Tags: bitlocker forensics
We are given an EnCase E01 image file, so we can mount and inspect the disk image with `ewfmount`:
```bash
$ mkdir mount media
$ ewfmount trollcat.E01 mount
$ mount mount/ewf1 media -o ro,loop,show_sys_files,streams_interface=windows
$ ls media/
$AttrDef $LogFile $Volume OneDrive Videos Windows Multimedia Platform
$BadClus $MFTMirr Downloads Pictures Windows Defender Windows NT
$Bitmap $RECYCLE.BIN Favorites Saved Games Windows Journal Windows Photo Viewer
$Boot $Secure Links Searches Windows Mail Windows Portable Devices
$Extend $UpCase Music System Volume Information Windows Media Player WindowsPowerShell
```
After some exploring, we found an interesting file, `topsecret.zip`, inside the `Favorites/drive` directory. Decompressing the ZIP file gave us a VHDX file that is encrypted with BitLocker. Using this fancy [script](https://raw.githubusercontent.com/e-ago/bitcracker/master/src_HashExtractor/bitcracker_hash.c), we can extract the appropriate hash in John-the-Ripper format before running `john` against it:
```bash
$ gcc -obitcracker bitcracker_hash.c
$ ./bitcracker -i topsecret.vhdx -o .
$ cat hash_user_pass.txt
$bitlocker$0$16$f69baf5d4226828d3bfa2cc373630ec8$1048576$12$1025632abafad60103000000$60$04465c3433f92c243ff384e34dc7c23f8d2ff94b3b2cfd7544aa2aff8da10de3a68ce356d5ab4d9cc9f83c07225ec72f04bd01f46bd2d9fbb61a098
$ john --wordlist=rockyou.txt hash_user_pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (BitLocker, BitLocker [SHA-256 AES 32/64])
johncena (?)
```
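As an added example (not part of the original write-up or of BitCracker), here is a small Python parser for the `$bitlocker$` hash line that `bitcracker_hash.c` produces. It splits the nine `$`-separated fields, checks that each declared byte length matches the hex that follows, and decodes the AES-CCM nonce, whose first 8 bytes are a little-endian FILETIME followed by a 4-byte counter (that layout is taken from the libbde BitLocker format documentation, not from the write-up, so treat it as my assumption). Run on the hash above, it reports the 2^20 key-stretching rounds, a nonce timestamp of 2021-02-04 05:54 UTC, consistent with the 4-Feb-2021 timestamps in the testdisk listing further down, and it flags that the data field as copied here is 119 hex characters instead of the declared 60 bytes (120 hex characters). Validating a hash file this way before handing it to `john` saves hours of cracking a line that was damaged in copy-paste.

```python
"""Parse and sanity-check John-the-Ripper ``$bitlocker$`` hash lines.

Format written by bitcracker_hash / john's bitlocker format:
  $bitlocker$<type>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<data>
"""
from datetime import datetime, timedelta, timezone

# Hash line copied verbatim from hash_user_pass.txt in the write-up above.
PAGE_HASH = (
    "$bitlocker$0$16$f69baf5d4226828d3bfa2cc373630ec8$1048576$12$"
    "1025632abafad60103000000$60$04465c3433f92c243ff384e34dc7c23f8d2ff94b3b2cfd7544"
    "aa2aff8da10de3a68ce356d5ab4d9cc9f83c07225ec72f04bd01f46bd2d9fbb61a098"
)

# Attack-mode values of the john bitlocker format as documented for BitCracker:
# 0/1 = user password (with / without MAC verification), 2/3 = recovery password.
TYPES = {
    0: "user password (MAC-verified)",
    1: "user password (no MAC check)",
    2: "recovery password (MAC-verified)",
    3: "recovery password (no MAC check)",
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_bitlocker_hash(line):
    """Split a $bitlocker$ line into its fields and collect consistency problems.

    Returns a dict with the decoded fields and an 'issues' list. It never raises on a
    malformed line, so it can be run over a whole hash file before cracking starts.
    """
    issues = []
    parts = line.strip().split("$")  # leading '$' yields an empty first element
    if len(parts) != 10 or parts[1] != "bitlocker":
        return {"issues": ["not a $bitlocker$ line (expected 9 '$'-separated fields)"]}
    _, _, ptype, salt_len, salt, iters, nonce_len, nonce, data_len, data = parts
    try:
        ptype, salt_len, iters, nonce_len, data_len = (
            int(x) for x in (ptype, salt_len, iters, nonce_len, data_len))
    except ValueError:
        return {"issues": ["non-numeric type or length field"]}
    rec = {
        "type": ptype, "type_name": TYPES.get(ptype, "unknown"),
        "salt_len": salt_len, "salt": salt,
        "iterations": iters,
        "nonce_len": nonce_len, "nonce": nonce,
        "data_len": data_len, "data": data,
        "issues": issues,
    }
    # Each length field is in bytes; the hex string that follows must be twice as long.
    for name in ("salt", "nonce", "data"):
        declared, actual = rec[name + "_len"], len(rec[name])
        if actual != 2 * declared:
            issues.append(f"{name}: declared {declared} bytes ({2 * declared} hex chars) "
                          f"but field has {actual} hex chars")
    # BitLocker stretches the password with 2^20 SHA-256 rounds; anything else is suspect.
    if iters != 1 << 20:
        issues.append(f"iterations: expected 1048576 (2^20), got {iters}")
    # Assumption (libbde format notes): the 12-byte AES-CCM nonce is an 8-byte
    # little-endian FILETIME followed by a 4-byte little-endian counter.
    if nonce_len == 12 and len(nonce) == 24:
        rec["nonce_time"] = filetime_to_datetime(
            int.from_bytes(bytes.fromhex(nonce[:16]), "little"))
        rec["nonce_counter"] = int.from_bytes(bytes.fromhex(nonce[16:]), "little")
    return rec


def report(line):
    """Print a human-readable summary; return True only if the line passed every check."""
    rec = parse_bitlocker_hash(line)
    if "type_name" in rec:
        print(f"protector : {rec['type_name']}")
        print(f"iterations: {rec['iterations']}")
        if "nonce_time" in rec:
            print(f"nonce time: {rec['nonce_time']:%Y-%m-%d %H:%M:%S} UTC "
                  f"(counter {rec['nonce_counter']})")
    for issue in rec["issues"]:
        print("WARNING:", issue)
    return not rec["issues"]


if __name__ == "__main__":
    report(PAGE_HASH)
```

The timestamp check is a cheap cross-reference during triage: the protector's nonce time should sit close to the volume's own metadata timestamps, and a hash whose nonce decodes to a nonsensical date was probably mangled before it reached the cracker.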
After a few moments, we successfully recovered the password, `johncena`. Finally, we can decrypt and mount the VHDX file using these commands:
```bash
$ modprobe nbd
$ qemu-nbd -c /dev/nbd0 topsecret.vhdx
$ mkdir vhd
$ dislocker -r -V /dev/nbd0p1 -ujohncena -- vhd
$ file vhd/dislocker-file
vhd/dislocker-file: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 128, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 96255, $MFT start cluster 4010, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 01cc677d4c677ad20; contains bootstrap BOOTMGR
```
For simplicity, we used `testdisk` to extract each file from the decrypted `dislocker-file` image into the `diskimage` directory:
```bash
$ mkdir diskimage
$ testdisk vhd/dislocker-file
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <[email protected]>
https://www.cgsecurity.org
P NTFS 0 0 1 5 252 55 96256 [New Volume]
Directory /
>dr-xr-xr-x 0 0 0 4-Feb-2021 12:56 .
dr-xr-xr-x 0 0 0 4-Feb-2021 12:56 ..
dr-xr-xr-x 0 0 0 4-Feb-2021 12:49 $RECYCLE.BIN
dr-xr-xr-x 0 0 0 4-Feb-2021 12:54 System Volume Information
-r--r--r-- 0 0 17 4-Feb-2021 12:56 please dont open it.txt
$ tree diskimage
diskimage
├── $RECYCLE.BIN
│ └── S-1-5-21-2566750344-2467620747-2735820958-1001
│ ├── $I2U6SDU.txt
│ ├── $R2U6SDU.txt
│ └── desktop.ini
├── please dont open it.txt
└── System Volume Information
├── FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}
├── FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.1
├── FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.2
├── FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.1
├── FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.2
├── FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.3
└── IndexerVolumeGuid
3 directories, 11 files
```
Finally, grepping the extracted files gives us the flag:
```bash
$ grep -Rh 'Trollcat' diskimage/
Trollcat{finallly_y0u_f0und_mY_s3ret!!!}
```