Need advice re: obtaining BitLocker recovery key  

JimDandy
(@jimdandy)
New Member

I am a novice and am seeking to expand my knowledge. Here is an overview of the issue

The device is a Dell Inspiron 15 3000 series with 1TB HDD volume with a C-drive BitLocker partition. Windows 10 is installed, and the user (admin privileges) can’t get past the login screen. If entered, the user’s credentials are accepted, and Windows 10 partially loads but then warns that a reboot will be done in 1 minute and proceeds to do so without me being able to interrupt anything. The rebooting happens if the login screen is left alone, too, resulting in a reboot loop.

There is no BitLocker recovery key available and thus I’m unable to use the Microsoft recovery tools, like starting Windows 10 in safe mode and uninstalling problematic software.

I have yet to verify a working backup image.

My current course of action is to retrieve the BitLocker recovery key by using forensic tools to access the dd image (I have the laptop and can create more images). I was able to get a Guymager image, albeit in multiple files, and so I can’t seem to load it into Passware Kit to attempt a brute force attack.

When I load the split raw image in OSFMount, it tells me about the 6 partitions on the drive, and partition 1 (128MB) and 2 (917.9GB) are both showing as (Empty Partition). When I mount the whole image, or just partition 2 (the C-drive encrypted with BitLocker), my Windows workstation prompts me to format the empty drive. In OSFMount, the File System columns show N/A.

I am hoping for help from the community regarding what to do next. I'm going to see if I can join the dd image files into 1 file that would open in Passware Kit.

Posted : 11/04/2018 3:30 am
jaclaz
(@jaclaz)
Community Legend

OSFMount is not suitable for mounting those files. It is essentially a "volume" driver: it simply skips the "hidden sectors" in a "whole disk" image, trying to access the volume(s). Since the volumes are encrypted, it obviously cannot find a filesystem (the partition table in the MBR or GPT is not encrypted, so OSFMount can detect the extents of the volume(s), but the PBR or VBR or bootrecord is encrypted and so no filesystem can be found/detected, hence the N/A and the prompt to format the volume).

But if you can make a "monolithic image" it will be easier to use in other tools.

You don't need to image the whole disk (if it is divided in 6 partitions), you can image just the (I presume initial) part from sector 0 to the end of the 917 GB partition (that will comprise also the 128 GB partition).

To access a "disk" (the "whole thing") image you could use the Arsenal Recon driver
https://arsenalrecon.com/weapons/image-mounter/

The author is the same as that of IMDISK (which is the "base" from which OSFMount was derived): Olof Lagerkvist.

jaclaz

Posted : 11/04/2018 8:56 am
JimDandy
(@jimdandy)
New Member

Thank you, jaclaz! I was able to mount the dd image so that it is now a recognizable drive in Windows. It shows as Local Disk and it is recognized that it is BitLocker encrypted.

I assume Passware would let me access a drive like a volume, but it doesn't (it wants a raw image file, so I may still need to join those dd.xxx ones, but I haven't worked past the memory error I got when I tried it). I am researching what to do next and I am liking that Arsenal has at least gotten me this far.

As time permits my research, I will hopefully find a way to hack the BitLocker key. I was contemplating putting a PC together with an on-board IEEE port so that I could attempt capturing a physical memory dump. I'm checking if there's a way to get what Passware needs without going that route. I'm also looking at Passware alternatives to get the BitLocker key.

I've come across many interesting posts here and I wish I had multiple workstations set up to try different paths at the same time (especially when I was trying to join those dd image files).

Posted : 11/04/2018 11:17 pm
jaclaz
(@jaclaz)
Community Legend

I've come across many interesting posts here and I wish I had multiple workstations set up to try different paths at the same time (especially when I was trying to join those dd image files).

Well, I don't know which issues you may have with simply joining a bunch of dd files; the operation is normally very demanding in terms of disk activity but shouldn't really need that much memory, as you seem to report.

I mean, if you are on windows even
COPY /B File1.dd + File2.dd Combined12.dd
would (should) work.

To minimize disk usage and time you could use
COPY /B File1.dd Combined1.dd
COPY /B Combined1.dd + file2.dd
COPY /B Combined1.dd + file3.dd
COPY /B Combined1.dd + file4.dd

I would prefer using a dd port, or (still on Windows) personally I would try using the DSFOK toolkit (old, maybe a tad bit on the slow side in terms of performance, but it never failed me in many years):

http://members.ozemail.com.au/~nulifetv/freezip/freeware/index.html

Of course you need some space (possibly in a contiguous chunk) on some mass storage device.

jaclaz

Posted : 12/04/2018 9:28 am
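As an added example (not code from either poster), the following Python script does what the COPY /B approach above does, but streams the split dd segments in numeric order with memory bounded by the chunk size, and returns the size and SHA-256 of the joined image so it can be checked against the acquisition log. It also reads the boot record at a partition's byte offset to show why the earlier post's OSFMount reports N/A on an encrypted volume: a BitLocker volume carries the OEM ID "-FVE-FS-" where NTFS would carry "NTFS    ". The sample image is constructed inline and the segment file names are assumptions.

```python
import hashlib
import os
import re
import tempfile

SECTOR = 512
# OEM ID field (bytes 3..10) of a volume boot record for common Windows volumes.
OEM_IDS = {
    b"-FVE-FS-": "BitLocker",  # FVE header: no plaintext filesystem to mount
    b"NTFS    ": "NTFS",
    b"MSDOS5.0": "FAT", b"MSWIN4.1": "FAT",
}

def segment_number(path):
    """Numeric suffix of a split segment (case.dd.001 -> 1) so order never depends on the shell."""
    return int(re.search(r"\.(\d+)$", path).group(1))

def join_segments(paths, out_path, chunk=4 * 1024 * 1024):
    """Stream segments into one monolithic raw image; RAM use is bounded by `chunk`."""
    digest, total = hashlib.sha256(), 0
    with open(out_path, "wb") as out:
        for p in sorted(paths, key=segment_number):
            with open(p, "rb") as seg:
                for block in iter(lambda: seg.read(chunk), b""):
                    out.write(block)
                    digest.update(block)
                    total += len(block)
    return total, digest.hexdigest()

def probe_volume(image_path, byte_offset):
    """Classify the boot record at byte_offset (a partition start from the table) by OEM ID."""
    with open(image_path, "rb") as f:
        f.seek(byte_offset)
        return OEM_IDS.get(f.read(SECTOR)[3:11], "unknown")

def demo():
    """Constructed sample: a 2 MiB image split in two, with a BitLocker VBR at LBA 2048."""
    image = bytearray(4096 * SECTOR)
    image[2048 * SECTOR:2048 * SECTOR + 11] = b"\xEB\x58\x90-FVE-FS-"
    d = tempfile.mkdtemp()  # assumed segment names: case.dd.001, case.dd.002
    segs = [os.path.join(d, f"case.dd.{i:03d}") for i in (1, 2)]
    for seg, part in zip(segs, (image[:len(image) // 2], image[len(image) // 2:])):
        with open(seg, "wb") as f:
            f.write(part)
    joined = os.path.join(d, "case.dd")
    total, sha = join_segments(segs[::-1], joined)  # passed out of order on purpose
    return {"size_ok": total == len(image),
            "hash_ok": sha == hashlib.sha256(image).hexdigest(),
            "c_volume": probe_volume(joined, 2048 * SECTOR)}
```

On a real image, take the partition byte offset from the MBR/GPT table OSFMount displays (start LBA times the sector size) and expect "BitLocker" for the C volume and "unknown" for the MBR sector itself.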
Kenobyte
(@kenobyte)
Junior Member

Jim did you have any luck with this drive?

Posted : 10/08/2018 9:40 pm