📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Solution with windows
  • 3. Grab the flag in windows
  • 4. Solution with Linux
  • 5. Grab the flag in linux
  • 6. Where to find Bitlocker Recovery key

Was this helpful?

  1. Forensic Exercises
  2. Windows Forensics

Bitunlocker

PreviousWindows ForensicsNextAlternate Datastreams

Last updated 3 years ago

Was this helpful?

1. Introduction

  • During a forensic in investigation, an image of a BitLocker encrypted drive was created.

  • You can download the image file here:

  • Recently, the BitLocker Recovery Key was obtained. It is as follows 547294-589028-080982-263945-161810-145343-350845-470613.

Your task is to mount the image, decrypt the volume and optain the flag. To complete that challege you can use a windows box or a linux system.

2. Solution with windows

Mounting the image.

  • Open Arsenal image Mounter

  • Click File

  • Click Mount disk image file…

  • Select your image.dd file

  • Select to mount as read-only

Unlock the volume:

3. Grab the flag in windows

4. Solution with Linux

A bitlocker encrypted volume starts always with hex: EB 58 90 2D 46 56 45 2D 46 53 2D

`apt-get install dislocker`

mkidr /mnt/dislock dislocker-fuse -r -V bitlocker.dd -p547294-589028-080982-263945-161810-145343-350845-470613 -- /mnt/dislock

Mount volume with dislocker file:

mkdir /mnt/image mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/dislock/dislocker-file /mnt/bitlock01

5. Grab the flag in linux

gio open Flag.pdf

6. Where to find Bitlocker Recovery key

Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized. This key may be stored in your Microsoft account, printed or saved as a file, or with an organization that is managing the device. The requirement for a recovery key in these cases is a critical component of the protection that BitLocker provides your data.

Download and install Arsenal Image Mounter from

https://arsenalrecon.com/downloads/
Finding your BitLocker recovery key in Windows
BitLocker.zipDropbox
Logo
Logo