{"id":2005,"date":"2024-12-11T07:30:00","date_gmt":"2024-12-11T07:30:00","guid":{"rendered":"https:\/\/www.linkcyb.com\/decrypting-full-disk-encryption-with-dissect\/"},"modified":"2024-12-11T07:30:00","modified_gmt":"2024-12-11T07:30:00","slug":"decrypting-full-disk-encryption-with-dissect","status":"publish","type":"post","link":"https:\/\/www.linkcyb.com\/decrypting-full-disk-encryption-with-dissect\/","title":{"rendered":"Decrypting Full Disk Encryption with Dissect"},"content":{"rendered":"<div>\n<p>Author: <strong>Guus Beckers<\/strong><\/p>\n<p>Back in 2022, Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with incident response engagements of any scale in mind. It allows you to extract artifacts from a variety of data formats and export them to a format of your choosing. Ever since Dissect was open sourced, a large number of individuals and institutions have contributed to the Dissect framework, culminating in the first Dissect partner day earlier in 2024.<\/p>\n<p>One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft\u2019s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were already able to use these capabilities. With the release of Dissect version 3.17, these capabilities are now also available to the community at large.<\/p>\n<p>Of course, a blog post is not complete without a demo. In this scenario a data acquisition has been performed against a disk protected with BitLocker. We are interested in a specific file located on the user\u2019s desktop. For this scenario, a virtual machine was created with VMware Fusion, which uses the <code>.vmwarevm<\/code> file format. 
Dissect can parse this format thanks to its associated loader.<\/p>\n<p>First, we use Dissect to examine the disk properties:<\/p>\n<pre class=\"wp-block-code\"><code>$ target-info \"Windows 11 x64.vmwarevm\" -v\n2024-11-27T11:57:18.474060Z [error    ] Failed to open an encrypted volume &lt;Volume name='Basic data partition' size=67921509888 fs=None&gt; with volume manager bitlocker: Failed to unlock BDE volume [dissect.target.volume]\n2024-11-27T11:57:18.634092Z [warning  ] &lt;Target Windows 11 x64.vmwarevm&gt;: Can't identify filesystem: &lt;Volume name='Microsoft reserved partition' size=16776704 fs=None&gt; [dissect.target.target]\n2024-11-27T11:57:19.416120Z [warning  ] &lt;Target Windows 11 x64.vmwarevm&gt;: Failed to find OS plugin, falling back to default [dissect.target.target]\n&lt;Target Windows 11 x64.vmwarevm&gt;\n\n\nDisks\n- &lt;Disk type=\"VmdkContainer\" size=\"68719476736\"&gt;\n\n\nVolumes\n- &lt;Volume name=\"Basic data partition\" size=\"104857088\" fs=\"FatFilesystem\"&gt;\n- &lt;Volume name=\"Microsoft reserved partition\" size=\"16776704\" fs=\"NoneType\"&gt;\n- &lt;Volume name=\"Basic data partition\" size=\"67921509888\" fs=\"NoneType\"&gt;\n- &lt;Volume name=\"part_fd7c00000\" size=\"673185280\" fs=\"NtfsFilesystem\"&gt;\n\n\nHostname       : None\nDomain         : None\nIps            :\nOs family      : default\nOs version     : None\nArchitecture   : None\nLanguage       :\nTimezone       : None\nInstall date   : 1970-01-01T00:00:00.000000+00:00\nLast activity  : None<\/code><\/pre>\n<p>It seems the disk is encrypted. Now we can use the latest version of BitLocker to decrypt the information. Dissect supports three different types of decryption capabilities. 
An analyst can use the user\u2019s passphrase, the recovery key, or a BitLocker file. Please check the updated documentation on the Dissect Docs page for more information. For now we have created a keychain CSV file with the following information:<\/p>\n<pre class=\"wp-block-code\"><code>$ cat keychain.csv\nbitlocker,recovery_key,,395791-328042-677721-279895-554466-214599-232023-709148<\/code><\/pre>\n<p>We can use Dissect\u2019s commands like target-info to check if the keychain works:<\/p>\n<pre class=\"wp-block-code\"><code>$ target-info \"Windows 11 x64.vmwarevm\" -K keychain.csv\n2024-11-27T10:18:01.698079Z [warning  ] &lt;Target Windows 11 x64.vmwarevm&gt;: Can't identify filesystem: &lt;Volume name='Microsoft reserved partition' size=16776704 fs=None&gt; [dissect.target.target]\n2024-11-27T10:18:02.731474Z [warning  ] &lt;Target Windows 11 x64.vmwarevm&gt;: Empty hive: sysvol\/windows\/SECURITY [dissect.target.target]\n2024-11-27T10:18:02.737980Z [warning  ] &lt;Target Windows 11 x64.vmwarevm&gt;: Empty hive: sysvol\/windows\/SYSTEM [dissect.target.target]\n&lt;Target Windows 11 x64.vmwarevm&gt;\n\n\nDisks\n- &lt;Disk type=\"VmdkContainer\" size=\"68719476736\"&gt;\n\n\nVolumes\n- &lt;Volume name=\"Basic data partition\" size=\"104857088\" fs=\"FatFilesystem\"&gt;\n- &lt;Volume name=\"Microsoft reserved partition\" size=\"16776704\" fs=\"NoneType\"&gt;\n- &lt;Volume name=\"Basic data partition\" size=\"67921509888\" fs=\"NoneType\"&gt;\n- &lt;Volume name=\"part_fd7c00000\" size=\"673185280\" fs=\"NtfsFilesystem\"&gt;\n- &lt;Volume name=\"Basic data partition\" size=\"67921509888\" fs=\"NtfsFilesystem\"&gt;\n\n\nHostname       : SECRETDATAVM\nDomain         : None\nIps            : 192.168.212.129\nOs family      : windows\nOs version     : Windows 
11 Pro (NT 10.0) 26100.2314 \nArchitecture   : amd64-win64 \nLanguage       : en_GB, en_NL, en_US \nTimezone       : Europe\/Berlin \nInstall date   : 2024-11-27T17:34:07.000000+00:00 \nLast activity  : 2024-11-27T17:33:31.670376+00:00 <\/code><\/pre>\n<p>Alternatively, we can pass the recovery key value directly like this:\u00a0<\/p>\n<pre class=\"wp-block-code\"><code>$ target-info \"Windows 11 x64.vmwarevm\" -Kv 395791-328042-677721-279895-554466-214599-232023-709148 -v<\/code><\/pre>\n<p>Now we can browse through the decrypted filesystem and view the file on the user\u2019s desktop:\u00a0<\/p>\n<pre class=\"wp-block-code\"><code>$ target-shell \"Windows 11 x64.vmwarevm\" -Kv 395791-328042-677721-279895-554466-214599-232023-709148 -q\n                                                                                       \nSECRETDATAVM:\/$ cat c:\/Users\/Staff\/Desktop\/SuperSecretFile.txt \nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.<\/code><\/pre>\n<p>As you can imagine this also works with Linux in the exact same manner.\u00a0 This time we use a LUKS passphrase in conjunction with Dissect:<\/p>\n<pre class=\"wp-block-code\"><code>$ target-info \"Ubuntu 64-bit 24.04.1.vmwarevm\" -Kv glad-design-paper-airplane                                                                                                                          \n2024-11-27T11:48:07.224355Z [warning  ] Failed to decode raw key as hex, ignoring: glad-design-paper-airplane [dissect.target.helpers.keychain] \n2024-11-27T11:48:08.910029Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Can't identify filesystem: &lt;Volume name='part_00100000' size=1048064 fs=None&gt; [dissect.target.target] \n2024-11-27T11:48:09.826056Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Unsupported mount device: \/dev\/disk\/by-id\/dm-uuid-LVM-YZiSLhoYFljS62k2vIjl3IcTwSkd0QguADKOf0a8t9am1jNdm9J1zerrDU7SWWFd \/ [dissect.target.target] \n&lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt; \n2024-11-27T11:48:13.916382Z [warning  ] No timestamp found in one of the lines in \/var\/log\/syslog! [dissect.target.helpers.utils] \n2024-11-27T11:48:13.925913Z [warning  ] Timestamp '27 2024 12:40:57' does not match format '%b %d %H:%M:%S', skipping line. [dissect.target.helpers.utils] \n2024-11-27T11:48:13.936096Z [warning  ] Timestamp 'Nov 2024 11:40:35' does not match format '%b %d %H:%M:%S', skipping line. [dissect.target.helpers.utils] \n2024-11-27T11:48:13.936416Z [warning  ] Timestamp 'Nov 2024 11:40:35' does not match format '%b %d %H:%M:%S', skipping line. [dissect.target.helpers.utils] \n2024-11-27T11:48:13.944841Z [warning  ] Timestamp 'Nov 2024 11:40:15' does not match format '%b %d %H:%M:%S', skipping line. 
[dissect.target.helpers.utils] \n2024-11-27T11:48:13.950083Z [warning  ] Timestamp 'Nov 2024 11:40:11' does not match format '%b %d %H:%M:%S', skipping line. [dissect.target.helpers.utils] \n2024-11-27T11:48:13.985809Z [warning  ] Timestamp 'Nov 2024 11:40:04' does not match format '%b %d %H:%M:%S', skipping line. [dissect.target.helpers.utils] \n2024-11-27T11:48:14.037897Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Could not match cloud-init log line in file: \/var\/log\/cloud-init.log [dissect.target.target] \n2024-11-27T11:48:14.037992Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Could not match cloud-init log line in file: \/var\/log\/cloud-init.log [dissect.target.target] \n2024-11-27T11:48:14.038056Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Could not match cloud-init log line in file: \/var\/log\/cloud-init.log [dissect.target.target] \n \nDisks \n- &lt;Disk type=\"VmdkContainer\" size=\"21474836480\"&gt; \n \nVolumes \n- &lt;Volume name=\"part_00100000\" size=\"1048064\" fs=\"NoneType\"&gt; \n- &lt;Volume name=\"part_00200000\" size=\"1902116352\" fs=\"ExtFilesystem\"&gt; \n- &lt;Volume name=\"part_71800000\" size=\"19569573376\" fs=\"NoneType\"&gt; \n- &lt;Volume name=\"part_71800000\" size=\"19552796160\" fs=\"NoneType\"&gt; \n- &lt;Volume name=\"ubuntu--vg-ubuntu--lv\" size=\"19549650944\" fs=\"ExtFilesystem\"&gt;\n \nHostname       : personnel-VMware-Virtual-Platform \nDomain         : None \nIps            : \nOs family      : linux \nOs version     : Ubuntu 24.04.1 LTS (Noble Numbat) \nArchitecture   : x86_64-linux \nLanguage       : en_US, en_US \nTimezone       : Europe\/Amsterdam \nInstall date   : 2024-11-27T11:33:29.665213+00:00 \nLast activity  : 2024-11-27T11:45:34.821181+00:00 <\/code><\/pre>\n<p>We can use the same technique to extract another file from the Ubuntu desktop:\u00a0<\/p>\n<pre class=\"wp-block-code\"><code>$ target-shell \"Ubuntu 64-bit 24.04.1.vmwarevm\" -K keychain.csv -v          
                                                                                                                 \n2024-11-27T11:59:52.227142Z [info     ] Registered key Key(key_type=&lt;KeyType.PASSPHRASE: 'passphrase'&gt;, value='glad-design-paper-airplane', provider='luks', identifier=None, is_wildcard=False) [dissect.target.helpers.keychain] \n2024-11-27T11:59:52.227562Z [info     ] Registered key Key(key_type=&lt;KeyType.RECOVERY_KEY: 'recovery_key'&gt;, value='395791-328042-677721-279895-554466-214599-232023-709148', provider='bitlocker', identifier=None, is_wildcard=False) [dissect.target.helpers.keychain] \n2024-11-27T11:59:53.719915Z [info     ] Volume &lt;Volume name='part_71800000' size=19569573376 fs=None&gt; unlocked with Key(key_type=&lt;KeyType.PASSPHRASE: 'passphrase'&gt;, value='glad-design-paper-airplane', provider='luks', identifier=None, is_wildcard=False) (keyslot: 0) [dissect.target.volumes.luks] \n2024-11-27T11:59:53.922164Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Can't identify filesystem: &lt;Volume name='part_00100000' size=1048064 fs=None&gt; [dissect.target.target] \n2024-11-27T11:59:54.733524Z [info     ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Found compatible OS plugin: DebianPlugin [dissect.target.target] \n2024-11-27T11:59:54.770648Z [info     ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Found compatible OS plugin: LinuxPlugin [dissect.target.target] \n2024-11-27T11:59:54.791479Z [info     ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Found compatible OS plugin: UnixPlugin [dissect.target.target] \n2024-11-27T11:59:54.802888Z [warning  ] &lt;Target Ubuntu 64-bit 24.04.1.vmwarevm&gt;: Unsupported mount device: \/dev\/disk\/by-id\/dm-uuid-LVM-YZiSLhoYFljS62k2vIjl3IcTwSkd0QguADKOf0a8t9am1jNdm9J1zerrDU7SWWFd \/ [dissect.target.target] \n\npersonnel-VMware-Virtual-Platform:\/$ cat \/home\/personnel\/Desktop\/secretLinuxfile \n\"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor 
incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\"<\/code><\/pre>\n<p>Last but not least, Dissect also contains the <code>fve-dd<\/code> utility. <code>fve-dd<\/code> can be used to decrypt an entire disk, which allows a wider range of external tools to be used. <code>fve-dd<\/code> works on any supported Dissect container. The individual VMDK files can be extracted from the <code>.vmwarevm<\/code> container:<\/p>\n<pre class=\"wp-block-code\"><code>$ ls\nVirtual Disk-s001.vmdk Virtual Disk-s002.vmdk Virtual Disk-s003.vmdk Virtual Disk-s004.vmdk Virtual Disk-s005.vmdk Virtual Disk-s006.vmdk Virtual Disk.vmdk<\/code><\/pre>\n<p>Now the disk can be decrypted using fve-dd. 
The decryption can take some time depending on the size of the disk:<\/p>\n<pre class=\"wp-block-code\"><code>$ fve-dd -p glad-design-paper-airplane -o decrypted.dd \"Virtual Disk.vmdk\" -v<\/code><\/pre>\n<p>Dissect and other tools can be used on the decrypted disk:<\/p>\n<pre class=\"wp-block-code\"><code>$ target-info decrypted.dd                                                                                                                                                                     \n[\u2026]\n\nDisks\n- &lt;Disk type=\"RawContainer\" size=\"21458059264\"&gt;\n\nVolumes\n- &lt;Volume name=\"part_00100000\" size=\"1048064\" fs=\"NoneType\"&gt;\n- &lt;Volume name=\"part_00200000\" size=\"1902116352\" fs=\"ExtFilesystem\"&gt;\n- &lt;Volume name=\"part_71800000\" size=\"19569573376\" fs=\"NoneType\"&gt;\n- &lt;Volume name=\"ubuntu--vg-ubuntu--lv\" size=\"19549650944\" fs=\"ExtFilesystem\"&gt;\n\nHostname       : personnel-VMware-Virtual-Platform\nDomain         : None\nIps            :\nOs family      : linux\nOs version     : Ubuntu 24.04.1 LTS (Noble Numbat)\nArchitecture   : x86_64-linux\nLanguage       : en_US, en_US\nTimezone       : Europe\/Amsterdam\nInstall date   : 2024-11-27T11:33:29.665213+00:00\nLast activity  : 2024-11-27T11:45:34.821181+00:00<\/code><\/pre>\n<p>Have fun with the latest version of Dissect!\u00a0\u00a0<\/p>\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Author: Guus Beckers Back in\u00a02022\u00a0Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regular workflow. 
For those of you who are not yet familiar with Dissect, it is an incident response framework built with incident response engagements of any [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[11,1],"tags":[12,13,14,16],"acf":[],"_links":{"self":[{"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/posts\/2005"}],"collection":[{"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/comments?post=2005"}],"version-history":[{"count":0,"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/posts\/2005\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/media?parent=2005"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/categories?post=2005"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linkcyb.com\/wp-json\/wp\/v2\/tags?post=2005"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}