Decrypt BitLocker encrypted drive through Linux


Once I had a situation: my work laptop (running M$ Win7, as per the choice of the organisation) entered the infamous “Blue Screen of Death”. The hard disk was BitLocker encrypted and the data on it was very important to me due to its research value. Do you know how Linux helped me recover my data?

Dislocker can access BitLocker

Thanks to Romain Coltel, who designed dislocker to read BitLocker encrypted partitions under Linux and Mac OSX systems.

http://www.hsc.fr/ressources/outils/dislocker/

Dislocker into Live Linux

Any Live Linux image with the gcc compiler, make, FUSE and PolarSSL headers works well. I preferred the lightweight Lubuntu/Xubuntu; 16.04 was the version I worked with. Download the ISO image and prepare a bootable USB stick with unetbootin.

Boot the system with this Live stick and become root

sudo -i

Install the following to compile dislocker. Two decryption modes are available in dislocker: FILE and FUSE. I went with FUSE because, in this mode, each request for a piece of data takes only the time needed to decrypt that data.

apt-get install gcc cmake make libfuse-dev libmbedtls-dev ruby-dev

Download Dislocker, compile and install

wget http://www.hsc.fr/ressources/outils/dislocker/download/dislocker-0.7.1.tar.gz
tar -xzf dislocker-0.7.1.tar.gz
cd dislocker-0.7.1
cmake . # note the trailing dot
make
make install

Find the target partition with

fdisk -l

Decrypt the BitLocker disk (assuming the partition is /dev/sdcX in this example) using either the user_password method (-u) or the recovery_password method (-p):

mkdir /mnt/bitlocker

dislocker-fuse -r -V /dev/sdcX -u<password> -- /mnt/bitlocker
OR
dislocker-fuse -r -V /dev/sdcX -pxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -- /mnt/bitlocker

Note: replace xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
with the BitLocker recovery_password
-V = BitLocker volume 
-- = mark the end of program's options and the beginning of FUSE's ones 
-p = recovery_password
-u = user_password 
-r = read only BitLocker volume

This generates a file, dislocker-file, which can be mounted through a loop device so that the file is accessed as a block device:

mkdir /mnt/data
mount -r -o loop /mnt/bitlocker/dislocker-file /mnt/data

All decrypted data are now available at /mnt/data
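
The steps above wrapped as shell functions, as an added example that is not part of the original post: it checks the partition for the BitLocker "-FVE-FS-" boot-sector signature, sanity-checks the recovery password before it is handed to -p, and unmounts in reverse order. The function names are hypothetical, and the signature check assumes a Vista/Windows 7 style volume like the one in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# illustrative; the mount points are the ones used in the post.

# True if the volume boot sector carries the BitLocker OEM ID "-FVE-FS-"
# at byte offset 3 (Vista/7-style volumes; BitLocker To Go differs).
is_bitlocker_volume() {
    [ "$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null)" = "-FVE-FS-" ]
}

# True if $1 has the recovery password shape: 8 groups of 6 digits, each
# group a multiple of 11 and below 720896 (65536 * 11).
valid_recovery_password() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{6}-){7}[0-9]{6}$' || return 1
    for block in $(printf '%s' "$1" | tr '-' ' '); do
        n=$(printf '%s' "$block" | sed 's/^0*//')   # avoid octal parsing
        n=${n:-0}
        [ $((n % 11)) -eq 0 ] && [ "$n" -lt 720896 ] || return 1
    done
}

# Decrypt read-only and loop-mount read-only, as in the steps above.
# usage: unlock_ro /dev/sdcX RECOVERY_PASSWORD
unlock_ro() {
    is_bitlocker_volume "$1" || { echo "$1: no BitLocker signature" >&2; return 1; }
    valid_recovery_password "$2" || { echo "malformed recovery password" >&2; return 1; }
    mkdir -p /mnt/bitlocker /mnt/data
    dislocker-fuse -r -V "$1" -p"$2" -- /mnt/bitlocker || return 1
    mount -r -o loop /mnt/bitlocker/dislocker-file /mnt/data
}

# Release in reverse order: the loop mount first, then the FUSE mount.
lock_again() {
    umount /mnt/data
    umount /mnt/bitlocker
}
```

Source the file as root, call unlock_ro with the partition and recovery password, and call lock_again before removing the disk. Passing the secret as an argument leaves it in shell history and the process list; per the dislocker man page, giving -p or -u with no value makes dislocker prompt for it instead.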
