log2timeline / plaso

Super timeline all the things

Home Page: https://plaso.readthedocs.io

Failed to parse bitlocker encrypted image, but success with same image mounted with bdemount

certxlm opened this issue

Describe the problem:

When running on a bitlocker encrypted raw image (dd) and providing credentials, plaso fails to parse artifacts despite the image being correctly decrypted (at least, partially, see attached pinfo files where we can see MFT entries for target files).

However, using bdemount to mount the same image with the recovery key and running plaso again returns expected results.

To Reproduce:

The version of Plaso you used:

20240308

The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze):

Ubuntu 22.04

Steps to reproduce the behavior including command line and arguments and output:

First we ran log2timeline with the prefetch parser (and an adequate filter) on the raw image with the credential parameter:
log2timeline.py --credential recovery_password:XXXXXX-...-XXXXXX --parsers prefetch ...
This produced an empty result (see the attached pinfo.prefetch.rawimage.txt below). However, the files are listed, which probably means the decryption is successful.

Then we mounted the device with bdemount and ran plaso again, which produced the expected results (see the attached pinfo.prefetch.bdemount.txt below).

The same behaviour is observed when running other parsers, such as the amcache parser (again, see the attached files below).

We hope the attached debug output is enough; if we can share more information we'll try, but since the image is part of an ongoing investigation, we are not allowed to share it.

The method you used to install Plaso:

We used two versions, with the same results:

  • installed from [GiFT PPA](https://launchpad.net/~gift) stable track
  • installed from docker

Expected behavior:

We expect plaso to successfully parse encrypted data when provided with the correct recovery key.

Debug output/tracebacks:

output.plaso.prefetch.log.gz
pinfo.prefetch.bdemount.txt
pinfo.prefetch.rawimage.txt

output.plaso.winreg_amcache.log.gz
pinfo.amcache.bdemount.txt
pinfo.amcache.rawimage.txt

Additional context

This is the output of fdisk and hexdump of the start of the partition:
fdisk.txt

This is the output of bdeinfo:
bdeinfo.txt

Note:
The same disk image decrypted with dislocker-file and run through plaso also produces correct results.
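A quick pre-check for the situation described in this report (raw image, partition table from fdisk, hexdump of the start of the partition): the script below, added here as an example and not part of plaso, libbde or this issue, walks the MBR partition table of a raw image and flags partitions whose first sector carries the BitLocker "-FVE-FS-" signature, giving the byte offset to compare against what fdisk reports before handing credentials to a tool. It assumes an MBR-partitioned image with 512-byte sectors and builds its own constructed sample image in memory.

```python
import struct

SECTOR_SIZE = 512
BDE_SIGNATURE = b"-FVE-FS-"  # BitLocker volume header signature, at byte offset 3 of the volume


def parse_mbr_partitions(mbr: bytes):
    """Return (start_byte_offset, size_bytes, type_id) for each used MBR partition entry."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        type_id = entry[4]
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        if type_id != 0 and sector_count != 0:
            partitions.append((lba_start * SECTOR_SIZE, sector_count * SECTOR_SIZE, type_id))
    return partitions


def is_bitlocker_volume(first_sector: bytes) -> bool:
    """A BitLocker (BDE) volume carries '-FVE-FS-' right after the 3-byte jump instruction."""
    return first_sector[3:11] == BDE_SIGNATURE


def find_bitlocker_partitions(image: bytes):
    """Byte offsets of MBR partitions whose first sector looks like a BitLocker volume."""
    hits = []
    for offset, _size, _type_id in parse_mbr_partitions(image[:SECTOR_SIZE]):
        first_sector = image[offset:offset + SECTOR_SIZE]
        if len(first_sector) == SECTOR_SIZE and is_bitlocker_volume(first_sector):
            hits.append(offset)
    return hits


def build_sample_image() -> bytes:
    """Constructed sample (not a real disk image): MBR with one NTFS-typed (0x07) partition
    starting at LBA 2048, 16 sectors long, whose first sector carries the BDE signature."""
    lba_start, sector_count = 2048, 16
    image = bytearray((lba_start + sector_count) * SECTOR_SIZE)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", lba_start, sector_count)
    image[446:462] = entry
    image[510:512] = b"\x55\xaa"
    volume = lba_start * SECTOR_SIZE
    image[volume:volume + 3] = b"\xeb\x58\x90"  # jump instruction, as on a real BDE volume
    image[volume + 3:volume + 11] = BDE_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    for offset in find_bitlocker_partitions(build_sample_image()):
        print(f"BitLocker volume at byte offset {offset} (sector {offset // SECTOR_SIZE})")
```

On a real image, replace build_sample_image() with the file's bytes (or read only the MBR and each partition's first sector) and compare the reported offset with the partition start shown by fdisk.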