Volatility plugin for recovering BitLocker keys
Thomas White has developed a Volatility plugin that can extract BitLocker keys from Windows 7. The plugin can also be used for Windows 8 – 10 but, according to the author, isn’t entirely reliable.
Here is how the plugin operates:
- Obtains Windows version from profile metadata.
- If the version is lower than Windows 8:
  - Searches for FVEc pool tag
  - Identifies BitLocker mode
  - Extracts FVEK of appropriate length and TWEAK key if applicable
- If the version is higher than Windows 8:
  - Searches for Cngb pool tag with a pool size of 672
  - Attempts to identify key length (Does not work properly for XTS-AES in Win10)
  - Extracts either 128-bit or 256-bit key
  - Is unable to guarantee it is a BitLocker FVEK.
- Prints the results.
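The pool-tag search from the list above, as an added example (not Thomas White's plugin code). It only locates candidate allocations and does not extract keys, since the page gives no key offsets. The x64 pool header layout, the NT 6.2 cut-off for Windows 8, reading 672 as the block size including the header, and the sample buffer are assumptions made here.

```python
import struct

# Assumptions (not from the plugin): x64 _POOL_HEADER is 16 bytes, 16-byte
# aligned, with BlockSize in byte 2 (16-byte units) and PoolTag at offset 4.
POOL_ALIGN = 16
TAG_OFFSET = 4

def scan_pool_tag(buf, tag, want_size=None):
    """Return [(header_offset, block_bytes)] for plausible headers carrying tag."""
    hits = []
    pos = buf.find(tag)
    while pos != -1:
        hdr = pos - TAG_OFFSET
        # A tag that is not preceded by an aligned header is a stray byte match.
        if hdr >= 0 and hdr % POOL_ALIGN == 0:
            size = buf[hdr + 2] * POOL_ALIGN
            fits = size > 0 and hdr + size <= len(buf)
            if fits and want_size in (None, size):
                hits.append((hdr, size))
        pos = buf.find(tag, pos + 1)
    return hits

def candidate_blocks(buf, nt_version):
    """Pick the tag and size filter from the Windows version, as the list describes."""
    if nt_version < (6, 2):  # before Windows 8 (assumed cut-off: NT 6.2)
        return scan_pool_tag(buf, b"FVEc")
    # Cngb is a generic tag: a hit is only a candidate, not a confirmed FVEK.
    return scan_pool_tag(buf, b"Cngb", want_size=672)

def _block(tag, size):
    """Constructed pool block: 16-byte header followed by a zeroed body."""
    header = struct.pack("<BBBB4s8x", 0, 0, size // POOL_ALIGN, 2, tag)
    return header + bytes(size - len(header))

# Constructed sample buffer, not real memory: one Cngb block of 672 bytes,
# one Cngb block of the wrong size, one FVEc block, and a misaligned stray tag.
SAMPLE = (bytes(32) + _block(b"Cngb", 672) + _block(b"Cngb", 128)
          + _block(b"FVEc", 512) + bytes(6) + b"Cngb" + bytes(22))

if __name__ == "__main__":
    for version in ((6, 1), (10, 0)):
        for off, size in candidate_blocks(SAMPLE, version):
            print(f"NT {version[0]}.{version[1]}: header at {off:#x}, {size} bytes")
```
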
Here is an example from a Windows 10 image (CBC):
More info about recovering BitLocker keys on Windows 8.1 and 10 at Thomas’ blog.