dissect.fve


A Dissect module implementing parsers for full volume encryption implementations, currently Microsoft’s BitLocker Disk Encryption (BDE) and Linux Unified Key Setup (LUKS1 and LUKS2).

  • Full volume and disk encryption schemes

    • Microsoft BitLocker Disk Encryption (all configurations and versions, including EOW): BDE

    • Linux Unified Key Setup (LUKS1 and LUKS2): LUKS

Installation

dissect.fve is available on PyPI.

$ pip install dissect.fve

This module is also automatically installed if you install the dissect package.

Usage

This package is a library with a CLI tool, so you primarily interact with it from Python. For example, to open and decrypt a BitLocker encrypted volume for reading:

from dissect.fve import BDE
from dissect.ntfs import NTFS

with open("path/to/bitlocker/file.dd", "rb") as fh:
    bde = BDE(fh)
    bde.unlock_with_passphrase("kusjesvansrt<3")

    fs = NTFS(bde.open())
    print(fs.get("/").listdir())

    file_fh = fs.get("/file.txt").open()  # This is just another file-like object
    print(file_fh.read())

Tools

fve-dd

The fve-dd tool is used to decrypt Microsoft BitLocker (BDE) or Linux Unified Key Setup (LUKS1 and LUKS2) volumes and write the decrypted content to a file.

If the input file is a disk with multiple volumes/partitions, the output file will be a disk image with the same partition layout, with the encrypted volumes replaced by their decrypted content. If the input file is a single encrypted volume, the output file will be a raw image of the decrypted volume.

fve-dd - CLI interface

Utility to decrypt BitLocker or LUKS volumes and write them to a file.

fve-dd [-h] [-p PASSPHRASE] [-r RECOVERY] [-f UNLOCK_FILE] [--key-slot KEY_SLOT]
       [--keyfile-offset KEYFILE_OFFSET] [--keyfile-size KEYFILE_SIZE] -o OUTPUT [-v]
       input

fve-dd positional arguments
  • input - path to container with encrypted volume (default: None)

fve-dd options
  • -h, --help - show this help message and exit

  • -p PASSPHRASE, --passphrase PASSPHRASE - user passphrase (default: None)

  • -r RECOVERY, --recovery RECOVERY - recovery passphrase (default: None)

  • -f UNLOCK_FILE, --unlock-file UNLOCK_FILE - unlock file (default: None)

  • --key-slot KEY_SLOT - LUKS keyslot (default: None)

  • --keyfile-offset KEYFILE_OFFSET - LUKS keyfile offset (default: None)

  • --keyfile-size KEYFILE_SIZE - LUKS keyfile size (default: None)

  • -o OUTPUT, --output OUTPUT - path to output file (default: None)

  • -v, --verbose - increase output verbosity (default: 3)

Examples

BitLocker or LUKS volumes with passphrase:

$ fve-dd encrypted.dd -p "mypassphrase" -o decrypted_volume.dd

BitLocker volumes with recovery password:

$ fve-dd encrypted.dd -r "123456-789012-345678-901234-567890-123456-789012-345678" -o decrypted.dd
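A check you can run on a transcribed recovery password before passing it to -r, as an added example that is not part of dissect.fve: each of the eight groups must be a multiple of 11 whose quotient fits in 16 bits, and the eight quotients packed little-endian form the 16-byte value the password encodes. The function name and sample values are constructed for illustration; a format placeholder such as the one in the command above does not pass this check.

```python
from __future__ import annotations

import struct


def check_recovery_password(password: str) -> tuple[bytes | None, list[str]]:
    """Validate the structure of a BitLocker recovery password.

    Returns (key, problems). key is the 16 bytes the password encodes,
    or None when problems explains why the input is malformed.
    """
    groups = password.strip().split("-")
    if len(groups) != 8:
        return None, [f"expected 8 groups, found {len(groups)}"]

    values, problems = [], []
    for idx, group in enumerate(groups, start=1):
        if len(group) != 6 or not (group.isascii() and group.isdigit()):
            problems.append(f"group {idx}: not six decimal digits")
            continue
        quotient, remainder = divmod(int(group), 11)
        if remainder:
            # A single mistyped digit always breaks divisibility by 11.
            problems.append(f"group {idx}: not a multiple of 11")
        elif quotient > 0xFFFF:
            problems.append(f"group {idx}: does not fit in 16 bits")
        else:
            values.append(quotient)

    if problems:
        return None, problems
    return struct.pack("<8H", *values), []


# Constructed sample: eight arbitrary 16-bit values encoded as a password.
CONSTRUCTED_VALUES = (1, 2, 65535, 0, 4660, 100, 200, 300)
CONSTRUCTED_PASSWORD = "-".join(f"{v * 11:06d}" for v in CONSTRUCTED_VALUES)

if __name__ == "__main__":
    placeholder = "-".join(["123456", "789012", "345678", "901234"] * 2)
    for candidate in (CONSTRUCTED_PASSWORD, placeholder):
        key, problems = check_recovery_password(candidate)
        print(candidate)
        print("  ok, key bytes:", key.hex() if key else None)
        for problem in problems:
            print("  problem:", problem)
```

A password that passes is only well-formed; whether it unlocks a given volume is still decided by fve-dd.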

BitLocker volumes with .BEK file:

BitLocker External Key (BEK) files can be used to unlock BitLocker encrypted volumes. These files are typically stored on removable media like USB drives.

$ fve-dd encrypted.dd -f /path/to/recovery_key.BEK -o decrypted.dd

LUKS volumes with key file:

LUKS key files contain the encryption key and can be used instead of a passphrase.

$ fve-dd encrypted.dd -f /path/to/keyfile -o decrypted.dd

LUKS volumes with specific key slot:

You can specify which key slot to use when unlocking a LUKS volume:

$ fve-dd encrypted.dd -f /path/to/keyfile --key-slot 0 -o decrypted.dd

LUKS volumes with key file offset and size:

Similar to the cryptsetup utility, you can specify the offset and size within a key file:

$ fve-dd encrypted.dd -f /path/to/keyfile --keyfile-offset 512 --keyfile-size 32 -o decrypted.dd

Reference

For more details, please refer to the API documentation of dissect.fve.