Trouble using bitlocker2john.py

[exaghost]

Hello,
I'm experimenting with a 500 GB full DD image (the whole disc, not only the bitlocker partition) with Bitlocker enabled. That's a TPM only setup, what as far I know unsupported/impossible to recover. Okay, I accept, but a warning/error message would be useful in this case. Tried bitlocker2john.py and bitlocker2john.exe. Latest git versions. Observations:

• The command bitlocker2john.exe -i e:\XXX\YYY.img runs okay, found 34 occurances of
  Signature found at 0x5f4202 Version: 79 Invalid version, looking for a signature with valid version... till Signature found at 0x27400003 Version: 8 Invalid version, looking for a signature with valid version... Then found 3 occurances of
  ** Signature found at 0x315de000 Version: 2 (Windows 7 or later)
  ** Signature found at 0x6cf4c000 Version: 2 (Windows 7 or later)
  ** Signature found at 0xae28f000 Version: 2 (Windows 7 or later)
  In the end Error while extracting data: No signature found! In the meantime I tried bitlocker2john.py.

• First bitlocker2john.py command was: bitlocker2john.py e:\XXX\YYY.img -o 828235776 (DEC of 0x315de000)
  [!] Supplied image path is not a BitLocker partition. Try specifiying the offset of the BitLocker partition with -o

Tried inc./decreasing offset, and voilà:
bitlocker2john.py e:\XXX\YYY.img -o 828235773
[+] BitLocker signature found: -FVE-FS-
[+] Identified volume GUID: 65124796-AA2D-2B6D-1F49-65C44EEEB3A7 = None
[+] FVE metadata info found at offsets ['0x49b683ab5a80b8aa', '0x9ef49ce942710b33', '0x20007007974a835']

Parsing FVE block...

Parsing FVE metadata header...
Traceback (most recent call last):
File "C:\ [...] bitlocker2john.py", line 240, in
main()
File "C:\ [...] bitlocker2john.py", line 225, in main
parse_fve_metadata_block(FVE_metadata_block)
File "C:\ [...] bitlocker2john.py", line 136, in parse_fve_metadata_block
metadata_size = parse_fve_metadata_header(fve_metadata_header)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\ [...] bitlocker2john.py", line 174, in parse_fve_metadata_header
metadata_size = uint_to_int(block[0:4])
^^^^^^^^^^^^^^^
File "C:\ [...] bitlocker2john.py", line 56, in uint_to_int
return int(b[::-1].hex(), 16)
^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 16: ''

Strange behavior with the offsets.. All 3 off by 3 (828235776 vs 828235773). Also a HEX support for -o offsets would be great.
I don't consider this as a serious bug, but undefined behavior. Hope I can help improving the bitlocker2john tools.

[solardiz]

Thank you @exaghost!

@holly-o Please take a look at the issues reported in here. Thank you!

[holly-o]

Thank you - some things for me to look at!

It is off by 3 compared with bitlocker2john.exe since bitlocker2john.exe looks to match the signature "-FVE-FS-" whereas bitlocker2john.py will take the offset to the start of the volume, and the boot entry point (0xeb5890) is the first three bytes before the signature.

Since bitlocker2john.exe takes the approach just to search for the string "-FVE-FS-", I would suggest that maybe this is not an indication of the start of a BitLocker volume, but some other occurrence of that string. The volume GUID 65124796-AA2D-2B6D-1F49-65C44EEEB3A7 is not indicative of any particular volume type, in fact I can find no reference to it anywhere, and the offsets to FVE metadata exceed the bounds of the 500GB image. This suggests that at this point the script is not in fact reading the start of a BitLocker volume.

My approach to find the BitLocker volume within the image is to use mmls to see the partitions or open the image in something like FTK imager to find the exact offset to use.

I will take a look at adding the option to read the offset as hex, and also to make sure that it is not trying to seek out of bounds of the size of the image, so that the script does not error in the way you have seen here. I may also add a check that the GUID is one of the recognised GUIDs before proceeding.

[exaghost]

Hello, @holly-o !
Thank you for the fast replay. I made some progress, and interesting findings! With the new version of your script, I reexamined result of bitlocker2john.exe. Neither of the three "valid" offsets worked, BUT the last "invalid" did worked.

Signature found at 0x27400003
Version: 8
Invalid version, looking for a signature with valid version...

c:[..]\bitlocker2john.py g:\XXX\YYY.img -o 0x27400003 (Yes I tweaked script to accept offset as is, by subtracting 3.)
[+] BitLocker signature found: -FVE-FS-
[+] Identified volume GUID: 4967D63B-2E29-4AD8-8399-F6A339E3D001 = BitLocker
[+] FVE metadata info found at offsets ['0x315de000', '0x6cf4c000', '0xae28f000']

Parsing FVE block...

Parsing FVE metadata header...
Metadata size: 16830
Volume GUID: 5DE525AB-1170-4ED9-AF92-F41A46839E73
Encryption method: 0x8004

Parsing FVE metadata entry...
Entry size: 80
Entry type: 0xb = FVEK backup
Value type: 0x5 = AES-CCM encrypted key
Parsing AES CCM key...

Parsing FVEK...
Mac: d22308002ae2672d728f5de21d247c67
Nonce: 50d9d8ff118ed90102000000
Encrypted data: bc9674708ccce72ee3065816622daa6d2b1f4965c44eeeb3a7add82229ab83b649362b1311e99cf49e38c816

Parsing FVE metadata entry...
Entry size: 72
Entry type: 0x7 = Computer description
Value type: 0x2 = UTF-16 string

Parsing description...
Info: OMITTED but it was the actual hostname.

Parsing FVE metadata entry...
Entry size: 80
Entry type: 0x3 = FVEK
Value type: 0x5 = AES-CCM encrypted key
Parsing AES CCM key...

Parsing FVEK...
Mac: 8053efd490bb4a98fa999e9cf258c751
Nonce: 90ab9a08128ed90109000000
Encrypted data: 48ceb3fc4bcafa5328b7e32f83e9d00e4b3de33b4857476d8d0de7e37bbfde0aac6cee2bc6556b4d6d02956a

Parsing FVE metadata entry...
Entry size: 7568
Entry type: 0x4 = Validation
Value type: 0x7 = Validation

No hashes associated with the user password or recovery password found. Exiting...

Observation:
Seems like bitlocker2john.exe is buggy, does not recognize valid bitlocker offset, but bitlocker2john.py does. I'm going to further investigate on partition scheme of image.