    Volatility plugin for recovering BitLocker keys

    Thomas White has developed a Volatility plugin that extracts BitLocker keys from Windows 7 memory images. The plugin can also be used on Windows 8 – 10, but according to the author it isn’t entirely reliable there.

    Here is how the plugin operates:

    • Obtains the Windows version from the profile metadata.
    • If the version is lower than Windows 8:
      • Searches for the FVEc pool tag.
      • Identifies the BitLocker mode.
      • Extracts the FVEK of the appropriate length, and the TWEAK key if applicable.
    • If the version is higher than Windows 8:
      • Searches for the Cngb pool tag with a pool size of 672.
      • Attempts to identify the key length (does not work properly for XTS-AES in Win10).
      • Extracts either a 128-bit or a 256-bit key.
      • Cannot guarantee that the extracted key is a BitLocker FVEK.
    • Prints the results.
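
The tag-and-size search in the steps above, as an added example (not the plugin's own code): it only locates candidate pool allocations and does not extract key material. It assumes an x64 image with a 16-byte `_POOL_HEADER`, that the pool size of 672 counts the header, and that Windows 8 itself takes the Cngb branch; the function names and the sample buffer are constructed for illustration.

```python
import struct

POOL_ALIGN = 16   # assumption: x64 image, pool blocks are 16-byte aligned
TAG_OFFSET = 4    # PoolTag sits 4 bytes into the x64 _POOL_HEADER

def make_pool_header(tag, size):
    """Constructed 16-byte x64 pool header, used only for the sample buffer."""
    # PreviousSize, PoolIndex, BlockSize (16-byte units), PoolType, PoolTag, ProcessBilled
    return struct.pack("<BBBB4sQ", 0, 0, size // POOL_ALIGN, 2, tag, 0)

def scan_pool_tag(mem, tag, size=None):
    """Return (header_offset, block_size) for each aligned header carrying tag."""
    hits = []
    pos = mem.find(tag)
    while pos != -1:
        hdr = pos - TAG_OFFSET
        if hdr >= 0 and hdr % POOL_ALIGN == 0:      # drop stray, misaligned matches
            block_size = mem[hdr + 2] * POOL_ALIGN  # BlockSize byte -> bytes
            if size is None or block_size == size:
                hits.append((hdr, block_size))
        pos = mem.find(tag, pos + 1)
    return hits

def find_candidates(mem, nt_version):
    """Version branch from the list above; nt_version is (major, minor)."""
    if nt_version < (6, 2):                          # Windows 7 is NT 6.1
        return scan_pool_tag(mem, b"FVEc")
    # Windows 8 (NT 6.2) and later take this branch in this example
    return scan_pool_tag(mem, b"Cngb", size=672)

def build_sample():
    """Constructed 4 KiB buffer standing in for a memory image."""
    buf = bytearray(0x1000)
    buf[0x100:0x110] = make_pool_header(b"FVEc", 0x200)
    buf[0x400:0x410] = make_pool_header(b"Cngb", 672)
    buf[0x800:0x810] = make_pool_header(b"Cngb", 0x80)  # wrong size
    buf[0xA03:0xA07] = b"Cngb"                          # misaligned stray bytes
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample()
    for ver in ((6, 1), (10, 0)):
        for off, sz in find_candidates(sample, ver):
            print(f"NT {ver[0]}.{ver[1]}: candidate at {off:#x}, size {sz}")
```

The size filter is what keeps the Cngb search usable, and a hit is still only a candidate, which matches the plugin's own caveat that it cannot guarantee the key is a BitLocker FVEK.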

    Here is an example for a Windows 10 image (CBC):

    [Screenshot: Win10CBC]

    More information about recovering BitLocker keys on Windows 8.1 and 10 is available on Thomas’ blog.

    Download plugin: https://github.com/tribalchicken/volatility-bitlocker