Volatility Framework plugin for extracting BitLocker FVEK

This plugin, developed by Marcin Ulikowski, finds and extracts Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files. This allows rapid unlocking of systems that had BitLocker encrypted volumes mounted at the time of acquisition.

Bitlocker_decryption_weare4n6

It supports the following memory images:

  • Windows 10 (work in progress)
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 8
  • Windows Server 2012
  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Vista

For more info use this link.