Bitunlocker
1. Introduction
During a forensic investigation, an image of a BitLocker-encrypted drive was created.
You can download the image file here:
Recently, the BitLocker Recovery Key was obtained. It is as follows: 547294-589028-080982-263945-161810-145343-350845-470613.
Your task is to mount the image, decrypt the volume and obtain the flag. To complete the challenge you can use a Windows box or a Linux system.
2. Solution with Windows
Download and install Arsenal Image Mounter from https://arsenalrecon.com/downloads/
Mounting the image.
Open Arsenal Image Mounter
Click File
Click Mount disk image file…
Select your image.dd file
Select to mount as read-only
Unlock the volume:
3. Grab the flag in Windows
4. Solution with Linux
A BitLocker-encrypted volume always starts with the hex bytes:
EB 58 90 2D 46 56 45 2D 46 53 2D
`apt-get install dislocker`
`mkdir /mnt/dislock`
`dislocker-fuse -r -V bitlocker.dd -p547294-589028-080982-263945-161810-145343-350845-470613 -- /mnt/dislock`
Mount the volume from the dislocker file:
`mkdir /mnt/bitlock01`
`mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/dislock/dislocker-file /mnt/bitlock01`
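Before running dislocker it helps to confirm where the BitLocker volume actually begins in the image, since the signature quoted above sits at the first byte of the volume, not necessarily of the file. The following is an added example (not part of the original write-up) that scans sector-aligned offsets for that signature; the 512-byte sector size, the function names and the sample images are assumptions constructed for illustration.

```python
import os
import tempfile

# Signature bytes quoted above: EB 58 90 2D 46 56 45 2D 46 53 2D
BITLOCKER_SIG = bytes.fromhex("EB58902D4656452D46532D")
SECTOR = 512  # assumed sector size


def find_bitlocker_volumes(path, sector=SECTOR, chunk_sectors=2048):
    """Return byte offsets of sectors that begin with the BitLocker signature."""
    hits = []
    chunk = sector * chunk_sectors
    with open(path, "rb") as img:  # opened read-only, the evidence is never written
        base = 0
        while True:
            buf = img.read(chunk)
            if not buf:
                break
            # A volume boot sector can only start on a sector boundary.
            for off in range(0, len(buf), sector):
                if buf[off:off + len(BITLOCKER_SIG)] == BITLOCKER_SIG:
                    hits.append(base + off)
            base += len(buf)
    return hits


def build_sample_image(volume_sector):
    """Constructed sample: zero-filled image with the signature at one sector."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * (volume_sector * SECTOR))
        f.write(BITLOCKER_SIG.ljust(SECTOR, b"\x00"))
        f.write(b"\x00" * (4 * SECTOR))
    return path


if __name__ == "__main__":
    # Sector 0: bare volume image. Sector 2048: volume behind a partition table.
    for start in (0, 2048):
        sample = build_sample_image(start)
        print(start, find_bitlocker_volumes(sample))
        os.remove(sample)
```

An offset of 0 means the image is a bare volume and can be handed to dislocker as shown; a non-zero offset means the image is a whole disk and the volume has to be addressed at that byte offset.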
5. Grab the flag in Linux
gio open Flag.pdf
6. Where to find the BitLocker Recovery Key
Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized. This key may be stored in your Microsoft account, printed or saved as a file, or with an organization that is managing the device. The requirement for a recovery key in these cases is a critical component of the protection that BitLocker provides your data.