
Failed to parse BitLocker-encrypted image, but success with the same image mounted with bdemount #4877

Open
certxlm opened this issue Apr 16, 2024 · 0 comments

certxlm commented Apr 16, 2024

Describe the problem:

When running on a BitLocker-encrypted raw image (dd) and providing credentials, Plaso fails to parse artifacts despite the image being correctly decrypted (at least partially; see the attached pinfo files, where we can see MFT entries for the target files).

However, using bdemount to mount the same image with the recovery key and running Plaso again returns the expected results.

To Reproduce:

The version of Plaso you used:

20240308

The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze):

Ubuntu 22.04

Steps to reproduce the behavior including command line and arguments and output:

First we ran log2timeline with the prefetch parser (and an adequate filter) on the raw image with the credential parameter:
log2timeline.py --credential recovery_password:XXXXXX-...-XXXXXX --parsers prefetch ...
This produced an empty result (see the attached pinfo.prefetch.rawimage.txt below). However, the files are listed, which probably means the decryption is successful.

Then we mounted the device with bdemount and ran Plaso again, which produced the expected results (see the attached pinfo.prefetch.bdemount.txt below).

The same behaviour is observed when running other parsers, such as amcache (again, see the attached files below).

We hope the attached debug output is enough; if we can share more information we'll try, but since the image is part of an ongoing investigation, we are not allowed to share it.

The method you used to install Plaso:

We used two versions, for the same results:

  • installed from the GiFT PPA (https://launchpad.net/~gift), stable track
  • installed from Docker

Expected behavior:

We expect Plaso to successfully parse encrypted data when provided with the correct recovery key.

Debug output/tracebacks:

output.plaso.prefetch.log.gz
pinfo.prefetch.bdemount.txt
pinfo.prefetch.rawimage.txt

output.plaso.winreg_amcache.log.gz
pinfo.amcache.bdemount.txt
pinfo.amcache.rawimage.txt

Additional context

This is the output of fdisk and hexdump of the start of the partition:
fdisk.txt

This is the output of bdeinfo:
bdeinfo.txt

Note:
The same disk image decrypted with dislocker-file and run through Plaso also produces correct results.
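
The two runs compared in this report, written out as an added example script (not code from the issue or from the Plaso project): the first run hands the recovery password to log2timeline.py via --credential and lets Plaso decrypt the raw image itself; the second mounts the BitLocker volume with bdemount and points Plaso at the decrypted bde1 file instead. Assumptions: libbde's bdemount and Plaso's log2timeline.py/pinfo.py are on PATH, the input is a raw dd image, the byte offset of the BitLocker partition is taken from fdisk, and bdemount exposes the decrypted volume as <mount_point>/bde1. The recovery-password check at the top is a general BitLocker property, not something the issue discusses: the 48-digit key is eight hyphen-separated groups of six digits, and every group is a multiple of 11 because its last digit is a check digit; validating that first avoids a long log2timeline pass on a mistyped key.

```shell
#!/bin/sh
# Added example: reproduce the raw-image vs. bdemount comparison from the
# issue. Not part of the issue or of Plaso. Assumes bdemount, log2timeline.py
# and pinfo.py are on PATH and that bdemount exposes the volume as bde1.
set -eu

# A BitLocker recovery password is 8 groups of 6 digits, hyphen separated,
# and each group is a multiple of 11 (its last digit is a check digit).
# Returns 0 when the string has that shape, 1 otherwise.
valid_recovery_password() {
  pw="$1"
  printf '%s\n' "$pw" | grep -Eq '^([0-9]{6}-){7}[0-9]{6}$' || return 1
  (
    IFS='-'
    for group in $pw; do
      # strip leading zeros so 000011 is not parsed as an octal constant
      n="${group#"${group%%[!0]*}"}"
      [ $(( ${n:-0} % 11 )) -eq 0 ] || exit 1
    done
  )
}

# Path of the decrypted volume that bdemount exposes under the mount point.
bde_volume_path() {
  printf '%s/bde1\n' "${1%/}"
}

# Credential argument in the TYPE:DATA form log2timeline's --credential expects.
credential_arg() {
  printf 'recovery_password:%s\n' "$1"
}

# Run 1: Plaso on the raw image, decrypting through --credential.
run_on_raw_image() {
  image="$1"; pw="$2"; out="$3"
  log2timeline.py --credential "$(credential_arg "$pw")" \
    --parsers prefetch --storage-file "$out" "$image"
}

# Run 2: mount the BitLocker volume with bdemount, then run Plaso on bde1.
run_via_bdemount() {
  image="$1"; pw="$2"; offset="$3"; mnt="$4"; out="$5"
  mkdir -p "$mnt"
  bdemount -r "$pw" -o "$offset" "$image" "$mnt"
  vol="$(bde_volume_path "$mnt")"
  if [ ! -e "$vol" ]; then
    echo "bdemount did not expose $vol" >&2
    return 1
  fi
  log2timeline.py --parsers prefetch --storage-file "$out" "$vol"
  fusermount -u "$mnt"
}

main() {
  image="$1"; pw="$2"; offset="$3"; mnt="${4:-/mnt/bde}"
  if ! valid_recovery_password "$pw"; then
    echo "recovery password is malformed (expect 8 groups of 6 digits)" >&2
    return 1
  fi
  run_on_raw_image "$image" "$pw" raw.plaso
  run_via_bdemount "$image" "$pw" "$offset" "$mnt" bdemount.plaso
  # Summaries to diff: an empty parser count in the raw run reproduces the report.
  pinfo.py raw.plaso > pinfo.prefetch.rawimage.txt
  pinfo.py bdemount.plaso > pinfo.prefetch.bdemount.txt
}

# usage: ./compare_bde.sh image.dd XXXXXX-XXXXXX-...-XXXXXX <partition_offset_bytes> [/mnt/bde]
if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

The two pinfo summaries are what the issue attaches: the same parser over the same decrypted bytes should show the same event counts, so a difference between pinfo.prefetch.rawimage.txt and pinfo.prefetch.bdemount.txt isolates the problem to the in-process decryption path rather than to the parser.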

@joachimmetz joachimmetz self-assigned this Apr 16, 2024
@joachimmetz joachimmetz added the needs closer look Issue that requires further analysis by a maintainer label Apr 16, 2024