# Bitunlocker

### 1. Introduction * During a forensic in investigation, an image of a BitLocker encrypted drive was created. * You can download the image file here: {% embed url="" %} * Recently, the BitLocker Recovery Key was obtained. It is as follows\ **547294-589028-080982-263945-161810-145343-350845-470613**. Your task is to mount the image, decrypt the volume and optain the flag. To complete that challege you can use a windows box or a linux system. ### 2. Solution with windows Download and install Arsenal Image Mounter from Mounting the image. * Open Arsenal image Mounter * Click File * Click Mount disk image file… * Select your image.dd file * Select to mount as read-only

Unlock the volume:

### 3. Grab the flag in windows

### 4. Solution with Linux A bitlocker encrypted volume starts always with hex:\ `EB 58 90 2D 46 56 45 2D 46 53 2D` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F7h3gLnTc3kEk8T2b78Pn%2Fdislock01.png?alt=media\&token=d73be312-ee0f-48e6-a3bd-886a8484cf7d) `` `apt-get install dislocker` `` `mkidr /mnt/dislock dislocker-fuse -r -V bitlocker.dd -p547294-589028-080982-263945-161810-145343-350845-470613 -- /mnt/dislock` Mount volume with dislocker file: `mkdir /mnt/image mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/dislock/dislocker-file /mnt/bitlock01` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fu2FAhjok16eTJHNuyQJ3%2Fdislock02.png?alt=media\&token=e7cbec34-571c-4ea2-866f-951486416b6b) ### 5. Grab the flag in linux `gio open Flag.pdf` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXzcAEwG89HbnbGGmsIoD%2Fdislock03.png?alt=media\&token=f3e9d8bd-f399-42f9-b810-a3b96ab98c8f) ### 6. Where to find Bitlocker Recovery key Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized. This key may be stored in your Microsoft account, printed or saved as a file, or with an organization that is managing the device. The requirement for a recovery key in these cases is a critical component of the protection that BitLocker provides your data. {% embed url="" %}