Bitunlocker
During a forensic investigation, an image of a BitLocker-encrypted drive was created.
You can download the image file here:
Recently, the BitLocker Recovery Key was obtained. It is as follows: 547294-589028-080982-263945-161810-145343-350845-470613.
Your task is to mount the image, decrypt the volume and obtain the flag. To complete the challenge you can use a Windows box or a Linux system.
Download and install Arsenal Image Mounter from https://arsenalrecon.com/downloads/
Mount the image:
Open Arsenal Image Mounter
Click File
Click Mount disk image file…
Select your image.dd file
Select to mount as read-only
Unlock the volume:
A BitLocker-encrypted volume always starts with the hex bytes:
EB 58 90 2D 46 56 45 2D 46 53 2D
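The signature check above as a small script, added here as an example and not part of the original write-up. It goes beyond the single-volume case by also following MBR partition entries, so it works on an image of a whole disk; the 512-byte sector size and the helper names are assumptions, and GPT tables are not parsed.

```python
import struct
import sys

# Signature from the write-up: jump instruction EB 58 90, then ASCII "-FVE-FS-"
SIGNATURE = bytes.fromhex("EB58902D4656452D46532D")
SECTOR = 512  # assumed logical sector size


def is_bitlocker(boot_sector: bytes) -> bool:
    return boot_sector.startswith(SIGNATURE)


def mbr_partition_offsets(sector0: bytes) -> list:
    """Byte offsets of the non-empty primary partitions listed in an MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []
    offsets = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start_lba = struct.unpack_from("<I", entry, 8)[0]
        if entry[4] != 0 and start_lba != 0:  # entry[4] is the partition type
            offsets.append(start_lba * SECTOR)
    return offsets


def find_bitlocker_volumes(path: str) -> list:
    """Return byte offsets in the image where a BitLocker boot sector starts."""
    with open(path, "rb") as img:
        sector0 = img.read(SECTOR)
        if is_bitlocker(sector0):  # image of a single volume
            return [0]
        hits = []
        for off in mbr_partition_offsets(sector0):  # image of a whole disk
            img.seek(off)
            if is_bitlocker(img.read(SECTOR)):
                hits.append(off)
        return hits


def constructed_disk(start_lba: int = 8) -> bytes:
    """Constructed sample: MBR with one partition holding a fake BitLocker boot sector."""
    entry = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x07, b"\0" * 3, start_lba, 16)
    mbr = b"\0" * 446 + entry + b"\0" * 48 + b"\x55\xaa"
    volume = SIGNATURE + b"\0" * (SECTOR - len(SIGNATURE))
    return mbr + b"\0" * (SECTOR * (start_lba - 1)) + volume


if __name__ == "__main__":
    for offset in find_bitlocker_volumes(sys.argv[1]):
        print(f"BitLocker volume at byte offset {offset}")
```

A non-zero offset means the image holds a partition table rather than a bare volume; dislocker accepts that byte offset through its `-o` option.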
`apt-get install dislocker`
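```
# Create the mount point for the dislocker virtual file
mkdir /mnt/dislock
# -r read-only, -V image file, -p recovery password
dislocker-fuse -r -V bitlocker.dd -p547294-589028-080982-263945-161810-145343-350845-470613 -- /mnt/dislock
```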
Mount volume with dislocker file:
```
# Create the mount point used by the mount command
mkdir /mnt/bitlock01
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/dislock/dislocker-file /mnt/bitlock01
```
`gio open Flag.pdf`
Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized. This key may be stored in your Microsoft account, printed or saved as a file, or with an organization that is managing the device. The requirement for a recovery key in these cases is a critical component of the protection that BitLocker provides your data.