Wednesday, July 25, 2018

Daily Blog #433: Bitlocker Experiments Part 4

Hello Reader,
I've now extracted the FVE Metadata block from a vhd encrypted with bitlocker while bitlocker is active and is protecting the VHD with a password and after I turned off protection. I was expecting to find the clearkey attribute set on the volume master key as described in the libbde documentation. Instead the protection was the same but it appears as though the decryption keys were left unprotected.

I removed the bitlocker protection using the following command
manage-bde -protectors -disable d:

I then checked the status of the bitlocker volume with the following command
manage-bde -status d:

The protectors are still in place and the recovery key has not changed:

However, comparing the same metadata block before and after removing protection shows that a lot of changes occurred in the metadata block:
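To make the before/after comparison repeatable, here is an added example (not code from the original post or from libbde) that takes two raw dumps of the same FVE metadata block and lists the byte ranges that changed, so each run can be mapped onto a metadata entry. It only assumes the well-known 8-byte block signature "-FVE-FS-"; the sample dumps embedded below are constructed stand-ins, not real BitLocker data, and the file-loading helper is a hypothetical convenience.

```python
"""Byte-level comparison of two FVE metadata block dumps (added example)."""
from typing import List, Tuple

# Every FVE metadata block begins with this signature; a dump that lacks it
# was probably extracted from the wrong offset.
FVE_SIGNATURE = b"-FVE-FS-"


def has_fve_signature(block: bytes) -> bool:
    """True if the dump starts with the FVE metadata block signature."""
    return block[:8] == FVE_SIGNATURE


def changed_ranges(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where the two dumps differ.

    The dumps are compared up to the shorter length; if the lengths differ,
    the extra tail is reported as one final changed run.
    """
    runs: List[Tuple[int, int]] = []
    n = min(len(before), len(after))
    start = None
    for i in range(n):
        if before[i] != after[i]:
            if start is None:
                start = i          # a new run of differing bytes begins
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    if len(before) != len(after):
        runs.append((n, abs(len(before) - len(after))))
    return runs


def summarize(before: bytes, after: bytes) -> str:
    """One line per changed run: offset, length, old bytes -> new bytes."""
    lines = []
    for off, length in changed_ranges(before, after):
        old = before[off:off + length].hex()
        new = after[off:off + length].hex()
        lines.append(f"0x{off:06x} len={length:<4d} {old} -> {new}")
    return "\n".join(lines)


def compare_files(path_before: str, path_after: str) -> str:
    """Hypothetical helper: load two dump files and summarize the changes."""
    with open(path_before, "rb") as f:
        before = f.read()
    with open(path_after, "rb") as f:
        after = f.read()
    for name, data in (("before", before), ("after", after)):
        if not has_fve_signature(data):
            raise ValueError(f"{name} dump does not start with {FVE_SIGNATURE!r}")
    return summarize(before, after)


# Constructed sample dumps: same signature and 64 bytes of filler, with a
# 4-byte field and a 16-byte region altered in the "after" copy.
SAMPLE_BEFORE = FVE_SIGNATURE + bytes(range(64))
_after = bytearray(SAMPLE_BEFORE)
_after[16:20] = b"\xff\xff\xff\xff"
_after[40:56] = b"\x00" * 16
SAMPLE_AFTER = bytes(_after)

if __name__ == "__main__":
    print(summarize(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On real dumps, point compare_files at the two extracted block images; a run that changes on every protector toggle but stays the same length is a good candidate for a timestamp, counter or nonce field, while a run that grows or shrinks usually means an entry was added or removed.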

I'm still breaking out all the values that changed to understand them all better but this is different than what I expected. Let's see what tomorrow's testing brings.