Inspecting BitLocker encrypted drive in Kali Linux

In this blog post we are inspecting the BitLocker encrypted drive we encrypted in part 2 using Kali Linux. In this tutorial we have booted the Kali Linux in Live CD/USB mode without persistent storage. We are going to use the Dislocker tool to inspect the encrypted BitLocker drive/partition.

Installing the Dislocker tool

Although Kali Linux includes plenty of security tools, it still lacks Dislocker (as of writing, 31/7/2017). This tutorial covers the steps needed to install Dislocker on Kali and other Ubuntu/Debian derivatives. If you are using a different distribution the procedure may differ. First we need to install the prerequisites for compiling dislocker.

apt-get install gcc make cmake ruby-dev libmbedtls-dev libfuse-dev # Install prerequisites
Installing the Dislocker prerequisites.
wget # Download dislocker
tar xzvf dislocker-0.7.1.tar.gz # Decompress and extract the tarball
Downloading dislocker and extracting it to disk (on a Live CD without persistence the files actually end up in RAM).
cd dislocker-0.7.1/ # Change into the dislocker directory
cmake . # <-- The dot is important
Generating the Makefiles with cmake.
make # Compile
make install # Install into the system
Compiling dislocker (make) and installing it (make install).

Usage of the Dislocker

Identifying the encrypted BitLocker partitions

Linux recognizes BitLocker-encrypted partitions as ordinary NTFS partitions (partition type 7). Below is the output of the fdisk utility.

root@kali:~# fdisk /dev/sda

Welcome to fdisk (util-linux 2.29.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): p
Disk /dev/sda: 32 GiB, 34359738368 bytes, 67108864 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xbd8380f0

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 1026047 1024000 500M 7 HPFS/NTFS/exFAT
/dev/sda2 1026048 67106815 66080768 31.5G 7 HPFS/NTFS/exFAT

Command (m for help):

Partition /dev/sda1 is the Windows boot partition, which contains the BitLocker-enabled bootloader.

mkdir /mnt/sda1 # Create the mount target directory
mount /dev/sda1 /mnt/sda1 # Mount the partition onto the directory
ls -l /mnt/sda1 # List the contents of the boot partition
Contents of the Windows boot partition of the BitLocker-encrypted system.

When trying to mount the primary Windows partition, mount fails with a "wrong fs type" error.

mkdir /mnt/sda2 # Create the mount target directory
mount /dev/sda2 /mnt/sda2 # Fails: the volume is not plain NTFS
The encrypted partition cannot be mounted as NTFS.

The dislocker-find tool identifies encrypted BitLocker partitions, printing each one on its own line.

dislocker-find identifying the encrypted BitLocker partitions.
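To make the "wrong fs type" error concrete, here is an added shell example (not from the original post or the Dislocker project) that performs the same boot-sector signature check dislocker-find relies on, run over constructed sample images rather than real disks; the device-name globs in find_bitlocker_volumes are an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): reproduce the signature check
# behind dislocker-find. An NTFS volume carries the OEM ID "NTFS    " at byte
# offset 3 of its first sector; a BitLocker-encrypted volume carries "-FVE-FS-"
# there instead, which is why mount(8) rejects it as NTFS even though fdisk
# still shows partition type 7.

# Print the 8-byte OEM ID found at offset 3 of a device or image file.
oem_id() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null
}

# Classify a device or image file: prints "bitlocker", "ntfs" or "unknown".
classify_volume() {
    case "$(oem_id "$1")" in
        '-FVE-FS-') echo bitlocker ;;
        'NTFS    ') echo ntfs ;;
        *)          echo unknown ;;
    esac
}

# Scan partitions the way dislocker-find does (reading /dev/sd* needs root).
# The device globs are an assumption covering common SATA/SCSI and NVMe names.
find_bitlocker_volumes() {
    for dev in /dev/sd[a-z][0-9]* /dev/nvme[0-9]n[0-9]p[0-9]*; do
        [ -b "$dev" ] || continue
        if [ "$(classify_volume "$dev")" = bitlocker ]; then echo "$dev"; fi
    done
}

# Build a constructed 512-byte boot sector: 3-byte jump, OEM ID, zero padding.
# $1 = output file, $2 = OEM ID string (exactly 8 characters).
make_sample() {
    { printf '\353\122\220%s' "$2"; dd if=/dev/zero bs=1 count=501 2>/dev/null; } > "$1"
}

# Demonstrate on constructed images rather than real disks.
demo_dir="${TMPDIR:-/tmp}/bitlocker-demo.$$"
mkdir -p "$demo_dir"
make_sample "$demo_dir/bitlocker.img" '-FVE-FS-'
make_sample "$demo_dir/ntfs.img"      'NTFS    '
make_sample "$demo_dir/fat.img"       'MSDOS5.0'
for img in "$demo_dir"/*.img; do
    printf '%s: %s\n' "$img" "$(classify_volume "$img")"
done
rm -rf "$demo_dir"
```

On a live system, run find_bitlocker_volumes as root to get the same partition list dislocker-find prints.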

BitLocker partition metadata

dislocker-metadata prints a BitLocker-encrypted drive's metadata, including the encryption algorithm in use.

dislocker-metadata -V /dev/sda2 | grep AES # Show only the lines naming the cipher
dislocker-metadata identifying and printing the BitLocker drive's metadata.

Accessing encrypted BitLocker drive using Dislocker

Opening a BitLocker-encrypted drive requires at least one of the following:

  • BEK file. The BEK file is saved to a USB flash drive during encryption of the BitLocker drive; BitLocker can use a USB flash drive holding the BEK file to unlock the drive during boot.
  • FVEK (Full Volume Encryption Key). The FVEK can be intercepted from memory, swap or hibernation files.
  • Recovery password
  • User password

The dislocker-fuse mode gives access to the encrypted drive without generating an additional image file. Example of opening a BitLocker drive using the user's password:

mkdir /mnt/dislocker # FUSE mount point exposing the virtual dislocker-file
dislocker-fuse -V /dev/sda2 -u /mnt/dislocker # -u with no value prompts for the user password
mkdir /mnt/decrypted # Mount point for the decrypted NTFS volume
mount /mnt/dislocker/dislocker-file /mnt/decrypted # Mount the decrypted volume as NTFS
Decrypting the BitLocker partition with dislocker-fuse.

3 thoughts on "Inspecting BitLocker encrypted drive in Kali Linux"

  1. I’m getting things like “Cannot parse volume header. Abort.” and “Failed to open /dev/sda1: Permission denied” along with “only root can use” which goes away if I insert sudo.
