Packages and Binaries:

dislocker

Dislocker is designed to read BitLocker-encrypted partitions under Linux. The driver can read volumes encrypted by Windows versions from Vista to 10, as well as BitLocker-To-Go encrypted partitions, that is, USB/FAT32 partitions.

The software is a driver composed of a library and multiple binaries that use this library. To decrypt a partition, you give it a mount point where, once the keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so you can mount it like any NTFS partition and then read from or write to it. Writing to the virtual NTFS file changes the content of the underlying BitLocker partition. Ruby is required to use dislocker-find.

This tool is useful for cryptography management and forensic investigations.

Installed size: 94 KB
How to install: sudo apt install dislocker

Dependencies:
  • libc6
  • libdislocker0.7
  • libfuse2
  • libruby3.1

dislocker

Read/write BitLocker encrypted volumes under Linux, OSX and FreeBSD.

root@kali:~# dislocker -h
dislocker by Romain Coltel, v0.7.2 (compiled for Linux/x86_64)

Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
    with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-K VMK_FILE|-c

Options:
    -c, --clearkey        decrypt volume using a clear key (default)
    -f, --bekfile BEKFILE
                          decrypt volume using the bek file (on USB key)
    -F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
    -h, --help            print this help and exit
    -k, --fvek FVEK_FILE  decrypt volume using the FVEK directly
    -K, --vmk VMK_FILE    decrypt volume using the VMK directly
    -l, --logfile LOG_FILE
                          put messages into this file (stdout by default)
    -O, --offset OFFSET   BitLocker partition offset, in bytes (default is 0)
    -p, --recovery-password=[RECOVERY_PASSWORD]
                          decrypt volume using the recovery password method
    -q, --quiet           do NOT display anything
    -r, --readonly        do not allow one to write on the BitLocker volume
    -s, --stateok         do not check the volume's state, assume it's ok to mount it
    -u, --user-password=[USER_PASSWORD]
                          decrypt volume using the user password method
    -v, --verbosity       increase verbosity (CRITICAL errors are displayed by default)
    -V, --volume VOLUME   volume to get metadata and keys from

    --                    end of program options, beginning of FUSE's ones

  ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.
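
A read-only workflow for the mount procedure described above, as an added example that is not part of the dislocker package or the original page. The paths, the helper function names and the `DRY_RUN` switch are assumptions; `-p` is given without a value so that dislocker prompts for the recovery password instead of taking it from the command line.

```shell
#!/bin/sh
# Added example: read-only access to a BitLocker volume for evidence handling.
# All paths are placeholders; DRY_RUN=1 prints the commands instead of running them.
set -eu

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sector_offset START_SECTOR [SECTOR_SIZE]: byte offset for -O when VOLUME is a
# whole-disk image and the BitLocker partition starts at START_SECTOR.
sector_offset() {
    echo $(( $1 * ${2:-512} ))
}

# unlock_ro VOLUME OFFSET_BYTES FUSE_DIR NTFS_DIR
unlock_ro() {
    volume=$1; offset=$2; fuse_dir=$3; ntfs_dir=$4
    run mkdir -p "$fuse_dir" "$ntfs_dir"
    # -r refuses writes, so the underlying BitLocker partition cannot change.
    # -p without a value prompts for the recovery password interactively.
    run dislocker -r -V "$volume" -O "$offset" -p -- "$fuse_dir"
    # dislocker-file is the virtual NTFS partition; mount it read-only as well.
    run mount -o ro,loop "$fuse_dir/dislocker-file" "$ntfs_dir"
}

# release FUSE_DIR NTFS_DIR: unmount in reverse order (NTFS first, then FUSE).
release() {
    run umount "$2"
    run umount "$1"
}

# Stand-alone use: ./script VOLUME START_SECTOR FUSE_DIR NTFS_DIR
if [ "$#" -eq 4 ]; then
    unlock_ro "$1" "$(sector_offset "$2")" "$3" "$4"
fi
```

Hashing the image before `unlock_ro` and after `release` (for example with `sha256sum`) confirms that nothing was written to it.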


dislocker-bek

Reads .BEK files and prints information about them

root@kali:~# dislocker-bek -h
Usage: dislocker-bek [-h] [-f file.bek]
  Reads .BEK files and prints information about them

dislocker-file

Read BitLocker encrypted volumes under Linux, OSX and FreeBSD.

root@kali:~# dislocker-file -h
dislocker by Romain Coltel, v0.7.2 (compiled for Linux/x86_64)

Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
    with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-K VMK_FILE|-c

Options:
    -c, --clearkey        decrypt volume using a clear key (default)
    -f, --bekfile BEKFILE
                          decrypt volume using the bek file (on USB key)
    -F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
    -h, --help            print this help and exit
    -k, --fvek FVEK_FILE  decrypt volume using the FVEK directly
    -K, --vmk VMK_FILE    decrypt volume using the VMK directly
    -l, --logfile LOG_FILE
                          put messages into this file (stdout by default)
    -O, --offset OFFSET   BitLocker partition offset, in bytes (default is 0)
    -p, --recovery-password=[RECOVERY_PASSWORD]
                          decrypt volume using the recovery password method
    -q, --quiet           do NOT display anything
    -r, --readonly        do not allow one to write on the BitLocker volume
    -s, --stateok         do not check the volume's state, assume it's ok to mount it
    -u, --user-password=[USER_PASSWORD]
                          decrypt volume using the user password method
    -v, --verbosity       increase verbosity (CRITICAL errors are displayed by default)
    -V, --volume VOLUME   volume to get metadata and keys from

    --                    end of program options, beginning of FUSE's ones

  ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.


dislocker-find

Find BitLocker-encrypted volumes.

root@kali:~# dislocker-find -h
Usage: /usr/bin/dislocker-find [-h] [files...]
  Try to find partitions which are BitLocker-encrypted. Each found is
   printed on stdout.
  If one or more file is passed as argument, /usr/bin/dislocker-find will print each
   file which is a BitLocker-encrypted volume.
  The number of partition found is returned (in $? in sh).

dislocker-fuse

Read/write BitLocker encrypted volumes under Linux, OSX and FreeBSD.

root@kali:~# dislocker-fuse -h
dislocker by Romain Coltel, v0.7.2 (compiled for Linux/x86_64)

Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
    with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-K VMK_FILE|-c

Options:
    -c, --clearkey        decrypt volume using a clear key (default)
    -f, --bekfile BEKFILE
                          decrypt volume using the bek file (on USB key)
    -F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
    -h, --help            print this help and exit
    -k, --fvek FVEK_FILE  decrypt volume using the FVEK directly
    -K, --vmk VMK_FILE    decrypt volume using the VMK directly
    -l, --logfile LOG_FILE
                          put messages into this file (stdout by default)
    -O, --offset OFFSET   BitLocker partition offset, in bytes (default is 0)
    -p, --recovery-password=[RECOVERY_PASSWORD]
                          decrypt volume using the recovery password method
    -q, --quiet           do NOT display anything
    -r, --readonly        do not allow one to write on the BitLocker volume
    -s, --stateok         do not check the volume's state, assume it's ok to mount it
    -u, --user-password=[USER_PASSWORD]
                          decrypt volume using the user password method
    -v, --verbosity       increase verbosity (CRITICAL errors are displayed by default)
    -V, --volume VOLUME   volume to get metadata and keys from

    --                    end of program options, beginning of FUSE's ones

  ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.


dislocker-metadata

Prints information about a BitLocker-encrypted volume.

root@kali:~# dislocker-metadata -h
Usage: dislocker [-hov] [-V VOLUME]

    -h         print this help and exit
    -o         partition offset
    -v         increase verbosity to debug level
    -V VOLUME  volume to get metadata from

libdislocker0-dev

Dislocker is designed to read BitLocker-encrypted partitions under Linux. The driver can read volumes encrypted by Windows versions from Vista to 10, as well as BitLocker-To-Go encrypted partitions, that is, USB/FAT32 partitions.

The software is a driver composed of a library and multiple binaries that use this library. To decrypt a partition, you give it a mount point where, once the keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so you can mount it like any NTFS partition and then read from or write to it. Writing to the virtual NTFS file changes the content of the underlying BitLocker partition.

This package provides the development files.

Installed size: 136 KB
How to install: sudo apt install libdislocker0-dev

Dependencies:
  • libdislocker0.7

libdislocker0.7

Dislocker is designed to read BitLocker-encrypted partitions under Linux. The driver can read volumes encrypted by Windows versions from Vista to 10, as well as BitLocker-To-Go encrypted partitions, that is, USB/FAT32 partitions.

The software is a driver composed of a library and multiple binaries that use this library. To decrypt a partition, you give it a mount point where, once the keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so you can mount it like any NTFS partition and then read from or write to it. Writing to the virtual NTFS file changes the content of the underlying BitLocker partition.

This package provides the runtime library.

Installed size: 139 KB
How to install: sudo apt install libdislocker0.7

Dependencies:
  • libc6
  • libmbedcrypto7
  • libruby3.1

Updated on: 2023-May-16