
Volatility plugin for recovering BitLocker keys

Thomas White has developed a Volatility plugin that can extract BitLocker keys from Windows 7. The plugin can also be used for Windows 8 – 10 but, according to the author, it isn't entirely reliable.

Here is how the plugin operates:

  • Obtains Windows version from profile metadata.
  • If the version is lower than Windows 8:
    • Searches for FVEc pool tag
    • Identifies BitLocker mode
    • Extracts FVEK of appropriate length and TWEAK key if applicable
  • If the version is higher than Windows 8:
    • Searches for Cngb pool tag with a pool size of 672
    • Attempts to identify key length (Does not work properly for XTS-AES in Win10)
    • Extracts either 128-bit or 256-bit key
    • Is unable to guarantee it is a BitLocker FVEK.
  • Prints the results.
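The pool-tag search step from the list above, as an added sketch that is not the plugin's own code: it assumes a raw 64-bit memory image where the 16-byte `_POOL_HEADER` keeps the block size (in 16-byte units) in its third byte and the tag at offset 4. The function names and the sample buffer are constructed for illustration, and the sketch stops at locating candidate allocations without parsing their contents.

```python
import struct

POOL_ALIGN = 16  # assumption: x64 image, pool blocks sized and aligned in 16-byte units


def scan_pool_tags(buf, tag, want_size=None):
    """Return (header_offset, size_in_bytes, pool_type) for each plausible pool header."""
    hits = []
    pos = buf.find(tag)
    while pos != -1:
        hdr = pos - 4  # PoolTag sits 4 bytes into the x64 _POOL_HEADER
        if hdr >= 0 and hdr % POOL_ALIGN == 0 and hdr + 16 <= len(buf):
            _prev, _index, block_size, pool_type = struct.unpack_from("<4B", buf, hdr)
            size = block_size * POOL_ALIGN
            # A zero size or a size mismatch means a stray tag, not an allocation.
            if size and (want_size is None or size == want_size):
                hits.append((hdr, size, pool_type))
        pos = buf.find(tag, pos + 1)
    return hits


def candidates(buf, is_pre_win8):
    """Apply the version split described above: FVEc, or Cngb with pool size 672."""
    if is_pre_win8:
        return scan_pool_tags(buf, b"FVEc")
    return scan_pool_tags(buf, b"Cngb", want_size=672)


def _block(tag, size, pool_type=2):
    # Constructed pool block: 16-byte header followed by zero padding.
    hdr = struct.pack("<4B4s8x", 0, 0, size // POOL_ALIGN, pool_type, tag)
    return hdr + b"\x00" * (size - len(hdr))


def build_sample():
    # Constructed sample "image": one matching Cngb block, one Cngb block of the
    # wrong size, one FVEc block, and an unaligned stray tag that must be ignored.
    buf = _block(b"Cngb", 672) + _block(b"Cngb", 128) + _block(b"FVEc", 512)
    return buf + b"\x00" * 7 + b"Cngb" + b"\x00" * 5


if __name__ == "__main__":
    sample = build_sample()
    print("Win8+ candidates:", candidates(sample, is_pre_win8=False))
    print("Win7 candidates: ", candidates(sample, is_pre_win8=True))
```

The size filter is what narrows the many `Cngb` allocations down to a handful; as the list notes, a surviving hit is still only a candidate, not a confirmed BitLocker FVEK.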

Here is an example from a Windows 10 image (CBC):

[Screenshot: Win10CBC]

More information about recovering BitLocker keys on Windows 8.1 and 10 is available at Thomas’ blog.

Download plugin