Driver Installation
The software that makes this possible is called Dislocker, an open-source driver project maintained on GitHub by Aorimn. To obtain the source code:
git clone https://github.com/Aorimn/dislocker.git
Before you can build the driver it is necessary to install some dependencies, including the fuse and polarssl headers:
sudo apt-get install gcc cmake make libfuse-dev libpolarssl-dev ruby-dev
Assuming that these are installed correctly you can then build the project and install the driver as follows:
cd dislocker
cmake .
make
sudo make install
According to Aorimn, the current version of the Dislocker driver supports all versions of BitLocker associated with Windows 7, 8 and 8.1.
Mounting a Volume for Standard Use
Much like mounting an E01 image under SIFT, mounting a BitLocker-protected volume is a two-stage process, so you will need two directories to exist under /mnt. I have used /mnt/bitlocker and /mnt/usb.
For normal everyday use I use the FUSE driver together with the normal user password:
sudo dislocker-fuse -V /dev/sdb1 -uPassword99 -- /mnt/bitlocker
This creates a new virtual block device at /mnt/bitlocker/dislocker-file; reads and writes to it are decrypted and encrypted on the fly by the FUSE driver.
If the user password is unknown it is possible to use the recovery password with the -p option or a BEK file with the -f option.
Once this has been done you can then mount the new block device with the standard mount command:
sudo mount /mnt/bitlocker/dislocker-file /mnt/usb -o loop
Once mounted the volume can be accessed via the /mnt/usb directory and can be read from and written to normally.
Forensic Use
For forensic access to the full volume, use the same commands as above but specify the read-only option when mounting:
sudo dislocker-fuse -V /dev/sdb1 -uPassword99 -- /mnt/bitlocker
sudo mount /mnt/bitlocker/dislocker-file /mnt/usb -o loop,ro
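The two-stage read-only procedure above, wrapped in a script as an added example (not code from the original post or from the Dislocker project). It assumes the script is run as root, that the recovery password is typed at the prompt (-p with no value), and that dislocker-fuse's -r flag is available to make the FUSE layer itself read-only.

```shell
#!/bin/sh
# Added example, not part of the original post or the Dislocker project.
# Run as root so the device header and dislocker-fuse are accessible.
set -eu

# A BitLocker volume carries the OEM signature "-FVE-FS-" at byte offset 3
# of its header; refuse to proceed if it is missing.
is_bitlocker_volume() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null | tr -d '\000')
    [ "$sig" = "-FVE-FS-" ]
}

# Full workflow: check the signature, mount in two stages, then hash the
# decrypted block device so a later image can be verified against it.
mount_forensic() {
    dev=$1; fuse_mnt=${2:-/mnt/bitlocker}; vol_mnt=${3:-/mnt/usb}
    if ! is_bitlocker_volume "$dev"; then
        echo "$dev does not carry the BitLocker signature" >&2
        return 1
    fi
    mkdir -p "$fuse_mnt" "$vol_mnt"
    # Stage 1: the loop mount's "ro" below only protects stage 2; -r makes
    # the FUSE layer itself read-only, so nothing is written back to the
    # evidence device even if "ro" is forgotten later. -p with no value
    # prompts for the recovery password instead of leaving it in history.
    dislocker-fuse -r -V "$dev" -p -- "$fuse_mnt"
    # Stage 2: loop-mount the decrypted NTFS file system read-only.
    mount -o loop,ro,noexec "$fuse_mnt/dislocker-file" "$vol_mnt"
    sha256sum "$fuse_mnt/dislocker-file"
}

[ $# -eq 0 ] || mount_forensic "$@"
```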
For imaging purposes it may be preferable to use the flat-file tool, dislocker-file. This takes the same command-line arguments but performs all the decryption in one go, writing the decrypted volume (internally formatted with NTFS) to the file given as the final argument. The command for this would be:
sudo dislocker-file -V /dev/sdb1 -uPassword99 -- /mnt/bitlocker/dislocker-file
The resulting /mnt/bitlocker/dislocker-file can then be mounted or imaged with the tool of your choice.
I’d like to thank Aorimn for making this driver available to the community.