Daily Blog #433: Bitlocker Experiments Part 4

Hello Reader,
I've now extracted the FVE metadata block from a VHD encrypted with BitLocker, both while BitLocker is active and protecting the VHD with a password and after I turned off protection. I was expecting to find the clearkey attribute set on the volume master key as described in the libbde documentation. Instead, the protection was the same, but it appears as though the decryption keys were left unprotected.

I removed the BitLocker protection using the following command:
manage-bde -protectors -disable d:

I then checked the status of the BitLocker volume with the following command:
manage-bde -status d:

The protectors are still in place and the recovery key has not changed:

However, comparing the same metadata block before and after removing protection shows that a lot of changes occurred in the metadata block:

I'm still breaking out all the values that changed to understand them all better, but this is different than what I expected. Let's see what tomorrow's testing brings.
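One way to break out the changed values when comparing two extracted copies of the metadata block, as an added example that is not from the original post. The sample bytes are constructed (only the `-FVE-FS-` signature is real), and `changed_runs`, `merge_gap`, `report` and the `SAMPLE_*` names are hypothetical.

```python
"""List the byte ranges that differ between two extracted metadata blocks."""
from typing import List, NamedTuple


class ChangedRun(NamedTuple):
    offset: int    # start offset of the changed range within the block
    before: bytes  # bytes from the copy taken while protection was on
    after: bytes   # bytes from the copy taken after protection was disabled


def changed_runs(before: bytes, after: bytes, merge_gap: int = 4) -> List[ChangedRun]:
    """Group differing bytes into runs; runs separated by at most merge_gap
    unchanged bytes are merged so a multi-byte field shows up as one range.
    A length difference is reported as (or merged into) the final run."""
    common = min(len(before), len(after))
    spans: List[List[int]] = []  # [start, end) offsets
    i = 0
    while i < common:
        if before[i] == after[i]:
            i += 1
            continue
        start = i
        while i < common and before[i] != after[i]:
            i += 1
        if spans and start - spans[-1][1] <= merge_gap:
            spans[-1][1] = i
        else:
            spans.append([start, i])
    if len(before) != len(after):
        longest = max(len(before), len(after))
        if spans and common - spans[-1][1] <= merge_gap:
            spans[-1][1] = longest
        else:
            spans.append([common, longest])
    return [ChangedRun(s, before[s:e], after[s:e]) for s, e in spans]


def report(before: bytes, after: bytes) -> List[str]:
    """One line per changed range: offset, then before and after bytes in hex."""
    return [f"0x{r.offset:04x}  {r.before.hex()} -> {r.after.hex()}"
            for r in changed_runs(before, after)]


# Constructed sample data, not real BitLocker metadata.
SAMPLE_BEFORE = b"-FVE-FS-" + bytes(range(0x10, 0x28))
_tmp = bytearray(SAMPLE_BEFORE)
_tmp[10:12] = b"\xff\xff"
_tmp[14] = 0xEE
_tmp[30] = 0x00
SAMPLE_AFTER = bytes(_tmp) + b"\xaa\xbb"

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

To use it on real data, read the two extracted blocks from disk with `open(path, "rb").read()` and pass them to `report`.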

Daily Blog #433: Bitlocker Experiments Part 4 Reviewed by David Cowen on July 25, 2018 Rating: 5


All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020