Skip to content

BitUnlocker Cheatsheet

BitUnlocker Cheatsheet

Overview

BitUnlocker is a tool that can be used to extract BitLocker secrets from the Windows Recovery Environment (WinRE). It was presented at DefCon 33 and is designed to help forensic investigators and incident responders gain access to BitLocker-encrypted volumes.

Key Features

  • BitLocker Secret Extraction: Can be used to extract BitLocker secrets, such as the recovery key and the startup key, from the Windows Recovery Environment.
  • Offline Analysis: Can be used to perform offline analysis of BitLocker-encrypted volumes.
  • Support for Multiple Windows Versions: Supports multiple versions of Windows, including Windows 10 and Windows 11.

Getting Started

  1. Boot into WinRE: Boot the target system into the Windows Recovery Environment.
  2. Launch a command prompt: Launch a command prompt from the WinRE menu.
  3. Run BitUnlocker: Run the BitUnlocker tool from the command prompt.
  4. Extract BitLocker secrets: Use the tool to extract the BitLocker secrets from the target volume.
  5. Use the secrets to unlock the volume: Use the extracted secrets to unlock the BitLocker-encrypted volume.

Common Commands

  • bitunlocker.exe /extract /volume <volume>: Extract the BitLocker secrets from a target volume.
  • bitunlocker.exe /unlock /volume <volume> /recoverykey <recovery_key>: Unlock a BitLocker-encrypted volume using the recovery key.
  • bitunlocker.exe /unlock /volume <volume> /startupkey <startup_key>: Unlock a BitLocker-encrypted volume using the startup key.

Example Use Case

Scenario: A forensic investigator needs to gain access to a BitLocker-encrypted volume on a suspect’s computer.

  1. Boot into WinRE: The investigator boots the suspect’s computer into the Windows Recovery Environment.
  2. Run BitUnlocker: The investigator runs the BitUnlocker tool from a command prompt.
  3. Extract BitLocker Secrets: The investigator uses the tool to extract the BitLocker recovery key from the target volume.
  4. Unlock the Volume: The investigator uses the extracted recovery key to unlock the BitLocker-encrypted volume and gain access to the data.

Additional Resources