How to restore the bitlocker drive's private key on win 8.1 and win 10



This article does not go deep into the internal mechanics of disk encryption; it focuses on retrieving the FVEK (Full Volume Encryption Key) from memory. On Windows 7, key recovery is a simple task (see the references at the end of the article): when processing a Windows 7 memory image, we can simply search for the FVEc pool tag as an indicator of where the FVEK lives in memory, and extract the key from there.

Since Windows 8, however, BitLocker's encryption operations appear to have been handed off to Microsoft's Cryptography Next Generation (CNG) module, the long-term replacement for CryptoAPI, rather than being performed inside the fvevol driver.

This means that searching for the FVEc pool tag on Windows 8 or later turns up nothing!

AESKeyFind still works, although depending on your memory image you may need to adjust its threshold settings.

Live kernel debugging and key recovery

I'm not sure why you would be attached to the kernel with a debugger yet still unable to disable BitLocker, retrieve the recovery password, or add your own key protector; that would be a strange situation. On the other hand, you may want the FVEK for other reasons, such as replacing the persistent-access key protector (which is more convenient than kernel debugging).

In any case, I used WinDbg to study how BitLocker changed on Windows 8/10, used this method to retrieve the FVEK, and also confirmed that CNG is involved.

First, here is an example of the call stack on Windows 7: the encryption/decryption functions are all handled inside fvevol. This example uses the default encryption method (AES 128-bit).


In the Windows 8.1 example, CNG is involved in the encryption/decryption functions:


In fact, at this point we can retrieve the FVEK from the second parameter passed to SymCryptEcbDecrypt, which is a pointer to the key's location in memory. On a 64-bit machine the rdx register holds that pointer. Set a breakpoint on SymCryptEcbDecrypt, read the value of rdx, and we can extract the FVEK (note that in this case it is a 256-bit key).


That was a Windows 8.1 example; on Windows 10 in XTS-AES mode, break on cng!SymCryptXtsAesDecrypt instead and inspect the rcx register (in my tests the key is passed as the first parameter to the XTS function).


Looking a little further back in the memory image, we can see that this region of memory is tagged with the Cngb pool tag. As expected, checking the pool tag definitions confirms that Cngb is used by CNG:

Cngb - ksecdd.sys - CNG kmode crypto pool tag

Now for the more practical part!

Using pool allocations to recover the key

As mentioned above, most of the crypto work now happens in the CNG driver, whereas in earlier Windows versions the fvevol driver contained its own implementation. Searching for the Cngb pool tag produces a large number of results, because CNG is a complicated beast and is not used only by BitLocker. But the pool size should be consistent, which means we can use it as an indicator of where the key is located.

The size of the Cngb pool seems to be 672 regardless of the encryption type; Volatility's poolpeek plugin can help you find these pools.


Although I have not yet found a way to distinguish the BitLocker mode from the contents of the Cngb pool, there does seem to be a reliable way to distinguish the key length. At offset 0x68 in the pool, the key length is recorded as either 128-bit or 256-bit: the value '10' seems to indicate a 128-bit key, and '20' a 256-bit key.

Interestingly, there are other keys in the same format besides the FVEK, and they are only present when BitLocker is enabled on the system. They may be other keys used by BitLocker, such as the Volume Master Key (VMK), but I have not analysed what these keys are for.

Volatility plugin

This plugin is still experimental.

Based on the information at hand, I have written a Volatility plugin that can extract BitLocker keys from Windows 7 and later (in theory). For Windows 8 through Windows 10 the plugin is not completely reliable: it works in most cases, but there are some known issues:

- AES keys other than the FVEK are returned (see above; these keys only exist on systems protected by BitLocker).
- Windows 10 XTS-AES encryption is not handled successfully every time.
- I am not sure how BitLocker operates on Windows 7 or later versions in all cases.

The plugin operates as follows:

1. Obtain the Windows version from the profile metadata.

2. If the version is earlier than Windows 8:
   - search for the FVEc pool tag;
   - determine the BitLocker mode and extract an FVEK of the proper length.

3. If the version is later than Windows 8:
   - search for the Cngb pool tag with pool size 672;
   - attempt to determine the key length (this does not work properly in Windows 10 XTS-AES mode);
   - extract a 128-bit or 256-bit key (it cannot be guaranteed that this is a BitLocker FVEK).

4. Print the result.
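The Windows 8+ branch of that procedure, reimplemented here as an added example over a constructed memory image (this is not the plugin's own code, which lives at the GitHub link below). The Cngb tag, the 672-byte pool size, the length byte at 0x68 and the 0x10/0x20 values come from the text above; the standard x64 _POOL_HEADER layout and the assumption that the key bytes immediately follow the length field are mine, and the sample image is constructed so the scan can be checked offline.

```python
import struct

POOL_HEADER_SIZE = 16           # x64 _POOL_HEADER: 4 size/type bytes, 4-byte tag, 8-byte ProcessBilled
CNG_TAG = b"Cngb"               # ksecdd.sys CNG kernel-mode crypto pool tag (from the article)
CNG_POOL_SIZE = 672             # observed size of the key-bearing Cngb allocations (from the article)
KEYLEN_OFFSET = 0x68            # offset in the pool holding the key-length byte (from the article)
KEY_LENGTHS = {0x10: 128, 0x20: 256}
KEY_OFFSET = KEYLEN_OFFSET + 4  # ASSUMPTION for this example: key bytes follow the length field

def scan_cngb_keys(image: bytes):
    """Return (pool_offset, key_bits, key_hex) for every Cngb pool of size 672
    whose length byte at 0x68 is 0x10 or 0x20; every other Cngb pool is skipped."""
    hits = []
    pos = image.find(CNG_TAG)
    while pos != -1:
        start = pos - 4                            # the tag sits at +4 in _POOL_HEADER
        if start >= 0 and start + CNG_POOL_SIZE <= len(image):
            block_size = image[start + 2] * 16     # BlockSize is stored in 16-byte units
            keylen = image[start + KEYLEN_OFFSET]
            if block_size == CNG_POOL_SIZE and keylen in KEY_LENGTHS:
                key = image[start + KEY_OFFSET:start + KEY_OFFSET + keylen]
                hits.append((start, KEY_LENGTHS[keylen], key.hex()))
        pos = image.find(CNG_TAG, pos + 1)
    return hits

def build_cngb_pool(key: bytes) -> bytes:
    """Constructed sample: one 672-byte Cngb allocation laid out as the scanner expects."""
    header = struct.pack("<BBBB4sQ", 0, 0, CNG_POOL_SIZE // 16, 0, CNG_TAG, 0)
    body = bytearray(CNG_POOL_SIZE - POOL_HEADER_SIZE)
    body[KEYLEN_OFFSET - POOL_HEADER_SIZE] = len(key)
    off = KEY_OFFSET - POOL_HEADER_SIZE
    body[off:off + len(key)] = key
    return header + bytes(body)

def sample_image() -> bytes:
    """Constructed memory image: padding, a 128-bit candidate, a Cngb pool of the
    wrong size (must be ignored), a 256-bit candidate, then trailing padding."""
    key128 = bytes(range(0x10))
    key256 = bytes(range(0x20))
    wrong_size = struct.pack("<BBBB4sQ", 0, 0, 8, 0, CNG_TAG, 0) + bytes(112)
    return bytes(64) + build_cngb_pool(key128) + wrong_size + build_cngb_pool(key256) + bytes(32)

if __name__ == "__main__":
    for off, bits, key in scan_cngb_keys(sample_image()):
        print(f"Cngb pool at 0x{off:x}: {bits}-bit candidate key {key}")
```

On a real image the same heuristic also returns the non-FVEK keys the article mentions, so each candidate still has to be tried against the volume (for example with libbde) before it is trusted.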

Windows 7 EXAMPLE:


Windows 8.1 example:


Windows 10 (CBC) Example:


Here the FVEK recovered above is used to mount the Windows 8.1 protected volume:


The excellent libbde library can use the FVEK and TWEAK data to mount protected volumes on Linux.

I never said this plugin was perfect, but it may become a very good one in the future!

GitHub here: https://github.com/tribalchicken/volatility-bitlocker

References

- Practical Cryptographic Key Recovery - Jesse Kornblum
- Implementing BitLocker Drive Encryption for Forensic Analysis - Jesse Kornblum
- libyal/libbde
- Cryptography API: Next Generation - Microsoft
