Decrypting Damaged BitLocker Protected Volumes

Recently I had the chance to examine a Windows 7 system protected by Bitlocker Drive Encryption (BDE). While I was ultimately successful in recovering the encrypted drive, the case showed me that parts of my 2009 paper on BDE [1] were inaccurate or omitted pertinent information. The remainder of this post corrects and fills in the gaps of that paper and provides some details about the changes Microsoft has made to Bitlocker since it was published. Before getting started with those details, I have to credit Nitin and Vipin Kumar for posting details and source code for reading Bitlocker protected volumes [2]. Their work was invaluable when writing the original paper, and proved so again in this case.

First, in my paper I was incorrect when I stated that the size of the Full Volume Encryption Key (FVEK) was always 512 bits. As Kumar and Kumar note, the size of the key varies based on the algorithm being used. The FVEK is 512 bits if either of the Elephant diffuser modes is used. But if they are not being used, the key is the same size as the encryption strength. That is, when working in AES128 mode the FVEK is 128 bits, and when in AES256 mode, the FVEK is 256 bits.

Second, when the Elephant diffuser is not in use, each sector is encrypted and decrypted using AES in CBC mode with the initialization vector set to all zeros. The sector number has no impact on the encryption process. As a side note, the practical effect of this decision is that identical sectors will appear identical in both ciphertext and plaintext. Whether or not that's a practical advantage for an attacker is debatable, but my personal recommendation is to use one of the Elephant diffuser modes.
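The following Go program is an added illustration of the two points above; it is not code from this post or from Scarlet. It maps each mode to the FVEK size just described, models the no-diffuser sector encryption exactly as the post states it (AES-CBC with an all-zero IV, the sector number playing no part), and then shows the forensic side effect: identical plaintext sectors in a no-diffuser volume can be spotted as identical ciphertext sectors without the key. The Mode constants, the 512-byte sector size and the key bytes are constructed for the example and are not the values stored in BitLocker's own metadata; the diffuser modes are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Mode names the four BitLocker modes the post discusses.
// Constructed identifiers for this example, not the FVE metadata values.
type Mode int

const (
	AES128Diffuser Mode = iota // AES-128 CBC + Elephant diffuser
	AES256Diffuser             // AES-256 CBC + Elephant diffuser
	AES128                     // AES-128 CBC, no diffuser
	AES256                     // AES-256 CBC, no diffuser
)

// FVEKBits returns the FVEK size the post describes: 512 bits whenever an
// Elephant diffuser mode is used, otherwise the AES key size itself.
func FVEKBits(m Mode) (int, error) {
	switch m {
	case AES128Diffuser, AES256Diffuser:
		return 512, nil
	case AES128:
		return 128, nil
	case AES256:
		return 256, nil
	}
	return 0, errors.New("unknown mode")
}

// SectorSize is the sector length used by this example (constructed value).
const SectorSize = 512

// zeroIV is the all-zero IV the post describes for the no-diffuser modes;
// nothing sector-specific is mixed into the encryption.
var zeroIV = make([]byte, aes.BlockSize)

// cbc runs AES-CBC over one sector with the zero IV. The key is the FVEK,
// so it must be 16 bytes (AES128) or 32 bytes (AES256).
func cbc(key, in []byte, decrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("sector length must be a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	var mode cipher.BlockMode
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, zeroIV)
	} else {
		mode = cipher.NewCBCEncrypter(block, zeroIV)
	}
	mode.CryptBlocks(out, in)
	return out, nil
}

// EncryptSector and DecryptSector take a sector number only to make the
// post's point explicit: it is deliberately unused and has no effect.
func EncryptSector(fvek []byte, sectorNumber uint64, plain []byte) ([]byte, error) {
	_ = sectorNumber
	return cbc(fvek, plain, false)
}

func DecryptSector(fvek []byte, sectorNumber uint64, ct []byte) ([]byte, error) {
	_ = sectorNumber
	return cbc(fvek, ct, true)
}

// DuplicateSectors groups the sectors of an encrypted image by content and
// returns every group seen more than once, keyed by the SHA-256 of the
// ciphertext sector. No key is needed: on a no-diffuser volume, identical
// plaintext sectors (e.g. unused all-zero sectors) encrypt identically.
func DuplicateSectors(image []byte) map[string][]int {
	seen := map[string][]int{}
	for i := 0; i+SectorSize <= len(image); i += SectorSize {
		h := sha256.Sum256(image[i : i+SectorSize])
		k := hex.EncodeToString(h[:])
		seen[k] = append(seen[k], i/SectorSize)
	}
	dups := map[string][]int{}
	for k, idx := range seen {
		if len(idx) > 1 {
			dups[k] = idx
		}
	}
	return dups
}

func main() {
	// Constructed 256-bit key standing in for the FVEK of an AES256 volume.
	fvek := bytes.Repeat([]byte{0x42}, 32)
	zero := make([]byte, SectorSize)
	text := bytes.Repeat([]byte("sector!!"), SectorSize/8)
	var image []byte
	for n, p := range [][]byte{zero, text, zero, text, zero} {
		ct, err := EncryptSector(fvek, uint64(n), p)
		if err != nil {
			panic(err)
		}
		image = append(image, ct...)
	}
	for k, idx := range DuplicateSectors(image) {
		fmt.Printf("ciphertext sector %s... appears at sectors %v\n", k[:12], idx)
	}
	bits, _ := FVEKBits(AES256)
	fmt.Println("FVEK bits for AES256 without diffuser:", bits)
}
```

Run it with `go run`: the three all-zero sectors and the two text sectors each come out as one duplicate group, which is exactly the equality leak the post mentions, and the only countermeasure it offers is to use a diffuser mode.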

Third, my paper did not specify how Windows would deal with a BDE protected volume if the volume header becomes damaged. My current case involved such a damaged drive and I now have an idea of how Windows handles this situation: it doesn't. Neither BDE nor the repair-bde [3] program was able to make heads or tails of the volume. I had to write a custom program, “Scarlet,” which could decrypt the volume [4].

Finally, the changes in Bitlocker version two are documented in my presentation on BitLocker to go [5]. These include things like the new metadata format and passwords as volume protectors.

(Cross posted at: http://jessekornblum.livejournal.com/281123.html)

[1] Jesse Kornblum, Implementing BitLocker Drive Encryption for Forensic Analysis, Journal of Digital Investigation, 2009, 5(3), pp. 75-84. http://jessekornblum.com/publications/di09.html
[2] Nitin and Vipin Kumar, Analysis of Windows Vista Bitlocker Drive Encryption. http://nvlabs.in/
[3] Microsoft Corporation, How to use the BitLocker Repair Tool to help recover data from an encrypted volume in Windows Vista or in Windows Server 2008, 2010. http://support.microsoft.com/kb/928201
[4] Why Scarlet? Because frankly, I don't give a damn how you get the keys, but you have to have the keys to decrypt the drive. Margaret Mitchell (novel) and Sidney Howard (screenplay), Gone with the Wind, Warner Brothers Pictures, 1939.
[5] Jesse Kornblum, BitLocker to Go, DoD Cyber Crime Conference, 2010. http://jessekornblum.com/presentations/dodcc10-1.pdf