Testing BitLocker Security
Digital forensics investigations need to collect computer-related evidence of a crime without compromising the integrity of the device. Investigators therefore clone disks with a special device that has no write-to-disk option. An example is shown below.

The original disk has to be labeled and put in a safe place. The investigation must continue using the cloned image only.
In this write-up I will showcase how to crack a BitLocker image and mount the disk image as a read-only drive on a Linux file system. For this demonstration I chose a workstation with 4 CPU cores and 8 GB of RAM. My environment will be prepared in VirtualBox.
Prepare environment
Download and import Kali Linux [1] and Windows 10 [2]. In this demo, my suspect device will be the Windows VM.
Default VM credentials are:
user IEUser
password Passw0rd!
Setup an encrypted disk
Once you are logged in, open the Disk Management utility. We will shrink the current one and create a new disk with 1 GB of space.

Create a new volume using the unused space; the default settings are fine.
Manage BitLocker
Type BitLocker in the Start menu; you should see the application “Manage BitLocker”. Use the “Turn On BitLocker” function to begin the process. Select password encryption, then save the recovery key in whatever place you like. Use the first mode, which is faster and best for new PCs and drives.

Then choose the new encryption mode.

Start the encryption process.

Now you can add any text file to the volume; we will use it later in the demo as a test.
Make disk read only
Turn off the VM and detach the disk.
Open CMD and use the commands below to set read-only mode. Make sure your disk is detached from the Windows 10 VM, and then make it immutable.
cd "%programfiles%\oracle\Virtualbox\"
VBoxManage modifymedium disk "%USERPROFILE%\VirtualBox VMs\MSEdge - Win10\MSEdge - Win10-disk001.vdi" --type immutable
Attach it to Kali Linux.

Choose a Windows disk.

Like this

Kali
Log in to the Kali VM with the default credentials.
user kali
password kali
Open a terminal and type the command:
lsblk

We will need root privileges for the next step.
sudo -s
Enter the password (kali)
and then paste the command below:
bitlocker2john -i /dev/sdb2
You will see a long list of characteristics of the locked partition.
We are interested in this part:
User Password hash:
$bitlocker$0$16$e41497352cb4e6c7e5cdb8f63446fa52$1048576$12$204c491885dad50103000000$60$9dfc6d4d2c16fc76b8bbdce16b3234bd4df708becf03fd127b1bac121c7f7e3d179eaa6c4b5438ef22bb053cff4776c861491afd80e1b419b99418b0
Create a text file containing only the hash value.
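Copying a 200-character hash by hand is where this step usually goes wrong. As an added example, not part of the original write-up, the Python code below pulls the $bitlocker$ string out of the tool output and checks that each hex field has the byte length declared in front of it (16-byte salt, 12-byte nonce, 60-byte data blob), so a truncated paste is caught before hashcat rejects it. The field names and the parse_hashes helper are this example's own labels (assumptions); the sample is the hash line from this page.

```python
import re
from dataclasses import dataclass

# $bitlocker$<type>$<salt len>$<salt>$<iterations>$<nonce len>$<nonce>$<data len>$<data>
# Field names are this example's labels for the positional values (assumption).
HASH_RE = re.compile(
    r"\$bitlocker\$(\d+)\$(\d+)\$([0-9a-fA-F]+)\$(\d+)"
    r"\$(\d+)\$([0-9a-fA-F]+)\$(\d+)\$([0-9a-fA-F]+)"
)

@dataclass(frozen=True)
class BitLockerHash:
    text: str        # exact string to put in hash.txt
    kind: int
    salt: bytes
    iterations: int  # key-stretching rounds; 1048576 in the hash on this page
    nonce: bytes
    data: bytes

def parse_hashes(output):
    """Return every well-formed $bitlocker$ hash found in tool output."""
    found = []
    for m in HASH_RE.finditer(output):
        kind, salt_len, salt, iters, nonce_len, nonce, data_len, data = m.groups()
        # Each hex field must match the byte length declared in front of it;
        # a mismatch means the line was truncated or mangled when copied.
        for name, declared, hexstr in (("salt", salt_len, salt),
                                       ("nonce", nonce_len, nonce),
                                       ("data", data_len, data)):
            if len(hexstr) != 2 * int(declared):
                raise ValueError(f"{name}: declared {declared} bytes, "
                                 f"found {len(hexstr)} hex characters")
        found.append(BitLockerHash(m.group(0), int(kind), bytes.fromhex(salt),
                                   int(iters), bytes.fromhex(nonce),
                                   bytes.fromhex(data)))
    return found

# The hash line from this page, with its label as bitlocker2john printed it.
SAMPLE_OUTPUT = (
    "User Password hash:$bitlocker$0$16$e41497352cb4e6c7e5cdb8f63446fa52"
    "$1048576$12$204c491885dad50103000000$60$9dfc6d4d2c16fc76b8bbdce16b3234bd"
    "4df708becf03fd127b1bac121c7f7e3d179eaa6c4b5438ef22bb053cff4776c861491afd"
    "80e1b419b99418b0\n"
)

if __name__ == "__main__":
    for h in parse_hashes(SAMPLE_OUTPUT):
        print(h.text)
        print(f"type={h.kind} iterations={h.iterations} salt={len(h.salt)}B "
              f"nonce={len(h.nonce)}B data={len(h.data)}B")
```

The iterations field is what makes every guess expensive, which is why the hashcat runs below report speeds in tens of hashes per second.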
Hashcat
We need to clone hashcat from its GitHub repository to get the latest version, which has BitLocker support.
git clone https://github.com/hashcat/hashcat
Compile it:
cd hashcat && make
Run hashcat:
./hashcat -m 22100 ~/hash.txt -a 3 ?l?l?l?l?l?l?l?l --force
We see it will take ages. Yes, it’s running on a VM, but on a GPU it’s not much faster. I tested on two RX 480s; it was around 350 H/s.
Session..........: hashcat
Status...........: Running
Hash.Name........: BitLocker
Hash.Target......: $bitlocker$0$16$e41497352cb4e6c7e5cdb8f63446fa52$10...9418b0
Time.Started.....: Mon Feb 3 07:39:47 2020, (40 secs)
Time.Estimated...: Mon May 27 06:29:24 2419, (399 years, 112 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 17 H/s (7.48ms) @ Accel:16 Loops:4096 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 640/208827064576 (0.00%)
Rejected.........: 0/640 (0.00%)
Restore.Point....: 0/8031810176 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:921600-925696
Candidates.#1....: oarierin -> oranerin
With a little bit of adjustment:
./hashcat -m 22100 ~/hash.txt -a 3 passwo?l?l --force
Now it will take less than 10 minutes.
$bitlocker$0$16$e41497352cb4e6c7e5cdb8f63446fa52$1048576$12$204c491885dad50103000000$60$9dfc6d4d2c16fc76b8bbdce16b3234bd4df708becf03fd127b1bac121c7f7e3d179eaa6c4b5438ef22bb053cff4776c861491afd80e1b419b99418b0:password
Session..........: hashcat
Status...........: Cracked
Hash.Name........: BitLocker
Hash.Target......: $bitlocker$0$16$e41497352cb4e6c7e5cdb8f63446fa52$10...9418b0
Time.Started.....: Mon Feb 3 07:55:15 2020, (2 secs)
Time.Estimated...: Mon Feb 3 07:55:17 2020, (0 secs)
Guess.Mask.......: passw?l?l?l [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 17 H/s (7.34ms) @ Accel:16 Loops:4096 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32/17576 (0.18%)
Rejected.........: 0/32 (0.00%)
Restore.Point....: 0/17576 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1044480-1048576
Candidates.#1....: passwone -> passwhin
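The Progress lines above show the size of each mask's keyspace (208827064576 for eight lowercase letters, 17576 once five characters are known). As an added example, not part of the original write-up, this Python code computes the keyspace of a hashcat mask from the built-in charsets and converts it to worst-case time at the 17 H/s and 350 H/s rates quoted on this page, which is the calculation to run when sizing a BitLocker password policy. The function names are hypothetical, and custom charsets (?1 to ?4) are deliberately not handled.

```python
# Sizes of hashcat's built-in mask charsets.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                 "s": 33, "a": 95, "b": 256}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def mask_keyspace(mask):
    """Number of candidates a mask generates; literal characters count once."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        code = mask[i + 1]
        if code == "?":
            pass                        # '??' is a literal question mark
        elif code in CHARSET_SIZES:
            total *= CHARSET_SIZES[code]
        else:
            raise ValueError(f"unsupported charset ?{code}")
        i += 2
    return total

def worst_case_seconds(mask, rate_hs):
    """Time to exhaust the whole mask at rate_hs guesses per second."""
    if rate_hs <= 0:
        raise ValueError("rate must be positive")
    return mask_keyspace(mask) / rate_hs

def humanize(seconds):
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    # Masks taken from the commands and status output on this page, plus a
    # constructed 12-character full-printable-ASCII mask for comparison.
    masks = ("?l?l?l?l?l?l?l?l", "passw?l?l?l", "passwo?l?l", "?a" * 12)
    for mask in masks:
        for rate in (17, 350):          # H/s figures quoted on this page
            print(f"{mask:<26} {mask_keyspace(mask):>26} candidates "
                  f"@ {rate:>3} H/s -> {humanize(worst_case_seconds(mask, rate))}")
```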
Alright, now we have the password, so we can mount the disk and check what’s inside:
sudo apt update && sudo apt install dislocker -y
Create folders for the mount points:
mkdir -p /mnt/windowsDisk/
mkdir -p /mnt/bitlocker/
Mount the drive locally:
dislocker /dev/sdb2 -upassword /mnt/bitlocker/
mount -o loop /mnt/bitlocker/dislocker-file /mnt/windowsDisk/
Check the disk content:
ls /mnt/windowsDisk/
$RECYCLE.BIN/ System Volume Information/ test.rtf
This is the test file we created before.
Conclusion
BitLocker has a strong encryption mechanism. We can use it to encrypt the full disk of our laptop, but we need to keep in mind that a backup policy has to be implemented and the recovery key has to be kept in a safe place.
Enable Write to disk
cd "%programfiles%\oracle\Virtualbox\"
VBoxManage modifymedium disk "%USERPROFILE%\VirtualBox VMs\MSEdge - Win10\MSEdge - Win10-disk001.vdi" --type normal
References:
[1] https://images.offensive-security.com/virtual-images/kali-linux-2020.1-vbox-amd64.ova
[2] https://az792536.vo.msecnd.net/vms/VMBuild_20190311/VirtualBox/MSEdge/MSEdge.Win10.VirtualBox.zip
[3] https://openwall.info/wiki/john/OpenCL-BitLocker