I am trying to mount a BitLocker partition after having mounted the disk image with ewfmount. When I enter the known recovery key to either bdeinfo or bdemount with -r <recovery-key>, I am prompted to enter the volume Password (which is not known).
I am using current versions of ewftools and bdetools built from source:
ewfmount 20230101
bdemount 20221231
Here is some of the image metadata:
Files & Mounts
$ tree
.
├── evidence
│   └── item001
│       ├── 001_laptop-ssd.E01
│       ├── 001_laptop-ssd.E01.txt
│       ├── 001_laptop-ssd.E02
[ ... snip fragments ... ]
│       └── 001_laptop-ssd.E31
└── mnt
    ├── bde
    └── ewf
        └── ewf1
Partition Layout
$ mmls mnt/ewf/ewf1
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0496651710   0496649663   楗摮睯s
005:  -------   0496651711   0496652287   0000000577   Unallocated
006:  001       0496652288   0498251775   0001599488
007:  -------   0498251776   0498253607   0000001832   Unallocated
008:  002       0498253608   0500115240   0001861633
009:  -------   0500115241   0500118191   0000002951   Unallocated
* curious, those Chinese characters... not sure I've ever seen that before from Sleuthkit
BitLocker Volume Info
$ bdeinfo -o $(( 512 * 2048 )) mnt/ewf/ewf1
bdeinfo 20221231
Volume is locked and a password is needed to unlock it.
Password:
Unable to unlock volume.
BitLocker Drive Encryption information:
    Volume identifier        : [snip]
    Encryption method        : AES-XTS 256-bit
    Creation time            : Apr 22, 2022 15:01:15.359152000 UTC
    Description              : [snip]
    Number of key protectors : 2
    Is locked

Key protector 0:
    Identifier               : [snip]
    Type                     : Recovery password

Key protector 1:
    Identifier               : [snip]
    Type                     : Password
I don't recall ever trying to use bdemount on a volume that has both of these protectors enabled.
Am I missing something? Some compile option needed that I'm missing?
Thanks,
-Tommy