
Saturday, September 10, 2016

Mounting a BitLocker Encrypted Image Using Dislocker

Sometimes it is necessary to boot a host into an alternate OS to acquire a raw disk image. If you need to mount the image for forensic analysis in Linux, this can present a problem if the disk was encrypted using Microsoft's BitLocker.

If you have the BitLocker recovery key, you can mount the image in Linux using Dislocker as follows. These steps were executed on an Ubuntu 14.04 LTS system.

Install Dislocker

Install Dislocker's dependencies.

aptitude install gcc cmake make libfuse-dev libpolarssl-dev ruby-dev

Clone the Dislocker Git repository.

git clone https://github.com/Aorimn/dislocker.git

Navigate to the dislocker directory you just created.

cd dislocker

Make and install the binaries on your system.

cmake .
make
sudo make install

[Screenshot: output of the 'man dislocker' command]

Mount the Image

Create a temp directory where you will mount the image.

mkdir /mnt/dislocker

Read the encrypted raw image using dislocker.

dislocker -v -V /media/images/myimage.bin -p<BITLOCKER-RECOVERY-KEY> /mnt/dislocker

Further details about the above command.

-v - Increase verbosity (CRITICAL errors are displayed by default)

-V - Volume to get metadata and keys from

/media/images/myimage.bin - Path and file name of the encrypted image

-p<BITLOCKER-RECOVERY-KEY> - BitLocker recovery key used to decrypt the image. Replace <BITLOCKER-RECOVERY-KEY> with the actual recovery key (the 48-digit key, written as 8 groups of 6 digits separated by dashes)

/mnt/dislocker - Mount point where dislocker exposes the decrypted volume as a single file named dislocker-file, which is mounted in the next step

Create a folder to mount the decrypted volume.

mkdir /mnt/temp

Mount the dislocker file read-only on the /mnt/temp directory.

mount -o loop,ro /mnt/dislocker/dislocker-file /mnt/temp

Further details about the above command.

-o loop,ro - Mount the filesystem using the loopback device. Mount as read-only

/mnt/dislocker/dislocker-file - Path and file name of unencrypted dislocker file

/mnt/temp - Path to mount the unencrypted image as a drive

The decrypted volume is now mounted under /mnt/temp.

List the contents of the mounted image.

ls /mnt/temp

Acquire an Image of the Mounted Disk in an Unencrypted State

You may want to take a second image of the volume in its decrypted state. This is useful if you need to load the image into a forensic tool that cannot handle BitLocker itself.

You can use ddrescue to take a raw image of the decrypted volume as follows. Note that the source is the dislocker-file under /mnt/dislocker (the decrypted volume as a single file), not the /mnt/temp directory where its filesystem is mounted.

ddrescue -v /mnt/dislocker/dislocker-file /media/images/my_unencrypted_image.bin

Further details about the above command.

-v - Verbose logging

/mnt/dislocker/dislocker-file - The decrypted volume you want to image

/media/images/my_unencrypted_image.bin - Location to save new image file
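The whole procedure above, wrapped in a small POSIX shell script as an added example (this is not code from the original post or from the dislocker project). It assumes the same /mnt/dislocker and /mnt/temp layout as the post, dislocker's -r (read-only) option, and ddrescue's optional third argument for a map file; the recovery-key check uses the format property that each 6-digit group is a multiple of 11 and below 720896.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the dislocker workflow
# with a recovery-key sanity check, read-only mounts and a hash of the
# decrypted volume. Paths assume the layout used in the post.
set -eu

DISLOCKER_DIR=/mnt/dislocker   # where dislocker exposes dislocker-file
MOUNT_DIR=/mnt/temp            # where the decrypted volume is mounted

# A recovery key is 8 dash-separated groups of 6 digits; each group is a
# multiple of 11 and below 720896, so most typos are rejected before
# dislocker is ever run against the image.
validate_recovery_key() {
    key=$1
    printf '%s\n' "$key" | grep -Eq '^([0-9]{6}-){7}[0-9]{6}$' || return 1
    for group in $(printf '%s\n' "$key" | sed 's/-/ /g'); do
        n=$(printf '%s' "$group" | sed 's/^0*//')   # avoid octal parsing
        n=${n:-0}
        [ $((n % 11)) -eq 0 ] && [ "$n" -lt 720896 ] || return 1
    done
    return 0
}

# Decrypt the raw image through dislocker and mount the result read-only.
# -r keeps the FUSE view read-only too; noexec/nodev protect the host.
mount_bitlocker_image() {
    image=$1; key=$2
    validate_recovery_key "$key" || { echo "malformed recovery key" >&2; return 1; }
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 1; }
    mkdir -p "$DISLOCKER_DIR" "$MOUNT_DIR"
    dislocker -r -V "$image" -p"$key" "$DISLOCKER_DIR"
    mount -o loop,ro,noexec,nodev "$DISLOCKER_DIR/dislocker-file" "$MOUNT_DIR"
}

# Take a raw copy of the decrypted volume (the dislocker-file, not the
# mounted directory tree) and record its SHA-256 beside it.
image_decrypted_volume() {
    out=$1
    ddrescue -v "$DISLOCKER_DIR/dislocker-file" "$out" "$out.map"
    sha256sum "$out" | tee "$out.sha256"
}

# usage: ./bl-mount.sh <image.bin> <recovery-key> [decrypted-out.bin]
if [ $# -ge 2 ]; then
    mount_bitlocker_image "$1" "$2"
    if [ $# -ge 3 ]; then image_decrypted_volume "$3"; fi
fi
```

Run it as root (mount and FUSE need it); with only the image and key it stops after mounting, and the optional third argument also produces the decrypted raw image plus its hash.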
