
Unlocking via Recovery Key

Open eddiek2000 opened this issue 7 years ago • 3 comments

I cannot seem to unlock bitlockered encrypted drives via the Recovery Key. I have a bitlockered OS drive that I want to be able to use the recovery key to mount in order to perform SAM password resets.

I have tried Debian Stretch and Jessie. I have tried compiling from source and using the available dislocker binary in Stretch.

I have verified the recovery key is correct numerous times. I always receive the "MACs don't match" error.

As a test, I bitlockered a USB drive. I receive the same error when using the recovery key, but I am able to decrypt with the password option.

Any insight?

btw, Windows 10 is the win version.

eddiek2000 avatar Apr 05 '17 19:04 eddiek2000

dislocker-metadata -V /dev/sde1


################################################
dislocker -vvv -V /dev/sde1 -p692747-324874-707025-490644-565268-097185-159940-214665 -- /mnt/dislocker
Thu Apr 6 12:20:00 2017 [INFO] dislocker by Romain Coltel, v0.7.1 (compiled for Linux/x86_64)
Thu Apr 6 12:20:00 2017 [INFO] Compiled version: master:747cbd6
Thu Apr 6 12:20:00 2017 [INFO] Volume GUID (INFORMATION OFFSET) supported
Thu Apr 6 12:20:00 2017 [INFO] BitLocker metadata found and parsed.
Thu Apr 6 12:20:00 2017 [INFO] Stretching the recovery password, it could take some time...
Thu Apr 6 12:20:01 2017 [INFO] Stretching of the recovery password is now ok!
Thu Apr 6 12:20:01 2017 [ERROR] The MACs don't match.
Thu Apr 6 12:20:01 2017 [INFO] VMK found (but not good it seems):
Thu Apr 6 12:20:01 2017 [INFO] 0x00000000 13 8e 17 bd ab 7d ab 2f-34 7c 57 e5 a8 71 67 e0
Thu Apr 6 12:20:01 2017 [INFO] 0x00000010 43 95 89 99 8b 74 0c ad-09 05 ac c5 3f 55 96 dd
Thu Apr 6 12:20:01 2017 [INFO] 0x00000020 cb da 9d 27 26 58 e0 5e-85 6e 16 bc
Thu Apr 6 12:20:01 2017 [ERROR] Can't decrypt correctly the VMK. Abort.
Thu Apr 6 12:20:01 2017 [CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
Thu Apr 6 12:20:01 2017 [CRITICAL] Unable to grab VMK or FVEK. Abort.

##################################################
dislocker -vvv -V /dev/sde1 -upassword -- /mnt/dislocker
Thu Apr 6 12:17:29 2017 [INFO] dislocker by Romain Coltel, v0.7.1 (compiled for Linux/x86_64)
Thu Apr 6 12:17:29 2017 [INFO] Compiled version: master:747cbd6
Thu Apr 6 12:17:29 2017 [INFO] Volume GUID (INFORMATION OFFSET) supported
Thu Apr 6 12:17:29 2017 [INFO] BitLocker metadata found and parsed.
Thu Apr 6 12:17:29 2017 [INFO] Stretching the user password, it could take some time...
Thu Apr 6 12:17:30 2017 [INFO] Stretching of the user password is now ok!
Thu Apr 6 12:17:30 2017 [INFO] Used user password decryption method
Thu Apr 6 12:17:30 2017 [INFO] Found volume's size: 0x3a8fffc00 (15720250368) bytes
Thu Apr 6 12:17:30 2017 [INFO] Running FUSE with these arguments:
Thu Apr 6 12:17:30 2017 [INFO] --> 'dislocker'
Thu Apr 6 12:17:30 2017 [INFO] --> '/mnt/dislocker'
fuse: bad mount point `/mnt/dislocker': No such file or directory
###################################################
BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

Identifier:

    F3CCE2EE-09EB-4C7E-9EB2-F95F11D7EB11

If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.

Recovery Key:

    692747-324874-707025-490644-565268-097185-159940-214665

If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive. Try another recovery key, or refer to http://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.
#######################################

Above is using the bitlocker USB test drive.

eddiek2000 avatar Apr 06 '17 16:04 eddiek2000
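An added example (not part of the original issue and not dislocker's code): a Python sketch of the two checks the recovery key file in the comment above asks for, namely that the file's identifier belongs to a protector on the volume and that the 48-digit recovery password is well formed. It assumes the key file may be UTF-16 with a BOM, that each 6-digit block is a multiple of 11 whose quotient fits in 16 bits (stored here as little-endian words), and that `dislocker-metadata` prints one `Recovery Key GUID:` line per protector; all function names and both samples are constructed for illustration.

```python
import re

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
PASSWORD = r"\d{6}(?:-\d{6}){7}"

# Constructed sample: a key file in the layout quoted above, encoded as UTF-16
# with a BOM (assumption: this is how Windows usually saves the file).
SAMPLE_KEY_FILE = (
    "BitLocker Drive Encryption recovery key\r\n\r\n"
    "Identifier:\r\n\r\n    F3CCE2EE-09EB-4C7E-9EB2-F95F11D7EB11\r\n\r\n"
    "Recovery Key:\r\n\r\n"
    "    692747-324874-707025-490644-565268-097185-159940-214665\r\n"
).encode("utf-16")

# Constructed sample: two protector lines in dislocker-metadata's log format.
# The second GUID is a placeholder.
SAMPLE_METADATA = (
    "Thu Apr 6 12:14:30 2017 [INFO] Recovery Key GUID: "
    "'F3CCE2EE-09EB-4C7E-9EB2-F95F11D7EB11'\n"
    "Thu Apr 6 12:14:30 2017 [INFO] Recovery Key GUID: "
    "'11111111-2222-3333-4444-555555555555'\n"
)


def decode_key_file(raw: bytes) -> str:
    """Decode the key file, accepting UTF-16 (with BOM) or UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig").replace("\x00", "")


def parse_key_file(text: str):
    """Return (identifier, recovery_password) found in the file text."""
    ident = re.search(r"Identifier:\s*(" + GUID + ")", text)
    password = re.search(r"Recovery Key:\s*(" + PASSWORD + ")", text)
    if not ident or not password:
        raise ValueError("identifier or recovery key not found")
    return ident.group(1).upper(), password.group(1)


def password_to_key(password: str) -> bytes:
    """Validate the 8 blocks and return the 16 bytes they encode."""
    if not re.fullmatch(PASSWORD, password):
        raise ValueError("expected 8 blocks of 6 digits")
    out = bytearray()
    for index, block in enumerate(password.split("-"), start=1):
        value, remainder = divmod(int(block), 11)
        if remainder != 0:
            raise ValueError(f"block {index} ({block}) is not a multiple of 11")
        if value > 0xFFFF:
            raise ValueError(f"block {index} ({block}) does not fit in 16 bits")
        out += value.to_bytes(2, "little")
    return bytes(out)


def protector_guids(metadata_log: str):
    """Collect the 'Recovery Key GUID' values from dislocker-metadata output."""
    found = re.findall(r"Recovery Key GUID: '(" + GUID + ")'", metadata_log)
    return [guid.upper() for guid in found]


def check(raw_key_file: bytes, metadata_log: str) -> dict:
    """Run both checks and report the result."""
    identifier, password = parse_key_file(decode_key_file(raw_key_file))
    key = password_to_key(password)  # raises ValueError on a malformed block
    return {
        "identifier": identifier,
        "key_hex": key.hex(),
        "protector_on_volume": identifier in protector_guids(metadata_log),
    }


if __name__ == "__main__":
    print(check(SAMPLE_KEY_FILE, SAMPLE_METADATA))
```

When both checks pass, a mistyped block or a key file from a different volume becomes an unlikely explanation for a failed unlock.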

fuse: bad mount point `/mnt/dislocker': No such file or directory

Maybe you need to mkdir /mnt/dislocker first?

thinrope avatar Sep 21 '17 07:09 thinrope

I have the same issue. Any idea?

Enter the recovery password: XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
Valid password format, continuing.
Sun Feb 23 15:41:51 2020 [ERROR] The MACs don't match.
Sun Feb 23 15:41:51 2020 [ERROR] Can't decrypt correctly the VMK. Abort.
Sun Feb 23 15:41:51 2020 [CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
Sun Feb 23 15:41:51 2020 [CRITICAL] Unable to grab VMK or FVEK. Abort.

davispuh avatar Feb 23 '20 15:02 davispuh