Trouble using bitlocker2john.py #5644
Thank you - some things for me to look at! It is off by 3 compared with bitlocker2john.exe since bitlocker2john.exe looks to match the signature "-FVE-FS-" whereas bitlocker2john.py will take the offset to the start of the volume, and the boot entry point (0xeb5890) is the first three bytes before the signature.

Since bitlocker2john.exe takes the approach just to search for the string "-FVE-FS-", I would suggest that maybe this is not an indication of the start of a BitLocker volume, but some other occurrence of that string. The volume GUID 65124796-AA2D-2B6D-1F49-65C44EEEB3A7 is not indicative of any particular volume type, in fact I can find no reference to it anywhere, and the offsets to FVE metadata exceed the bounds of the 500GB image. This suggests that at this point the script is not in fact reading the start of a BitLocker volume.

My approach to find the BitLocker volume within the image is to use mmls to see the partitions or open the image in something like FTK Imager to find the exact offset to use.

I will take a look at adding the option to read the offset as hex, and also to make sure that it is not trying to seek out of bounds of the size of the image, so that the script does not error in the way you have seen here. I may also add a check that the GUID is one of the recognised GUIDs before proceeding.
Hello, @holly-o! Signature found at 0x27400003

c:[..]\bitlocker2john.py g:\XXX\YYY.img -o 0x27400003

(Yes, I tweaked the script to accept the offset as is, by subtracting 3.)

Parsing FVE block...
Parsing FVE metadata header...
Parsing FVE metadata entry...
Parsing FVEK...
Parsing FVE metadata entry...
Parsing description...
Parsing FVE metadata entry...
Parsing FVEK...
Parsing FVE metadata entry...
No hashes associated with the user password or recovery password found. Exiting...

Observation: a quick look at the image partition scheme:

$ mmls XXX.img
000: Meta 0000000000 0000000000 0000000001 Safety Table
That offset seems ok then for partition 006, since 512 * 1286144 = 658,505,728 = 0x27400000
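The two comments above describe the checks a signature scanner needs: the "-FVE-FS-" string can occur anywhere in a 500 GB image, the volume starts 3 bytes before it (the boot entry point bytes), and a hit is only credible if the volume GUID is a recognised one and the FVE metadata offsets fall inside the image. The following is an added example written for this thread, not code from bitlocker2john.py or bitlocker2john.exe. It assumes the Windows 7 and later volume header layout as documented publicly for libbde (signature at +3, 16-byte volume GUID at +160, three little-endian uint64 FVE metadata offsets at +176 that are relative to the volume start) and a GUID table taken from that same documentation; all function names, the 200-byte header read size, and the sample image are the example's own and should be checked against the tool's own tables before being relied on.

```python
"""Locate plausible "-FVE-FS-" BitLocker volume headers inside a raw disk image.

Added example for the bitlocker2john issue thread, not the tool's own code.
Header layout and recognised GUIDs are assumed from the public libbde format
documentation; verify them against bitlocker2john.py before relying on them.
"""
import struct
import uuid
from io import BytesIO

SIGNATURE = b"-FVE-FS-"
SIGNATURE_OFFSET = 3       # the 3-byte boot entry point (EB 58 90) comes first
VOLUME_GUID_OFFSET = 160   # assumed: 16-byte volume GUID, mixed-endian GUID layout
FVE_OFFSETS_OFFSET = 176   # assumed: three uint64 LE offsets, relative to volume start
VOLUME_HEADER_SIZE = 200   # enough to cover the fields above

KNOWN_GUIDS = {  # assumed from libbde's documentation, upper-case text form
    "4967D63B-2E29-4AD8-8399-F6A339E3D001": "BitLocker",
    "4967D63B-2E29-4AD8-8399-F6A339E3D01F": "BitLocker To Go",
    "92A84D3B-FE32-4AD1-A0A7-FF85DC0F0C8D": "BitLocker (used disk space only)",
}


def parse_offset(text):
    """Accept a -o value as plain decimal or 0x-prefixed hex."""
    text = text.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def sector_to_bytes(sector, sector_size=512):
    """Turn an mmls start sector into a byte offset (512 * 1286144 == 0x27400000)."""
    return sector * sector_size


def iter_signature_offsets(fp, chunk_size=1 << 20):
    """Yield every absolute offset of SIGNATURE, reading the image in chunks
    with a 7-byte overlap so matches spanning a chunk boundary are not missed."""
    overlap = len(SIGNATURE) - 1
    pos, tail = 0, b""
    fp.seek(0)
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            return
        data = tail + chunk
        base = pos - len(tail)
        idx = data.find(SIGNATURE)
        while idx >= 0:
            yield base + idx
            idx = data.find(SIGNATURE, idx + 1)
        pos += len(chunk)
        tail = data[-overlap:]


def read_exact(fp, image_size, offset, length):
    """Read `length` bytes at `offset`, or None if that would run past the image
    (a short read is what produced the empty-string ValueError in the thread)."""
    if offset < 0 or offset + length > image_size:
        return None
    fp.seek(offset)
    data = fp.read(length)
    return data if len(data) == length else None


def parse_volume_header(fp, image_size, volume_start):
    """Parse one candidate header and record why it is or is not plausible."""
    header = read_exact(fp, image_size, volume_start, VOLUME_HEADER_SIZE)
    if header is None:
        return {"volume_start": volume_start, "plausible": False,
                "problems": ["header runs past the end of the image"]}
    guid = str(uuid.UUID(bytes_le=header[VOLUME_GUID_OFFSET:VOLUME_GUID_OFFSET + 16])).upper()
    rel = struct.unpack_from("<3Q", header, FVE_OFFSETS_OFFSET)
    fve_offsets = [volume_start + o for o in rel]
    volume_type = KNOWN_GUIDS.get(guid)
    problems = []
    if volume_type is None:
        problems.append("unknown volume GUID")
    if not all(volume_start < o < image_size for o in fve_offsets):
        problems.append("FVE metadata offset outside the image")
    return {"volume_start": volume_start, "guid": guid, "volume_type": volume_type,
            "fve_metadata_offsets": fve_offsets, "plausible": not problems,
            "problems": problems}


def find_bitlocker_volumes(fp, image_size):
    """Scan the whole image; every signature hit becomes a candidate volume at hit - 3."""
    hits = list(iter_signature_offsets(fp))   # collect first: parsing seeks the file too
    return [parse_volume_header(fp, image_size, h - SIGNATURE_OFFSET) for h in hits]


def build_sample_image():
    """Constructed 4 MiB image (not a real disk): a bogus signature hit inside
    filler bytes at 0x1234, and a real-looking volume header at sector 2048."""
    image = bytearray(4 << 20)
    bogus = bytearray(b"\x55" * VOLUME_HEADER_SIZE)   # GUID and offsets are garbage
    bogus[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(SIGNATURE)] = SIGNATURE
    image[0x1234:0x1234 + VOLUME_HEADER_SIZE] = bogus
    real = bytearray(VOLUME_HEADER_SIZE)
    real[0:3] = b"\xeb\x58\x90"
    real[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(SIGNATURE)] = SIGNATURE
    real[VOLUME_GUID_OFFSET:VOLUME_GUID_OFFSET + 16] = uuid.UUID(
        "4967D63B-2E29-4AD8-8399-F6A339E3D001").bytes_le
    struct.pack_into("<3Q", real, FVE_OFFSETS_OFFSET, 0x10000, 0x20000, 0x30000)
    start = sector_to_bytes(2048)
    image[start:start + VOLUME_HEADER_SIZE] = real
    return bytes(image)


def scan_sample_image():
    image = build_sample_image()
    return find_bitlocker_volumes(BytesIO(image), len(image))


if __name__ == "__main__":
    for cand in scan_sample_image():
        print(hex(cand["volume_start"]), cand["plausible"], cand["problems"])
```

Run against the constructed image, the bogus hit is reported with both an unknown GUID and out-of-range metadata offsets, while the header at 0x100000 passes; on a real image the same two checks would have flagged the 0x315de000 hit from the thread rather than letting the script seek past the end of the file.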
Yes, sorry, it was in a separate PR. I have implemented the suggestions from above.

On Mon, 20 Jan 2025, 23:08 Solar Designer <***@***.***> wrote:

> I think this issue was taken care of by a commit in #5623 (even though it should have been a separate PR). Please confirm. Thank you @holly-o and @exaghost!
Hello,

I'm experimenting with a 500 GB full DD image (the whole disk, not only the BitLocker partition) with BitLocker enabled. That's a TPM-only setup, which as far as I know is unsupported/impossible to recover. Okay, I accept that, but a warning/error message would be useful in this case. Tried bitlocker2john.py and bitlocker2john.exe. Latest git versions. Observations:

The command bitlocker2john.exe -i e:\XXX\YYY.img runs okay, found 34 occurrences of

Signature found at 0x5f4202 Version: 79 Invalid version, looking for a signature with valid version...

till

Signature found at 0x27400003 Version: 8 Invalid version, looking for a signature with valid version...

Then found 3 occurrences of

Signature found at 0x315de000 Version: 2 (Windows 7 or later)
Signature found at 0x6cf4c000 Version: 2 (Windows 7 or later)
Signature found at 0xae28f000 Version: 2 (Windows 7 or later)

In the end

Error while extracting data: No signature found!

In the meantime I tried bitlocker2john.py. First bitlocker2john.py command was:

bitlocker2john.py e:\XXX\YYY.img -o 828235776

(DEC of 0x315de000)

[!] Supplied image path is not a BitLocker partition. Try specifiying the offset of the BitLocker partition with -o

Tried increasing/decreasing the offset, and voilà:

bitlocker2john.py e:\XXX\YYY.img -o 828235773

[+] BitLocker signature found: -FVE-FS-
[+] Identified volume GUID: 65124796-AA2D-2B6D-1F49-65C44EEEB3A7 = None
[+] FVE metadata info found at offsets ['0x49b683ab5a80b8aa', '0x9ef49ce942710b33', '0x20007007974a835']
Parsing FVE block...
Parsing FVE metadata header...
Traceback (most recent call last):
  File "C:\ [...] bitlocker2john.py", line 240, in <module>
    main()
  File "C:\ [...] bitlocker2john.py", line 225, in main
    parse_fve_metadata_block(FVE_metadata_block)
  File "C:\ [...] bitlocker2john.py", line 136, in parse_fve_metadata_block
    metadata_size = parse_fve_metadata_header(fve_metadata_header)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\ [...] bitlocker2john.py", line 174, in parse_fve_metadata_header
    metadata_size = uint_to_int(block[0:4])
                    ^^^^^^^^^^^^^^^
  File "C:\ [...] bitlocker2john.py", line 56, in uint_to_int
    return int(b[::-1].hex(), 16)
           ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 16: ''

Strange behavior with the offsets... All 3 off by 3 (828235776 vs 828235773). Also, HEX support for -o offsets would be great.

I don't consider this a serious bug, but undefined behavior. Hope I can help improve the bitlocker2john tools.