dislocker
Dislocker reads and writes BitLocker encrypted volumes under Linux. It creates a virtual NTFS file that can be mounted to access and modify the encrypted partition.
Description
Dislocker is designed to read BitLocker encrypted partitions under a Linux system. The driver can read volumes encrypted by Windows versions from Vista to 10, as well as BitLocker-To-Go encrypted partitions, that is, USB/FAT32 partitions. The software consists of a driver built as a library, with multiple binaries using this library.
Decrypting the partition requires giving dislocker a mount point where, once the keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so it can be mounted like any NTFS partition and then read from or written to. Writing to the virtual NTFS file changes the content of the underlying BitLocker partition. Ruby is required to use dislocker-find.
This tool is useful in cryptography management and forensic investigations. It supports Linux, OSX and FreeBSD.
How It Works
Dislocker uses a library and multiple binaries to decrypt BitLocker volumes. It creates a virtual NTFS file at the specified mount point after decryption using methods like recovery password, BEK file, user password, FVEK, VMK, or clear key. This file represents the decrypted partition and can be mounted with FUSE, allowing read/write access that modifies the original encrypted content. Metadata blocks and offsets are handled for compatibility with various BitLocker implementations.
Installation
sudo apt install dislocker
Flags
Examples
dislocker -h
dislocker-bek -h
dislocker-file -h
dislocker-find -h
dislocker-fuse -h
dislocker-metadata -h
dislocker-find
dislocker-metadata -V /dev/sda1
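The workflow from the Description (decrypt to a mount point, then mount dislocker-file as NTFS), written for forensic use where the evidence must not change. This is an added example, not dislocker's own code. The function names, the DRY_RUN switch and the directory arguments are assumptions of this example, and the "-FVE-FS-" boot-sector check covers standard BitLocker volumes only.

```shell
#!/bin/sh
# Constructed example: function names, DRY_RUN and paths are assumptions.

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_bitlocker VOLUME: true when the 8-byte OEM ID at offset 3 of the boot
# sector is "-FVE-FS-", the marker of a standard BitLocker volume.
is_bitlocker() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null)
    [ "$sig" = "-FVE-FS-" ]
}

# unlock_readonly VOLUME FUSE_DIR NTFS_DIR KEY_OPTION...
# KEY_OPTION is a dislocker decryption option: -u, -p<recovery> or -f FILE.
unlock_readonly() {
    [ "$#" -ge 4 ] || { echo "usage: unlock_readonly VOLUME FUSE_DIR NTFS_DIR KEY_OPTION..." >&2; return 2; }
    vol=$1 fuse_dir=$2 ntfs_dir=$3
    shift 3
    is_bitlocker "$vol" || { echo "$vol: no BitLocker signature" >&2; return 1; }
    # -r stops dislocker from writing to the encrypted volume.
    run dislocker -r -V "$vol" "$@" -- "$fuse_dir" || return 1
    # dislocker-file is the virtual NTFS partition; mount it read-only as well.
    run mount -o ro,loop "$fuse_dir/dislocker-file" "$ntfs_dir"
}

# release FUSE_DIR NTFS_DIR: unmount the NTFS view first, then dislocker.
release() {
    run umount "$2"
    run umount "$1"
}
```

Run with DRY_RUN=1 first to review the exact commands; the real calls need root and an installed dislocker.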