How to open BitLocker drives and read their contents from Linux

BitLocker is a cryptographic feature offered by Windows designed to protect data stored on hard drives and SSDs, including system drives. The main objective of BitLocker is to prevent unauthorized parties from coming into possession of other people’s data, even if they are physically in possession of the victim’s device.

A tool like BitLocker is not immune to attack: bypassing BitLocker is possible with a logic analyzer and a little time dedicated to the task, and on some older systems it is even possible to read the content that travels in clear text on the bus using a Raspberry Pi Pico, so as to steal the encryption password. These types of attacks, however, are not possible if the TPM chip is used together with a pre-boot PIN.

Access the contents of BitLocker drives with Linux

If you are having problems with Windows, you may need to access the BitLocker-encrypted data from a different operating system. Linux offers a fairly simple way to access BitLocker data without necessarily having to go through the Microsoft platform.

The main tool for reading a BitLocker partition from any "penguin"-based distribution is called dislocker. However, you need to know the recovery code or the PIN used on the BitLocker-protected system: otherwise, access to the encrypted data will be impossible.

dislocker is an open source tool designed to enable access and reading of data on encrypted BitLocker partitions, using Linux systems. The application manages the data decoding either with the recovery code or key (recovery key), or with the PIN.

Once the decoding phase of the BitLocker drive has been successfully completed, dislocker allows access to the data stored in it as if they were stored in a normal partition.

How to read BitLocker encrypted drives with the dislocker utility

A utility like dislocker can obviously be used with the vast majority of Linux distributions. In the example we propose below, we used the most recent LTS version of lubuntu (distribution derived from Ubuntu) but it is possible to use practically any other GNU/Linux project.

After downloading the ISO file of lubuntu (or your favorite Linux distribution), you need to prepare a bootable USB stick containing the operating system. To do this, and to start the distribution also on UEFI systems where Secure Boot is enabled, you can use balenaEtcher, for example. It is a tool which, without too many frills, allows you to boot the main Linux distributions from external USB media.

Boot a live Linux distribution from USB media

Booting lubuntu is achieved by setting the correct boot sequence in the BIOS/UEFI (first the USB media; then all the other storage drives…).

When the Lubuntu desktop appears (select the option Try lubuntu without installing from the start menu), you must first establish a network connection, Ethernet or WiFi. To configure a WiFi, just click on the icon at the bottom right, choose the SSID of the network you want to connect to, select Preferences, Advanced Network Configuration from the main menu, click on the gear symbol and indicate – in the tab WiFi Security – the password to access the wireless network.

lubuntu, WiFi network connection configuration

From the System tools, QTerminal menu you can open a terminal window, then type the following commands to choose a European keyboard layout (here it, the Italian one):

sudo loadkeys it
sudo setxkbmap it

Install GParted and dislocker

GParted, an acronym for GNOME Partition Editor, is open source software for managing partitions on Linux systems. We recommend installing it so that you can immediately check, visually, the identifiers associated with each partition on the drives connected to the system. To proceed with the installation, just type the following in the terminal window:

sudo apt install gparted -y

You can also take this opportunity to immediately download and install the dislocker utility:

sudo apt install dislocker -y

In the example in the figure, you can see that the BitLocker encrypted partition is present on the drive indicated as /dev/sda and has identifier /dev/sda3 (the File system column clearly reads BitLocker).

Read BitLocker encrypted drives from Linux

Decrypting the BitLocker partition

The actual decoding operation begins with the creation of the mount points for dislocker using the following commands:

sudo mkdir /media/bitlocker
sudo chown lubuntu:lubuntu /media/bitlocker
sudo mkdir /media/bitlockerloop
sudo chown lubuntu:lubuntu /media/bitlockerloop

These commands create two directories, one to mount the decrypted BitLocker partition (/media/bitlocker) and the other for the loopback mount (/media/bitlockerloop). In the chown commands, the first occurrence of lubuntu is the name of the user to whom ownership of the specified folder is being assigned; the second occurrence corresponds to the group name.

The following step involves using one of the following two commands:

sudo dislocker -V /dev/sda3 -p123456-123456-123456-123456-123456-123456-123456-123456 -- /media/bitlocker

sudo dislocker -V /dev/sda3 -u123456 -- /media/bitlocker

In both commands, the -V option is used to indicate the identifier of the BitLocker drive to decrypt (in our example, as we saw previously, it is /dev/sda3). The -p and -u parameters allow you to specify the recovery code or PIN, respectively. As mentioned, one or the other command must be used, making the appropriate substitutions.

Decrypt BitLocker on Linux

The loopback mount is a mechanism that allows you to mount a file, making its contents visible to Linux as if it were a physical partition.

Mount the decoded BitLocker drive and access its contents

If everything went well, the previous commands do not print any kind of confirmation. You can then proceed with mounting the newly decrypted BitLocker drive. The command to use is the following:

sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockerloop

The instruction does nothing more than mount the contents of the dislocker file, which contains the image of the BitLocker encrypted drive, inside the folder /media/bitlockerloop.

At this point, accessing the file manager of lubuntu (or your chosen Linux distro), you will find the drive bitlockerloop containing all Windows files, which are in turn stored in the BitLocker partition.
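The steps above, gathered into a pre-flight check, as an added example that is not part of the original article: it confirms the partition carries the BitLocker header signature, checks that the recovery code is well formed, then unlocks and mounts read-only. It goes slightly beyond the article by using dislocker's -r option and the ro mount option; the function names are illustrative, while the device and mount points follow the article's example.

```sh
#!/bin/sh
# Added example (not from the original article): checks to run before dislocker.

# True if the volume header has the BitLocker OEM ID "-FVE-FS-" at byte offset 3.
is_bitlocker_volume() {
    _sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null | tr -d '\000')
    [ "$_sig" = "-FVE-FS-" ]
}

# True if $1 is a well-formed recovery code: 8 groups of 6 digits, each group
# divisible by 11 with a quotient that fits in 16 bits. Catches typing errors
# (for example a wrong keyboard layout) before dislocker is ever started.
valid_recovery_password() (
    case $1 in *[!0-9-]* | *-) exit 1 ;; esac
    IFS=-
    set -f
    set -- $1
    [ $# -eq 8 ] || exit 1
    for g in "$@"; do
        [ ${#g} -eq 6 ] || exit 1
        n=${g#"${g%%[!0]*}"}   # strip leading zeros so the shell does not parse octal
        n=${n:-0}
        [ $((n % 11)) -eq 0 ] && [ $((n / 11)) -lt 65536 ] || exit 1
    done
)

# Unlock and mount read-only so the Windows volume is never modified.
# Run as root: unlock_readonly /dev/sda3 <recovery code>
# Mount points are the ones created earlier in the article.
unlock_readonly() {
    is_bitlocker_volume "$1" || { echo "$1: no BitLocker signature" >&2; return 1; }
    valid_recovery_password "$2" || { echo "malformed recovery code" >&2; return 1; }
    dislocker -r -V "$1" -p"$2" -- /media/bitlocker &&
        mount -o ro,loop /media/bitlocker/dislocker-file /media/bitlockerloop
}
```

The article's placeholder 123456-123456-… fails this check, because 123456 is not a multiple of 11; a real recovery code passes.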

Access BitLocker partition contents from Linux

Opening image credit: iStock.com – BlackJack3D
