
Busting BitLocker

In this lab you'll use dislocker on Linux to decrypt a drive encrypted with Microsoft's BitLocker.

Introduction

BitLocker is an excellent way to protect your data, but no protection is perfect. BitLocker has no known backdoors, so in this lab you'll use the front door --the key-- to decrypt a forensic image that's encrypted using BitLocker.

Retrieve The Image

Download the image from Opus using the wget command: 

wget http://opus.cis.cabrillo.edu/cis77/misc/BitLocker.zip 

The image is zipped to make it smaller. You must unzip it before you can operate on it. 

unzip BitLocker.zip 

Verify that BitLocker.img is a filesystem image with the file command: 

file BitLocker.img 
BitLocker.img: x86 boot sector

On PCs every partition begins with boot code (even if it's not bootable). Therefore you should see "x86 boot sector" in the output of file. Take a screenshot of the output of file.

Recover the Key

Without the password you'd be cooked. Fortunately, a password recovery disk was found with the encrypted computer and a forensic image of the disk was made. Download the forensic image of the disk from Opus with wget: 

wget http://opus.cis.cabrillo.edu/cis77/misc/PasswordDisk.zip

Use a loopback device to mount the image as you did in class. The image contains a single text file. The text file contains the recovery key. You'll use that key in the next step. 

Unlock the Image 

Now that you have the recovery key you can unlock the image with dislocker. The dislocker command is like mount. You give it a file and a mount point. Dislocker makes a single file appear in the mount point. The file is an image of the unencrypted data. You can then mount that image like any other forensic image. Here's the procedure: 

Start by unzipping the image file:

unzip BitLocker.zip

You should now have a BitLocker.img file. Use dislocker and the recovery key from the last step to unlock the image:

mkdir /mnt/dislocker
dislocker -v -V BitLocker.img -p<put-the-recovery-password-here> -- /mnt/dislocker

Note: There is no space between the -p and the password! If you are successful you will see a file in the /mnt/dislocker directory:

ls /mnt/dislocker
dislocker-file 

Check that the dislocker file is a partition: 

file /mnt/dislocker/dislocker-file 
/mnt/dislocker/dislocker-file: x86 boot sector

Now you can mount the dislocker file to see its contents:

mkdir /mnt/decrypted
mount -o loop,ro /mnt/dislocker/dislocker-file /mnt/decrypted 

Take a screenshot of the output of the following command:

ls -la /mnt/decrypted

The screenshot should show a capture of a web page. What page is it? 
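As an added example (not from the lab page or the dislocker project), this POSIX shell script pulls the recovery password out of the text file found on the password disk, checks that it has the shape of a BitLocker recovery password before dislocker ever sees it, and then runs the unlock and mount steps above. The image name and mount points are the lab's; the path of the key text file is an assumption passed as the second argument.

```shell
#!/bin/sh
# Added example, not part of the CIS 77 lab page: check the recovery
# password's shape before handing it to dislocker, then run the lab's
# unlock steps. Image name and mount points follow the lab; the path of
# the key text file from the password disk is an assumption ($2).
# normalize_key KEY: drop whitespace so a copy-pasted key is one token.
normalize_key() {
    printf '%s' "$1" | tr -d ' \t\r\n'
}

# valid_recovery_key KEY: 0 for a well-formed BitLocker recovery password
# (8 dash-separated blocks of 6 digits). Each block is a 16-bit value
# times 11, so it must divide by 11 and be at most 65535*11 = 720885.
valid_recovery_key() {
    key=$(normalize_key "$1")
    blk='[0-9][0-9][0-9][0-9][0-9][0-9]'
    case "$key" in
        $blk-$blk-$blk-$blk-$blk-$blk-$blk-$blk) ;;
        *) return 1 ;;
    esac
    for b in $(printf '%s' "$key" | tr '-' ' '); do
        v=$(printf '%s' "$b" | sed 's/^0*//')  # no octal parse of 0-led blocks
        v=${v:-0}
        [ $((v % 11)) -eq 0 ] && [ "$v" -le 720885 ] || return 1
    done
    return 0
}

# key_from_file FILE: first 48-digit recovery password in the text file
# recovered from the password disk, whatever else the file contains.
key_from_file() {
    grep -oE '([0-9]{6}-){7}[0-9]{6}' "$1" | head -n 1
}

# unlock_image IMG KEY: the lab's dislocker and mount steps. The password
# is glued to -p with no space, the pitfall the lab warns about.
unlock_image() {
    key=$(normalize_key "$2")
    valid_recovery_key "$key" || { echo "malformed recovery key" >&2; return 1; }
    mkdir -p /mnt/dislocker /mnt/decrypted
    dislocker -v -V "$1" -p"$key" -- /mnt/dislocker &&
        mount -o loop,ro /mnt/dislocker/dislocker-file /mnt/decrypted &&
        ls -la /mnt/decrypted
}

# Usage (as root): sh unlock.sh BitLocker.img /mnt/pwdisk/<key-file>.txt
if [ "$#" -eq 2 ]; then
    unlock_image "$1" "$(key_from_file "$2")"
fi
```

If the key check fails, nothing is mounted and the script exits before dislocker runs, so a typo in the key shows up as "malformed recovery key" rather than a failed unlock.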

Turn In

  1. Your screenshot of the output of file
  2. Your screenshot showing the decrypted files.
  3. The answer to the question.
Submit your homework on Canvas.

Grading

  • 5 points for the first screenshot 
  • 15 points for the decrypted files and answer. 