Tuesday, April 22, 2014

Using dislocker to mount BitLocker encrypted devices on Linux

dislocker is a free utility that can be used to mount BitLocker-encrypted volumes on Linux. Here is a quick guide on how to use it. I installed it on Kali Linux, but it can be installed anywhere.

To download the application visit:
http://www.hsc.fr/ressources/outils/dislocker/download/
http://www.hsc.fr/ressources/outils/dislocker/download/dislocker.tar.gz

Once downloaded extract the file:

root@kali:~# tar -xvf dislocker.tar.gz 

We have two options for compiling: with or without FUSE. With FUSE we can mount the volume and browse it; without it, the only way to check the contents is to decrypt the full drive, which is not that efficient. So let's go for FUSE here. Edit the Makefile, and set __RUN_FUSE to 1 and __RUN_FILE to 0:

dislocker/src/Makefile

# Choose between one of them (done automatically by using `make fuse' or `make file')
__RUN_FUSE = 1
__RUN_FILE = 0


Then compile the app:

root@kali:~/dislocker/src# make
gcc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.3\" -D_FILE_OFFSET_BITS=64 -I/usr/include -I. -L/usr/lib64 -D__ARCH_X86_64 -D__RUN_FUSE -DFUSE_USE_VERSION=26 -c -o outputs/fuse/fuse.o outputs/fuse/fuse.c
In file included from ./dislocker.h:28:0,
                 from outputs/fuse/fuse.c:33:
./outputs/fuse/fuse.h:32:19: fatal error: fuse.h: No such file or directory
compilation terminated.
make: *** [outputs/fuse/fuse.o] Error 1

If you get the error above, you need the FUSE header files. To install them, run:

apt-get install libfuse-dev

Then compile dislocker again; it should build now.

root@kali:~/dislocker/src# make
root@kali:~/dislocker/src# make install

Once it's installed, let's check the help:


For decryption you can use the recovery key (decryption key), the user supplied password or the bekfile.

I created a VHD test image for this, here are the details:

root@kali:~# fdisk -l

Disk /dev/sdb: 104 MB, 104857600 bytes
255 heads, 63 sectors/track, 12 cylinders, total 204800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x6fa418dc

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1             128      198783       99328    7  HPFS/NTFS/exFAT

I will need to decrypt /dev/sdb1. First I will try it using the decryption keys. The steps are to read the volume, and then mount it with fuse. When we first read in the volume (decrypt) we will get a single file, called "dislocker-file", which can be mounted later. There is a single file on my test drive.

root@kali:~# dislocker -v -V /dev/sdb1 -p275374-090651-082764-392205-130460-581966-062942-402083 -- /mnt/tmp
root@kali:~# ls /mnt/tmp/
dislocker-file
root@kali:~# mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis
root@kali:~# ls /mnt/dis/
my super secret file.txt.txt  $RECYCLE.BIN  System Volume Information
root@kali:~# cat /mnt/dis/my\ super\ secret\ file.txt.txt 
You got it!


The process is very similar if we use the actual password, which is "password" in this case.

root@kali:~# dislocker -v -V /dev/sdb1 -upassword -- /mnt/tmp2
root@kali:~# mount -o loop,ro /mnt/tmp2/dislocker-file /mnt/dis2
root@kali:~# ls /mnt/dis2/
my super secret file.txt.txt  $RECYCLE.BIN  System Volume Information
root@kali:~# cat /mnt/dis2/my\ super\ secret\ file.txt.txt 
You got it!
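
The procedure above as one script, added here as an example (it is not part of the original post or of dislocker). It checks the 8-byte signature at offset 3 of the volume, which is the field behind the "-FVE-FS-" / "MSWIN4.1" abort reported in the comments, creates both mount points, and unlocks with a bare -u so the password is prompted for instead of ending up in the process list and shell history as it does with -upassword. The function names, return codes and the bitlocker/fat/ntfs labels are assumptions; -r is the read-only option used by one of the commenters.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, return codes
# and mount-point paths are assumptions chosen for illustration.

# Print the 8-byte signature stored at offset 3 of the volume's first sector.
volume_signature() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null | tr -d '\000'
}

# Map that signature to what dislocker will make of the volume.
classify_volume() {
    case "$(volume_signature "$1")" in
        -FVE-FS-)   echo bitlocker ;;  # the signature dislocker looks for
        MSWIN4.1)   echo fat ;;        # the case reported in the comments
        "NTFS    ") echo ntfs ;;       # plain NTFS, nothing to decrypt
        *)          echo unknown ;;
    esac
}

# Unlock DEV into FUSE_DIR, then loop-mount the decrypted view on NTFS_DIR.
unlock_and_mount() {
    dev=$1 fuse_dir=$2 ntfs_dir=$3
    [ -r "$dev" ] || { echo "cannot read $dev" >&2; return 2; }
    kind=$(classify_volume "$dev")
    if [ "$kind" != bitlocker ]; then
        echo "$dev has a '$kind' signature, not -FVE-FS-" >&2
        return 3
    fi
    # Both directories must exist first, or FUSE reports "bad mount point".
    mkdir -p "$fuse_dir" "$ntfs_dir" || return 4
    # -u without a value prompts, so the password never lands in argv or
    # shell history; -r keeps the dislocker layer read-only.
    dislocker -r -V "$dev" -u -- "$fuse_dir" || return 5
    # After a successful unlock the FUSE directory exposes dislocker-file.
    [ -f "$fuse_dir/dislocker-file" ] || return 6
    mount -o loop,ro "$fuse_dir/dislocker-file" "$ntfs_dir" || return 7
}

# Run only when called as: script DEVICE FUSE_DIR NTFS_DIR
if [ "$#" -eq 3 ]; then
    unlock_and_mount "$@"
fi
```

To release the volume afterwards, unmount the NTFS directory first and the FUSE directory second.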


36 comments:

Mike said...

Thank you for your clear description of this process - it may have helped me this morning.

The operation seemed to have been successful. There were no errors, and the new drive appears in the folder tree. However, when I navigate to it, I get the error "The specified directory /xx/xxx is not valid". I can hear the computer humming away, so I assume it's still decrypting. Does this seem reasonable? Any idea how long this might take for a 300GB drive?

Csaba Fitzl said...

Mike,

I always used dislocker with fuse, in which case it won't decrypt the drive ahead, it should work right away. Have you created the directories, where you mounted them? In my example I had to create these folders, before mounting to them: /mnt/tmp/ and /mnt/dis/

Mike said...

Hmm - my attempt was also with fuse. I did create the folders in advance. Perhaps it's related to the fact that I'm using a live USB, rather than a real linux install. I didn't use /mnt/*, but tried mounting within /home/desktop/*

Mike said...

YAY! It did work as described. I had just neglected to enter the final mnt command (i.e. mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis)

Thanks so much!

Csaba Fitzl said...

Welcome! Glad that it worked :)

Tom said...

I am testing this app, but without success. I installed dislocker fuse on Kali Linux 1.07 running on USB Live. I installed libfuse-dev and ran "make fuse" and "make install". Everything seems to be OK, as the instructions state. I know the user password and "fdisk -l" shows sda1, so I try

"dislocker -v -V /dev/sda1 -u"my_password" -- /mnt/tmp2".

The response is:
"[ERROR] Error, cant find a valid and matching VMK datum. Abort.
[CRITICAL] None of the provided decryption mean is decrypting the keys. Abort"

I tried both with and without "-- /mnt/tmp2", no difference. If I do not specify the password parameter "-upassword", it of course asks for the password, but the response is the same.

Any ideas?

Csaba Fitzl said...

Tom,

Is the password correct? Isn't the disk corrupted? Can you try my test image to see if that gives the same error?

Marvin said...

I can't mount the dislocker-file. I must specify the filesystem type but when I use ntfs it shows me following:

ubuntu@ubuntu:~/Desktop/dislocker/src$ sudo mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis -t ntfs
Failed to read last sector (3886049279): Invalid argument
HINTS: Either the volume is a RAID/LDM but it wasn't setup yet,
or it was not setup correctly (e.g. by not using mdadm --build ...),
or a wrong device is tried to be mounted,
or the partition table is corrupt (partition is smaller than NTFS),
or the NTFS boot sector is corrupt (NTFS size is not valid).
Failed to mount '/dev/loop1': Invalid argument
The device '/dev/loop1' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?

Can somebody help me plz? Thanks

Michael said...

When using that mount point it throws the error:

dislocker -v -V /dev/sdd1 -upassword /mnt/tmp2
fuse: bad mount point `/mnt/tmp2': No such file or directory

I solved it by creating the mount point at /root/tmp2/

Also, does it support mounting as read/write? Would be awesome.

Kiernan Annas said...

Michael,

You can mount read/write, although this doesn't work with Windows 8.

When you mount a Win 8 drive it will silently mount as ro (even though mount shows as rw).

The source code says that Windows 8 isn't supported yet.

Aftersox said...

Thanks for the post. I was able to mount a drive that was sent to me on Ubuntu 14.04 server. Here is a brief synopsis of what I did.

After installation:

sudo su
cd /media
mkdir dis1
mkdir dis2
dislocker -v -V /dev/sdf1 -upassword /media/dis1
mount -o loop,ro /media/dis1/dislocker-file /media/dis2
cd /media/dis2
ls

Dushyant Bangal said...

It won't compile even after using
apt-get install libfuse-dev

Here's what I get:

ubuntu@ubuntu:~/dislocker/src$ sudo make
make[1]: Entering directory `/home/ubuntu/dislocker/src/polarssl'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/polarssl'
make[1]: Entering directory `/home/ubuntu/dislocker/src/accesses'
make[2]: Entering directory `/home/ubuntu/dislocker/src/accesses/bek'
make[2]: Leaving directory `/home/ubuntu/dislocker/src/accesses/bek'
make[2]: Entering directory `/home/ubuntu/dislocker/src/accesses/rp'
make[2]: Leaving directory `/home/ubuntu/dislocker/src/accesses/rp'
make[2]: Entering directory `/home/ubuntu/dislocker/src/accesses/user_pass'
make[2]: Leaving directory `/home/ubuntu/dislocker/src/accesses/user_pass'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/accesses'
make[1]: Entering directory `/home/ubuntu/dislocker/src/metadata'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/metadata'
make[1]: Entering directory `/home/ubuntu/dislocker/src/ntfs'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/ntfs'
make[1]: Entering directory `/home/ubuntu/dislocker/src/encryption'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/encryption'
gcc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.3\" -D_FILE_OFFSET_BITS=64 -I/usr/include -I. -L/usr/lib64 -D__ARCH_X86_64 -D__RUN_FUSE -DFUSE_USE_VERSION=26 -o dislocker dislocker.o common.o sectors.o config.o xstd/xstdio.o xstd/xstdlib.o outputs/fuse/fuse.o metadata/datums.o metadata/metadata.o metadata/vmk.o metadata/fvek.o metadata/extended_info.o accesses/rp/recovery_password.o accesses/bek/read_bekfile.o accesses/user_pass/user_pass.o accesses/stretch_key.o encryption/decrypt.o encryption/encrypt.o encryption/diffuser.o encryption/crc32.o ntfs/guid.o ntfs/clock.o ntfs/encoding.o polarssl/aes.o polarssl/sha2.o -lpthread -lfuse
dislocker.o: In function `main':
dislocker.c:(.text+0x87e): undefined reference to `file_main'
collect2: error: ld returned 1 exit status
make: *** [dislocker] Error 1

Anonymous said...

Hi, Great page, but would you mind updating this with some changes?

1. polarssl-dev not included in Trusty universe so likely should be compiled and installed from polarssl. Pull from git and install.

2. Therefore Makefile should be edited, but I don't know where:
I discovered this won't work:
LIB = -lpthread -lpolarssl -L. -L/usr/local/lib -L/usr/local/include/polarssl/

Fuse related variables no longer included so cannot enable FUSE like _RUN

Anonymous said...

Hi,

This happened when I tried polarssl-dev.

root@ubuntu:/usr/lib# apt-get install polarssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package polarssl-dev

I have 14.04 LTS universe added into sources.lst && apt-get update.

No idea.

Anonymous said...

Something has changed since the creation of the make file. The process does not currently work, but when manually installing libfuse-dev and libpolarssl-dev the rest of the process works as normal.

Process that worked for us was:

Extract the files to the desktop
Cd to the src directory in the dislocker extracted folder on the desktop
Enable universe (community maintained open-source software)
In terminal perform the following commands
apt-get install libfuse-dev
apt-get install libpolarssl-dev
make
make install
mkdir /mnt/tmp
dislocker -v -V /dev/sda2 -p -- /mnt/tmp
Enter the recovery password for the computer (access this via Active Directory on another computer)

Anonymous said...

hi and thanks for your description.
I can't write folders and files, (read only)..
(Muralex, using Linux Manjaro)

Peter MacDonald said...

Looks promising, but.. I am getting this error and Google reveals nothing!

[CRITICAL] The signature of the volume (MSWIN4.1) doesn't match the BitLocker's one (-FVE-FS-). Abort.

Any ideas?
Peter

Brandon said...

Hello,

I am getting the exact same error as Tom. The compile and make and all that went smoothly but I still get that error that Tom also had. The password is correct too.

Anonymous said...

I am also getting the same error as Tom.

James Dixon said...

Dushyant, try installing polarisssl-dev and see if it compiles. I had a similar problem, and that fixed it for me.

Dopefish said...

Hey guys...

I'm new to Linux and just worked out a way to update Kali Linux and install dislocker. I'll leave it here, in case it can help someone else...


Using Kali Linux 1.0.9a i386 bootable DVD

Edit "/etc/apt/sources.list" and add "deb http://us.archive.ubuntu.com/ubuntu trusty main universe"

Install programs using Terminal
"apt-get update"
"apt-get install git libfuse-dev libpolarssl-dev" Continue through update text, allow services to restart if needed
"git clone git://github.com/Aorimn/dislocker.git"
"cd /dislocker/src"
"make"
"make install"

Find drive Bitlocker volume
"fdisk -l"

Make folders in /MNT
"TMP"
"DIS"

Run dislocker
"dislocker -v -V /dev/ -p -- /mnt/tmp"

Check if file exists to confirm proper Bitlocker key
"ls /mnt/tmp"
Should return "dislocker-file" if correct

Mount volume
"mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis"

Browse to "/mnt/dis" for access to files

Csaba Fitzl said...

The error:
[CRITICAL] The signature of the volume (MSWIN4.1) doesn't match the BitLocker's one (-FVE-FS-). Abort.

Is most likely because dislocker doesn't support FAT file system.

See here:
https://github.com/Aorimn/dislocker/issues/3

Shargon said...

How to do a bruteforce with this tool?

Mayuresh Srivastava said...

Hi All

I am getting the below error while using make and make install:

[root@mayuresh src]# make
cc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.4.1\" -D_FILE_OFFSET_BITS=64 -DAUTHOR="\"Romain Coltel\"" -D__OS=\"Linux\" -D__ARCH=\"i686\" -D__ARCH_I686 -D__LINUX -I. -I/usr/local/include -fstack-protector -fPIC -D_FORTIFY_SOURCE=2 -O1 -c -o accesses/stretch_key.o accesses/stretch_key.c
accesses/stretch_key.c: In function ‘stretch_key’:
accesses/stretch_key.c:137:3: error: conversion to ‘int’ from ‘size_t’ may change the sign of the result [-Werror=sign-conversion]
cc1: all warnings being treated as errors
make: *** [accesses/stretch_key.o] Error 1

[root@mayuresh src]# make install
cc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.4.1\" -D_FILE_OFFSET_BITS=64 -DAUTHOR="\"Romain Coltel\"" -D__OS=\"Linux\" -D__ARCH=\"i686\" -D__ARCH_I686 -D__LINUX -I. -I/usr/local/include -fstack-protector -fPIC -D_FORTIFY_SOURCE=2 -O1 -c -o accesses/stretch_key.o accesses/stretch_key.c
accesses/stretch_key.c: In function ‘stretch_key’:
accesses/stretch_key.c:137:3: error: conversion to ‘int’ from ‘size_t’ may change the sign of the result [-Werror=sign-conversion]
cc1: all warnings being treated as errors
make: *** [accesses/stretch_key.o] Error 1

[root@mayuresh src]# date
Mon Jul 6 22:58:32 IST 2015
[root@mayuresh src]# pwd

/home/mayur/Downloads/dislocker/src
[root@mayuresh src]#

Can anyone help me?

emre said...

Is it supposed to be read only? I can't write.

gigasea said...

@e m r e

Yes, it's supposed to be read only.

Thanks for the tutorial. It helped me to migrate all my BitLocker data to Linux, and saved me from installing a VM :D

aloudw said...

Hello, Sir..
Thank you for the tutorial. I can now open my BitLocker drive.
I am using Ubuntu 15.04, and when I encountered errors while installing, I just installed libpolarssl-dev and libfuse-dev and everything works just fine.

But about mounting the drive: would you explain what "loop" is in the mount options? I've tried using and not using this option and both work. Does it matter while mounting an encrypted device?
Thanks again..

Anonymous said...

Please can you explain your steps, as I keep getting issues with Ubuntu 15

Unknown said...

Hey, I am having issues trying to run the make file command. I get this error: permission denied

Anonymous said...

Hi,

I've done the decryption using:
sudo dislocker -r -V /dev/sdb2 -pxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -- /media/bitlocker

But, I never got the dislocker-file in /media/bitlocker

Please help with this it is critical!!


Tad Ball said...

Kayot

I'm trying to mount a GPT partition. I use the following command;

dislocker -v -V /dev/sdb1 -u -- /media/bit/

I get the error;

[ERROR] The sector size found is null.
[CRITICAL] Cannot parse volume header. Abort.

Does dislocker not work with GPT disks?

Andrei1 said...

Hi, I'm new to Linux, but when I try to enter "dislocker/src/Makefile" I get an error: "No such file or directory"
What should I do?

Andrei1 said...

Hi, I'm new to Linux, but when I try to enter "dislocker/src/Makefile" I get an error: "No such file or directory"
What should I do?
Thanks in advance!

Anonymous said...

Is it possible to shrink the drive using gParted or so? Just to free up space for another (unencrypted) partition.

Anonymous said...

Hi: Thanks for the article. Does it have to be read-only at both the dislocker and mount commands? Thanks in advance. SRoy