dissect.fve.bde.information

Module Contents

Classes

Information

Bitlocker Information.

Validation

Bitlocker Information Validation.

Dataset

Bitlocker Information Dataset.

Datum

Bitlocker Dataset Datum.

SimpleDatum

Bitlocker Dataset Datum.

SimpleLargeDatum

Bitlocker Dataset Datum.

GuidDatum

Bitlocker Dataset Datum.

KeyDatum

Bitlocker Dataset Datum.

UnicodeDatum

Bitlocker Dataset Datum.

StretchKeyDatum

Bitlocker Dataset Datum.

UseKeyDatum

Bitlocker Dataset Datum.

AesCcmEncryptedDatum

Bitlocker Dataset Datum.

TpmEncryptedBlobDatum

Bitlocker Dataset Datum.

ValidationEntry

ValidationInfoDatum

Bitlocker Dataset Datum.

VmkInfoDatum

Bitlocker Dataset Datum.

ExternalInfoDatum

Bitlocker Dataset Datum.

UpdateDatum

Bitlocker Dataset Datum.

ErrorLogDatum

Bitlocker Dataset Datum.

AsymmetricEncryptedDatum

Bitlocker Dataset Datum.

ExportedPublicKeyDatum

Bitlocker Dataset Datum.

PublicKeyInfoDatum

Bitlocker Dataset Datum.

VirtualizationInfoDatum

Bitlocker Dataset Datum.

ConcatHashKeyDatum

Bitlocker Dataset Datum.

BackupInfoDatum

Bitlocker Dataset Datum.

AesCbc256HmacSha512EncryptedDatum

Bitlocker Dataset Datum.

class dissect.fve.bde.information.Information(fh: BinaryIO, offset: int)

Bitlocker Information.

Parses Bitlocker Information and Dataset at a specified offset.

Bitlocker Information consists of a small header, a Dataset and at least a CRC32 validation check. The CRC32 Validation information is positioned after the Information buffer.

The StateOffset field contains the offset to a conversion log, but it also doubles as a “watermark”: the offset up to which Bitlocker encryption is active. The conversion log pointed to by StateOffset seems to be used only by older Bitlocker implementations. More modern implementations (Windows 10+) seem to prefer EOW.

offset
header
dataset
validation
__repr__() str
is_valid() bool

Validate the integrity of this Information block.

check_integrity(key: KeyDatum | bytes) bool

Check the integrity of this Information block.

property size: int
property version: int
property current_state: dissect.fve.bde.c_bde.FVE_STATE
property next_state: dissect.fve.bde.c_bde.FVE_STATE
property state_offset: int
property state_size: int
property virtualized_sectors: int
property virtualized_block_offset: int
property information_offset: list[int]
class dissect.fve.bde.information.Validation(fh: BinaryIO)

Bitlocker Information Validation.

The Validation structure is a small piece of data positioned after the Information buffer. It contains a CRC32 value of the entire Information buffer. It also contains an integrity check datum, which is an AES-CCM encrypted datum, encrypted with the same key that decrypts the FVEK. Decrypting the integrity check yields a SHA256 digest, which must match the digest of the entire Information buffer.

validation
integrity_check = None
property version: int
property crc32: int
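
Why the Validation structure carries two checks, as an added example (not dissect.fve's own code): CRC32 is unkeyed and only catches accidental damage, while the SHA256 digest recovered from the encrypted integrity datum also catches edits. The AES-CCM unboxing is not reproduced here; `unboxed_digest`, `triage` and the sample buffers are names and data constructed for the example.

```python
import hashlib
import hmac
import zlib
from typing import Optional


def crc32_matches(info_buf: bytes, stored_crc32: int) -> bool:
    """Unkeyed check: detects accidental corruption of the buffer."""
    return (zlib.crc32(info_buf) & 0xFFFFFFFF) == stored_crc32


def digest_matches(info_buf: bytes, unboxed_digest: bytes) -> bool:
    """Keyed check: compare with the digest recovered from the integrity datum."""
    actual = hashlib.sha256(info_buf).digest()
    return hmac.compare_digest(actual, unboxed_digest)


def triage(info_buf: bytes, stored_crc32: int,
           unboxed_digest: Optional[bytes]) -> str:
    """Classify an Information buffer using both checks."""
    if not crc32_matches(info_buf, stored_crc32):
        return "corrupt"
    if unboxed_digest is None:
        return "crc-only"  # no key available, so authenticity is unknown
    return "intact" if digest_matches(info_buf, unboxed_digest) else "modified"


# Constructed sample buffer and the values recorded for it.
ORIGINAL = b"constructed Information header" + bytes(64)
STORED_CRC = zlib.crc32(ORIGINAL) & 0xFFFFFFFF
STORED_DIGEST = hashlib.sha256(ORIGINAL).digest()  # as recovered with the key

# Accidental damage: one byte changed, stored CRC32 left as it was.
DAMAGED = ORIGINAL[:10] + b"\x00" + ORIGINAL[11:]

# Edited buffer whose CRC32 was recomputed afterwards; the sealed digest
# cannot be recomputed without the key, so it still reflects ORIGINAL.
EDITED = ORIGINAL[:-1] + b"\x01"
EDITED_CRC = zlib.crc32(EDITED) & 0xFFFFFFFF

if __name__ == "__main__":
    print(triage(ORIGINAL, STORED_CRC, STORED_DIGEST))
    print(triage(DAMAGED, STORED_CRC, STORED_DIGEST))
    print(triage(EDITED, EDITED_CRC, STORED_DIGEST))
    print(triage(EDITED, EDITED_CRC, None))
```

A passing CRC32 alone therefore says nothing about whether the metadata is authentic; only the keyed check does.
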
class dissect.fve.bde.information.Dataset(fh: BinaryIO)

Bitlocker Information Dataset.

The dataset is a simple data structure, consisting of a small header and one or more datums. Each datum has a role and type, and you can query the dataset for datums with a specific role or type. Querying the dataset means iterating the datum array until you find the datum you’re looking for.

header
identifier
__iter__() Iterator[Datum]
property data: list[Datum]

Return the list of Datum in this Dataset.

property fvek_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
find_datum(role: dissect.fve.bde.c_bde.FVE_DATUM_ROLE, type_: dissect.fve.bde.c_bde.FVE_DATUM_TYPE) Iterator[Datum]

Find one or more datums specified by role and type.

find_description() str | None

Find the description datum.

find_virtualization_info() VirtualizationInfoDatum | None

Find the virtualization info datum.

find_startup_key() ExternalInfoDatum | None

Find the external startup/recovery key information.

find_fvek() AesCcmEncryptedDatum | None

Find the encrypted FVEK.

find_vmk(protector_type: dissect.fve.bde.c_bde.FVE_KEY_PROTECTOR | None = None, min_priority: int = 0, max_priority: int = 32767, mask: int = 65280) Iterator[VmkInfoDatum]

Find one or more VMK datums specified by key priority.

find_clear_vmk() VmkInfoDatum | None

Find the clear key VMK (for paused volumes).

find_external_vmk() Iterator[VmkInfoDatum]

Find the external VMK.

find_recovery_vmk() Iterator[VmkInfoDatum]

Find the recovery VMK.

find_passphrase_vmk() Iterator[VmkInfoDatum]

Find the passphrase VMK.

class dissect.fve.bde.information.Datum(fh: BinaryIO)

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__ = None
__complex__ = False
MINIMAL_SIZE
header
data_segment
__repr__() str
property role: dissect.fve.bde.c_bde.FVE_DATUM_ROLE
property type: dissect.fve.bde.c_bde.FVE_DATUM_TYPE
property size: int
property data_size: int
property properties: list[Datum]

Return a list of property datums if this datum is complex.

classmethod from_fh(fh: BinaryIO) Datum

Read a datum from a file handle.

classmethod from_bytes(buf: bytes) Datum

Read a datum from raw bytes.

find_property(type_: dissect.fve.bde.c_bde.FVE_DATUM_TYPE | None) Iterator[Datum]

Find one or more datums with a specified type within the properties.
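
The datum layout and the dataset query described above, as an added standard-library example (not dissect.fve's own code). The 8-byte header layout, the numeric role and type ids, and the fixed structure sizes in `TYPE_TABLE` are assumptions made for the example; the size checks reject inconsistent on-disk lengths before any slicing happens.

```python
import struct
from dataclasses import dataclass, field

# Assumed layout (not given on this page): <HHHH = size, role, type, flags.
HEADER = struct.Struct("<HHHH")
MAX_DEPTH = 8  # refuse runaway nesting in damaged or hostile metadata

# Illustrative role and type ids, constructed for this example.
ROLE_PROPERTY, ROLE_VMK, ROLE_DESCRIPTION = 0, 2, 7
T_KEY, T_UNICODE, T_STRETCH_KEY, T_VMK_INFO = 1, 2, 3, 8

# Hypothetical minimal-size table: type id -> (fixed structure size, complex).
TYPE_TABLE = {
    T_KEY: (4, False),          # key type + flags; key bytes are the data segment
    T_UNICODE: (0, False),      # the whole payload is the data segment
    T_STRETCH_KEY: (20, True),  # key type + flags + 16-byte salt, then properties
    T_VMK_INFO: (28, True),     # identifier, timestamp, priority, then properties
}


@dataclass
class ParsedDatum:
    role: int
    type: int
    struct_bytes: bytes
    data_segment: bytes = b""
    properties: list = field(default_factory=list)


def parse_datum(buf: bytes, offset: int = 0, depth: int = 0):
    """Parse one datum at offset and return (datum, bytes consumed)."""
    if depth > MAX_DEPTH:
        raise ValueError("datum nesting too deep")
    if len(buf) - offset < HEADER.size:
        raise ValueError("truncated datum header")
    size, role, type_, _flags = HEADER.unpack_from(buf, offset)
    fixed, is_complex = TYPE_TABLE.get(type_, (0, False))
    if size < HEADER.size + fixed:
        raise ValueError(f"type {type_}: size {size} below minimal size")
    if offset + size > len(buf):
        raise ValueError(f"type {type_}: size {size} runs past the buffer")
    start = offset + HEADER.size
    rest = buf[start + fixed:offset + size]
    datum = ParsedDatum(role, type_, buf[start:start + fixed])
    if is_complex:
        datum.properties = parse_datums(rest, depth + 1)
        if any(p.role != ROLE_PROPERTY for p in datum.properties):
            raise ValueError("nested datum without the PROPERTY role")
    else:
        datum.data_segment = rest
    return datum, size


def parse_datums(buf: bytes, depth: int = 0) -> list:
    """Parse a back-to-back datum array (a dataset or a complex datum's tail)."""
    out, offset = [], 0
    while offset < len(buf):
        datum, size = parse_datum(buf, offset, depth)
        out.append(datum)
        offset += size
    return out


def find_datum(data: list, role: int, type_: int):
    """Linear scan by role and type, as the dataset query is described."""
    return (d for d in data if d.role == role and d.type == type_)


def build(role: int, type_: int, payload: bytes = b"") -> bytes:
    return HEADER.pack(HEADER.size + len(payload), role, type_, 0) + payload


# Constructed sample: a description plus a VMK holding a label and a stretch key.
KEY = build(ROLE_PROPERTY, T_KEY, bytes(4) + b"\xaa" * 32)
STRETCH = build(ROLE_PROPERTY, T_STRETCH_KEY, bytes(4) + bytes(range(16)) + KEY)
LABEL = build(ROLE_PROPERTY, T_UNICODE, "Passphrase".encode("utf-16-le"))
DESCRIPTION = build(ROLE_DESCRIPTION, T_UNICODE, "HOST C:".encode("utf-16-le"))
SAMPLE = DESCRIPTION + build(ROLE_VMK, T_VMK_INFO, bytes(28) + LABEL + STRETCH)
```
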

class dissect.fve.bde.information.SimpleDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property data: int
class dissect.fve.bde.information.SimpleLargeDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property data: int
class dissect.fve.bde.information.GuidDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property guid: uuid.UUID
class dissect.fve.bde.information.KeyDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
property key_flags: dissect.fve.bde.c_bde.FVE_KEY_FLAG
property data: bytes
class dissect.fve.bde.information.UnicodeDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__repr__() str
property text: str
class dissect.fve.bde.information.StretchKeyDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__complex__ = True
__repr__() str
property key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
property key_flags: dissect.fve.bde.c_bde.FVE_KEY_FLAG
property salt: bytes
class dissect.fve.bde.information.UseKeyDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__complex__ = True
__repr__() str
property key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE
property key_flags: dissect.fve.bde.c_bde.FVE_KEY_FLAG
class dissect.fve.bde.information.AesCcmEncryptedDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property nonce: bytes
property nonce_time: datetime.datetime | int
property nonce_counter: int
property mac: bytes
property data: bytes
unbox(key: KeyDatum | bytes) Datum
class dissect.fve.bde.information.TpmEncryptedBlobDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property pcr_bitmap: int
property data: bytes
class dissect.fve.bde.information.ValidationEntry(fh)
__repr__() str
property hash: bytes
class dissect.fve.bde.information.ValidationInfoDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__repr__() str
property allow_list: list[ValidationEntry]
class dissect.fve.bde.information.VmkInfoDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__complex__ = True
__repr__() str
property identifier: uuid.UUID
property datetime: datetime.datetime
property priority: dissect.fve.bde.c_bde.FVE_KEY_PROTECTOR
decrypt(key: KeyDatum | bytes) KeyDatum
label() str
asymmetric_encrypted_key() AsymmetricEncryptedDatum
exported_key() ExportedPublicKeyDatum
tpm_encrypted_blob() TpmEncryptedBlobDatum
aes_ccm_encrypted_key() AesCcmEncryptedDatum
public_key_info() PublicKeyInfoDatum
use_keys() list[UseKeyDatum]
use_key(key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE) UseKeyDatum
stretch_keys() list[StretchKeyDatum]
stretch_key(key_type: dissect.fve.bde.c_bde.FVE_KEY_TYPE) StretchKeyDatum
clear_key() KeyDatum
is_enhanced_pin() bool
is_enhanced_crypto() bool
uses_pbkdf2() bool
class dissect.fve.bde.information.ExternalInfoDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__complex__ = True
__repr__() str
property identifier: uuid.UUID
property datetime: datetime.datetime
label() str | None
external_key() KeyDatum | None
class dissect.fve.bde.information.UpdateDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__complex__ = True
__repr__() str
class dissect.fve.bde.information.ErrorLogDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
class dissect.fve.bde.information.AsymmetricEncryptedDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__repr__() str
property data: bytes
class dissect.fve.bde.information.ExportedPublicKeyDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__repr__() str
property data: bytes
class dissect.fve.bde.information.PublicKeyInfoDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__repr__() str
property data: bytes
class dissect.fve.bde.information.VirtualizationInfoDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property virtualized_block_offset: int
property virtualized_block_size: int
class dissect.fve.bde.information.ConcatHashKeyDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
class dissect.fve.bde.information.BackupInfoDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
class dissect.fve.bde.information.AesCbc256HmacSha512EncryptedDatum(fh: BinaryIO)

Bases: Datum

Bitlocker Dataset Datum.

A Datum is the main metadata structure in Bitlocker. It’s a small data structure, specifying a size, role and type, followed by the necessary data to interpret that datum type.

Datums can be “complex”, in which case they can contain nested datums. These nested datums always have the PROPERTY role.

Datums can also have a data segment. A data segment is present if a datum is not complex, but contains data beyond the size of that datum’s type structure.

Originally, this information is stored in a table, also containing a type’s minimal size. This implementation doesn’t currently do that, instead relying on reading from a file handle with cstruct. Whatever is left on the file handle is the data segment.

__struct__
__repr__() str
property iv: bytes
property mac: bytes
property data: bytes