Dislocker USB with Bitlocker (LAB)

This lab will take you through using Dislocker to view data on a USB disk image that has Bitlocker encryption. The password for Bitlocker will be provided.

Real life use: Hard drive with Bitlocker fails to boot. You need to recover data from it.


Bitlocker USB DD image: https://drive.google.com/a/gameofpwnz.com/file/d/0B3KtykBk15nNamdMSVpYaXRPRlU/view?usp=sharing

MD5 Checksum: 90860ff85a78f1421e6f26f44c10b8ae

In Kali, you can use this to attach the image as a loop device and expose its partitions 🙂:

losetup --partscan --find --show encrypted.001

The Bitlocker password is: password

Use this Procedure: https://gameofpwnz.com/dislocker-recovering-data-from-drive-with-bitlocker-requires-bitlocker-recovery-key-or-password/

The procedure can be altered slightly for this lab. I used a Kali Linux Virtual Machine instead of a live USB to complete this lab. In this lab, I use the password rather than the recovery key. Notice the slight difference in the command when using each.


Lab created by @GameOfPWNZ

Dislocker: Recovering Data from Drive with Bitlocker – Requires Bitlocker Recovery Key or Password

This procedure is for recovering data from a disk drive with Microsoft Bitlocker Full Disk Encryption when the drive no longer boots.

Also, a lab for practicing this procedure will be provided here: https://gameofpwnz.com/dislockerlab/

Required tools


Procedures

  1. Make sure the hard drive with Bitlocker is connected. If you never removed it, then you’re good.
  2. Boot from Kali Linux Live USB or CD/DVD.
  3. Update:
    apt-get update
  4. Install git and dependencies:
    apt-get install git libfuse-dev libmbedtls-dev cmake

5. Git clone Dislocker:

git clone https://github.com/Aorimn/dislocker.git

6. Change working directory to the dislocker directory

cd dislocker

7. cmake the Dislocker directory

cmake .

8. Make and make install

  1. make
  2. make install

9. Find the drive with Bitlocker

fdisk -l (should look like /dev/sda# if SATA/SCSI)

10. Create directories tmp and dis

  1. mkdir /mnt/tmp
  2. mkdir /mnt/dis

11. Run Dislocker

  1. Using Recovery Key: dislocker -v -V /dev/(whichever is the one you found in Step 9) -p<Bitlocker Recovery Key> -- /mnt/tmp
    1. Hopefully you saved your recovery key in Active Directory or somewhere you know. The Recovery key is 55 characters with the hyphens.
  2. Using Bitlocker Password: dislocker -v -V /dev/(whichever is the one you found in Step 9) -u<Bitlocker Password> -- /mnt/tmp

12. Check if it worked

ls /mnt/tmp     (You should see a dislocker-file. If so, then it worked)

13. Mount the volume

mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis

14. Change working directory to the volume

cd /mnt/dis

15. List the directory contents

ls

16. Backup files

To make this easier, open two GUI file explorer windows. In one, open the USB drive. In the second, open /mnt/dis. Then copy the files that you need to the USB.

17. Profit
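
A pre-flight check for the lab checksum and for step 11, added here as an example (it is not part of the original procedure or of dislocker): it verifies the image against the published MD5 and checks that a typed recovery key is well formed before it is passed to -p. It relies on the rule that every six-digit group of a BitLocker recovery key is a multiple of 11 and below 720896; the function names and the sample key are constructed for illustration, and md5sum is assumed to be installed.

```shell
#!/bin/sh
# Pre-flight checks before attaching the image and running dislocker.
# Function names are hypothetical; they are not part of dislocker.

# Return 0 if the MD5 of file $1 equals the published checksum $2.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Return 0 if $1 is a well-formed recovery key (8 groups of 6 digits, 55
# characters with hyphens, each group a multiple of 11 and below 720896).
# Otherwise print the reason and return 1.
check_recovery_key() {
    key=$1
    if [ "${#key}" -ne 55 ]; then
        echo "length ${#key}, expected 55"
        return 1
    fi
    i=0
    rest=$key-
    while [ -n "$rest" ]; do
        g=${rest%%-*}
        rest=${rest#*-}
        i=$((i + 1))
        case $g in
            [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "group $i is not six digits"; return 1 ;;
        esac
        n=${g#"${g%%[1-9]*}"}   # strip leading zeros so the shell does not read octal
        n=${n:-0}
        if [ $((n % 11)) -ne 0 ] || [ "$n" -ge 720896 ]; then
            echo "group $i ($g) fails the multiple-of-11 check"
            return 1
        fi
    done
}

# Constructed sample key (not a real key): every group is a multiple of 11.
SAMPLE_KEY=110000-220000-000055-720885-135795-597531-000011-366663
check_recovery_key "$SAMPLE_KEY" && echo "sample key is well formed"
# A typo in group 5 is reported by position, so only that group needs re-reading.
check_recovery_key 110000-220000-000055-720885-135796-597531-000011-366663 || true
```

For the lab image, `verify_md5 encrypted.001 90860ff85a78f1421e6f26f44c10b8ae` should succeed before you run losetup.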

If you found this tutorial useful, let me know in the comments 🙂 And make sure to check out the lab 🙂
