Daily Blog #433: Bitlocker Experiments Part 4

Bitlocker Experiments Part 4 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
I've now extracted the FVE metadata block from a VHD encrypted with BitLocker, both while BitLocker is active and protecting the VHD with a password and after I turned off protection. I was expecting to find the clear key attribute set on the volume master key, as described in the libbde documentation. Instead the protection looked the same, but it appears as though the decryption keys were left unprotected.

I removed the BitLocker protection using the following command:
manage-bde -protectors -disable d:


I then checked the status of the BitLocker volume with the following command:
manage-bde -status d:


The protectors are still in place and the recovery key has not changed.


However, comparing the same metadata block before and after removing protection shows that a lot of values changed in the metadata block.



I'm still breaking out all the values that changed to understand them better, but this is different from what I expected. Let's see what tomorrow's testing brings.
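The state reached above (volume still fully encrypted, protectors still listed, but protection reported as off) is exactly what a defender wants to spot on a live system. The following PowerShell is an added example, not part of the original post; it assumes the BitLocker module's Get-BitLockerVolume cmdlet is available in an elevated shell, and the function name Get-SuspendedBitLockerVolume is my own.

```powershell
# Added example (not from the original post): enumerate BitLocker volumes and
# flag any that are fully encrypted but have protection suspended, the state the
# post reaches with "manage-bde -protectors -disable d:".
# Assumes the BitLocker PowerShell module and an elevated shell.

function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # A suspended volume still lists its key protectors (password,
        # recovery password, ...) but ProtectionStatus reports Off, so the
        # protector list alone says nothing about whether the VMK is exposed.
        $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'Off')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($vol.KeyProtector |
                                ForEach-Object { $_.KeyProtectorType }) -join ','
            Suspended        = $suspended
        }
    }
}

# Report only the volumes whose data is encrypted but effectively unprotected.
Get-SuspendedBitLockerVolume |
    Where-Object Suspended |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, Protectors -AutoSize
```

Any volume listed here has the same protectors and recovery key as before suspension, matching the manage-bde -status output above, so the check must key off ProtectionStatus rather than the protector list.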
