dissect.fve


A Dissect module implementing parsers for full volume encryption implementations, currently Microsoft’s BitLocker Disk Encryption (BDE) and Linux Unified Key Setup (LUKS1 and LUKS2).

  • Full volume and disk encryption schemes

    • BDE (BitLocker Disk Encryption)

    • LUKS (Linux Unified Key Setup)

Installation

dissect.fve is available on PyPI.

$ pip install dissect.fve

This module is also automatically installed if you install the dissect package.

Usage

This package is a library with a CLI tool, so you primarily interact with it from Python. For example, to open and decrypt a BitLocker encrypted volume for reading:

from dissect.fve import BDE
from dissect.ntfs import NTFS

with open("path/to/bitlocker/file.dd", "rb") as fh:
    bde = BDE(fh)
    bde.unlock_with_passphrase("kusjesvansrt<3")

    fs = NTFS(bde.open())
    print(fs.get("/").listdir())

    file_fh = fs.get("/file.txt").open()  # This is just another file-like object
    print(file_fh.read())

Tools

fve-dd - CLI interface

Utility to decrypt BitLocker or LUKS volumes and write them to a file.

fve-dd [-h] [-p PASSPHRASE] [-r RECOVERY] [-f UNLOCK_FILE] [--key-slot KEY_SLOT]
       [--keyfile-offset KEYFILE_OFFSET] [--keyfile-size KEYFILE_SIZE] -o OUTPUT [-v]
       input

fve-dd positional arguments

  • input - path to container with encrypted volume (default: None)

fve-dd optional arguments

  • -h, --help - show this help message and exit

  • -p PASSPHRASE, --passphrase PASSPHRASE - user passphrase (default: None)

  • -r RECOVERY, --recovery RECOVERY - recovery passphrase (default: None)

  • -f UNLOCK_FILE, --unlock-file UNLOCK_FILE - unlock file (default: None)

  • --key-slot KEY_SLOT - LUKS keyslot (default: None)

  • --keyfile-offset KEYFILE_OFFSET - LUKS keyfile offset (default: None)

  • --keyfile-size KEYFILE_SIZE - LUKS keyfile size (default: None)

  • -o OUTPUT, --output OUTPUT - path to output file (default: None)

  • -v, --verbose - increase output verbosity (default: 3)
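
The key slot and keyfile options above apply only to LUKS, so it helps to know which scheme a container holds before choosing how to unlock it. The following is an added example, not code from dissect.fve: it identifies BDE, LUKS1 or LUKS2 from the first sector of a volume using the on-disk signatures. The names identify_fve and constructed_image are hypothetical, and the sample images are constructed in memory.

```python
import io
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # LUKS1/LUKS2 primary header magic at offset 0
BDE_OEM_ID = b"-FVE-FS-"      # BitLocker OEM ID in the volume boot sector at offset 3


def identify_fve(fh, volume_offset=0):
    """Return "LUKS1", "LUKS2", "BDE" or None for the volume at volume_offset.

    volume_offset is the byte offset of the volume inside the image, for
    example the start of a partition in a full-disk image.
    """
    fh.seek(volume_offset)
    sector = fh.read(512)

    # LUKS: 6-byte magic followed by a big-endian uint16 version field.
    if len(sector) >= 8 and sector[:6] == LUKS_MAGIC:
        (version,) = struct.unpack_from(">H", sector, 6)
        # Magic with an unknown version: report nothing rather than guess.
        return f"LUKS{version}" if version in (1, 2) else None

    # BitLocker: bytes 0-2 hold the boot jump instruction, the OEM ID
    # field that follows is set to "-FVE-FS-" instead of "NTFS    ".
    if len(sector) >= 11 and sector[3:11] == BDE_OEM_ID:
        return "BDE"

    return None


def constructed_image(header, pad_before=0):
    """Build a constructed in-memory sample: padding, header, zero fill."""
    return io.BytesIO(b"\x00" * pad_before + header.ljust(512, b"\x00"))


if __name__ == "__main__":
    samples = {
        "luks1": constructed_image(LUKS_MAGIC + struct.pack(">H", 1)),
        "luks2": constructed_image(LUKS_MAGIC + struct.pack(">H", 2)),
        "bde": constructed_image(b"\xeb\x58\x90" + BDE_OEM_ID),
        "plain ntfs": constructed_image(b"\xeb\x52\x90NTFS    "),
    }
    for name, fh in samples.items():
        print(f"{name}: {identify_fve(fh)}")
```

Only the primary header at the given offset is checked; a None result means no known signature was found there, not that the volume is unencrypted.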

Reference

For more details, please refer to the API documentation of dissect.fve.