve.bde.information.TpmEncryptedBlobDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property pcr_bitmap: int
- class dissect.fve.bde.information.ValidationInfoDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __repr__() -> str
- property allow_list: list[ValidationEntry]
- class dissect.fve.bde.information.VmkInfoDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __complex__ = True
- __repr__() -> str
- property identifier: uuid.UUID
- property datetime: datetime.datetime
- property priority: dissect.fve.bde.c_bde.FVE_KEY_PROTECTOR
- label() -> str
- asymmetric_encrypted_key() -> AsymmetricEncryptedDatum
- exported_key() -> ExportedPublicKeyDatum
- tpm_encrypted_blob() -> TpmEncryptedBlobDatum
- aes_ccm_encrypted_key() -> AesCcmEncryptedDatum
- public_key_info() -> PublicKeyInfoDatum
- use_keys() -> list[UseKeyDatum]
- use_key(key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE) -> UseKeyDatum
- stretch_keys() -> list[StretchKeyDatum]
- stretch_key(key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE) -> StretchKeyDatum
- is_enhanced_pin() -> bool
- is_enhanced_crypto() -> bool
- uses_pbkdf2() -> bool
- class dissect.fve.bde.information.ExternalInfoDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __complex__ = True
- __repr__() -> str
- property identifier: uuid.UUID
- property datetime: datetime.datetime
- label() -> str | None
- class dissect.fve.bde.information.UpdateDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __complex__ = True
- __repr__() -> str
- class dissect.fve.bde.information.ErrorLogDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- class dissect.fve.bde.information.AsymmetricEncryptedDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __repr__() -> str
- class dissect.fve.bde.information.ExportedPublicKeyDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __repr__() -> str
- class dissect.fve.bde.information.PublicKeyInfoDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __repr__() -> str
- class dissect.fve.bde.information.VirtualizationInfoDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- property virtualized_block_offset: int
- property virtualized_block_size: int
- class dissect.fve.bde.information.ConcatHashKeyDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- class dissect.fve.bde.information.BackupInfoDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str
- class dissect.fve.bde.information.AesCbc256HmacSha512EncryptedDatum(fh: BinaryIO)
Bases: Datum
Bitlocker Dataset Datum.
- __struct__
- __repr__() -> str