
Weird volume header doesn't contain the bitlocker signature

Open TSRBerry opened this issue 2 years ago • 0 comments

A few weeks ago I noticed my bitlocker drive didn't show up anymore and tried to figure out what happened. I've been using it for a long time with dislocker now and only recently used it a few times in a Windows VM.

Now every time I try to mount my drive I get this error:

Verbose dislocker output: 'The signature of the volume (v/sdc1 -) doesn't match the BitLocker's ones (-FVE-FS- or MSWIN4.1). Abort.'
$ sudo dislocker /dev/sdc1 /mnt/dislocker -vvvv -u

Wed Sep 14 18:57:43 2022 [DEBUG] Verbosity level to DEBUG (4) into 'stdout'
Wed Sep 14 18:57:43 2022 [INFO] dislocker by Romain Coltel, v0.7.2 (compiled for Linux/x86_64)
Wed Sep 14 18:57:43 2022 [INFO] Compiled version: master:7e4c637
Wed Sep 14 18:57:43 2022 [DEBUG] --- Config...
Wed Sep 14 18:57:43 2022 [DEBUG]    Verbosity: 4
Wed Sep 14 18:57:43 2022 [DEBUG]    Trying to decrypt '/dev/sdc1'
Wed Sep 14 18:57:43 2022 [DEBUG]        using the user's password method
Wed Sep 14 18:57:43 2022 [DEBUG]                -> '(null)'
Wed Sep 14 18:57:43 2022 [DEBUG]    Using the first valid metadata block
Wed Sep 14 18:57:43 2022 [DEBUG] ... End config ---
Wed Sep 14 18:57:43 2022 [DEBUG] Trying to open '/dev/sdc1'...
Wed Sep 14 18:57:43 2022 [DEBUG] Trying to open '/dev/sdc1'...
Wed Sep 14 18:57:43 2022 [DEBUG] Opened (fd #3).
Wed Sep 14 18:57:43 2022 [DEBUG] Opened (fd #3).
Wed Sep 14 18:57:43 2022 [DEBUG] New memory allocation at 0x55cf5e1543c0 (0x18 bytes allocated)
Wed Sep 14 18:57:43 2022 [DEBUG] New memory allocation at 0x55cf5e1543e0 (0x90 bytes allocated)
Wed Sep 14 18:57:43 2022 [DEBUG] New memory allocation at 0x55cf5e154480 (0x200 bytes allocated)
Wed Sep 14 18:57:43 2022 [DEBUG] Positioning #3 at offset 0 from 0
Wed Sep 14 18:57:43 2022 [DEBUG] Reading volume header...
Wed Sep 14 18:57:43 2022 [DEBUG] Reading 0x200 bytes from #3 into 0x55cf5e154480
Wed Sep 14 18:57:43 2022 [DEBUG] Volume header read
Wed Sep 14 18:57:43 2022 [DEBUG] =====[ Volume header informations ]=====
Wed Sep 14 18:57:43 2022 [DEBUG]   Signature: 'v/sdc1 -'
Wed Sep 14 18:57:43 2022 [DEBUG]   Sector size: 0x020a (522) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Sector per cluster: 0x08 (8) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Reserved clusters: 0x0000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Fat count: 0x00 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Root entries: 0x0000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Number of sectors (16 bits): 0x0000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Media descriptor: 0xf8 (248) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Sectors per fat: 0x0000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Hidden sectors: 0x00000800 (2048) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Number of sectors (32 bits): 0x00000000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Number of sectors (64 bits): 0x0000000000000000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   MFT start cluster: 0x0000000000060001 (393217) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Metadata Lcn: 0x0000000000000000 (0) bytes
Wed Sep 14 18:57:43 2022 [DEBUG]   Volume GUID: '4967D63B-2E29-4AD8-8399-F6A339E3D001'
Wed Sep 14 18:57:43 2022 [DEBUG]   First metadata header offset:  0x0000000009500000
Wed Sep 14 18:57:43 2022 [DEBUG]   Second metadata header offset: 0x0000004517e76000
Wed Sep 14 18:57:43 2022 [DEBUG]   Third metadata header offset:  0x000000020a60e000
Wed Sep 14 18:57:43 2022 [DEBUG]   Boot Partition Identifier: '0xaa55'
Wed Sep 14 18:57:43 2022 [DEBUG] ========================================
Wed Sep 14 18:57:43 2022 [ERROR] The signature of the volume (v/sdc1 -) doesn't match the BitLocker's ones (-FVE-FS- or MSWIN4.1). Abort.
Wed Sep 14 18:57:43 2022 [CRITICAL] Cannot parse volume header. Abort.
Wed Sep 14 18:57:43 2022 [DEBUG] Freeing pointer at address 0x55cf5e154480
Wed Sep 14 18:57:43 2022 [DEBUG] Freeing pointer at address 0x55cf5e1543c0
Wed Sep 14 18:57:43 2022 [DEBUG] Freeing pointer at address 0x55cf5e1543e0
Wed Sep 14 18:57:43 2022 [DEBUG] Freeing pointer at address 0x55cf5e1515c0
Wed Sep 14 18:57:43 2022 [DEBUG] Trying to close fd #3...

While trying to figure out what's wrong, I found other related issues (#104, #111, #178), but none of them seemed to have a signature similar to my drive's, which is a little confusing. The first thing I did was to boot the Windows VM and run chkdsk /f on the unlocked drive, which did a bunch of stuff, but didn't fix my issue. But now I knew Windows was still able to mount it, so most likely I was just doing something wrong.

Luckily the error message also tells you what signatures are valid, so I decided to just grep for them and hope for the best:

$ grep -b -a -m 1 -e "-FVE-FS-" -e "MSWIN" /dev/sdc /dev/sdc1

/dev/sdc:157286398:O-FVE-FS-^P  `E`
/dev/sdc1:156237822:O-FVE-FS-^P `E`

So at this point I had the offset for the signatures and dumped the volume header at offset 0 and 156237824 and compared them. I have never looked at partition headers or anything related to that before, so I didn't really know what to look for. But from just viewing the files in ImHex I could tell the header at the "grepped" offset should be correct, since it also contains the date the drive was encrypted, the computer name and the volume name.

Looking at the volume header at offset 0 didn't really answer any questions, so I'll upload the dump of the file and hope someone has some hints as to where this header came from: sdc1-volume-header_0.dd.zip

But now that I know the correct offset for the volume header I wanted to try using it with dislocker, which resulted in a different error:

Verbose dislocker output: 'A problem occured during the retrieving of metadata. Abort.'
$ sudo dislocker /dev/sdc1 /mnt/dislocker -vvvv --offset 156237821 -u

Wed Sep 14 19:23:54 2022 [DEBUG] Verbosity level to DEBUG (4) into 'stdout'
Wed Sep 14 19:23:54 2022 [INFO] dislocker by Romain Coltel, v0.7.2 (compiled for Linux/x86_64)
Wed Sep 14 19:23:54 2022 [INFO] Compiled version: master:7e4c637
Wed Sep 14 19:23:54 2022 [DEBUG] --- Config...
Wed Sep 14 19:23:54 2022 [DEBUG]    Verbosity: 4
Wed Sep 14 19:23:54 2022 [DEBUG]    Trying to decrypt '/dev/sdc1'
Wed Sep 14 19:23:54 2022 [DEBUG]        using the user's password method
Wed Sep 14 19:23:54 2022 [DEBUG]                -> '(null)'
Wed Sep 14 19:23:54 2022 [DEBUG]    Using the first valid metadata block
Wed Sep 14 19:23:54 2022 [DEBUG] ... End config ---
Wed Sep 14 19:23:54 2022 [DEBUG] Trying to open '/dev/sdc1'...
Wed Sep 14 19:23:54 2022 [DEBUG] Trying to open '/dev/sdc1'...
Wed Sep 14 19:23:54 2022 [DEBUG] Opened (fd #3).
Wed Sep 14 19:23:54 2022 [DEBUG] Opened (fd #3).
Wed Sep 14 19:23:54 2022 [DEBUG] New memory allocation at 0x55c3a7de93c0 (0x18 bytes allocated)
Wed Sep 14 19:23:54 2022 [DEBUG] New memory allocation at 0x55c3a7de93e0 (0x90 bytes allocated)
Wed Sep 14 19:23:54 2022 [DEBUG] New memory allocation at 0x55c3a7de9480 (0x200 bytes allocated)
Wed Sep 14 19:23:54 2022 [DEBUG] Positioning #3 at offset 156237821 from 0
Wed Sep 14 19:23:54 2022 [DEBUG] Reading volume header...
Wed Sep 14 19:23:54 2022 [DEBUG] Reading 0x200 bytes from #3 into 0x55c3a7de9480
Wed Sep 14 19:23:54 2022 [DEBUG] Volume header read
Wed Sep 14 19:23:54 2022 [DEBUG] =====[ Volume header informations ]=====
Wed Sep 14 19:23:54 2022 [DEBUG]   Signature: '-FVE-FS-'
Wed Sep 14 19:23:54 2022 [DEBUG]   Sector size: 0x005e (94) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Sector per cluster: 0x02 (2) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Reserved clusters: 0x0400 (1024) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Fat count: 0x00 (0) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Root entries: 0x0004 (4) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Number of sectors (16 bits): 0x0000 (0) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Media descriptor: 0xe0 (224) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Sectors per fat: 0xd1be (53694) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Hidden sectors: 0x10000000 (268435456) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Number of sectors (32 bits): 0x00000000 (0) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Number of sectors (64 bits): 0x4517e76000000000 (4978702312584249344) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   MFT start cluster: 0x020a60e000000000 (147036453031903232) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Metadata Lcn: 0x0c79570000000000 (898845258148741120) bytes
Wed Sep 14 19:23:54 2022 [DEBUG]   Volume GUID: '61006900-6E00-7300-0050-006C00610074'
Wed Sep 14 19:23:54 2022 [DEBUG]   First metadata header offset:  0x3000200065007400
Wed Sep 14 19:23:54 2022 [DEBUG]   Second metadata header offset: 0x350030002e003700
Wed Sep 14 19:23:54 2022 [DEBUG]   Third metadata header offset:  0x3100300032002e00
Wed Sep 14 19:23:54 2022 [DEBUG]   Boot Partition Identifier: '0x0000'
Wed Sep 14 19:23:54 2022 [DEBUG] ========================================
Wed Sep 14 19:23:54 2022 [DEBUG] MetadataLcn = 898845258148741120 | SectorsPerCluster = 2 | SectorSize = 94
Wed Sep 14 19:23:54 2022 [DEBUG] Changing first metadata offset from 0x3000200065007400 to 0x291be40000000000
Wed Sep 14 19:23:54 2022 [DEBUG] Positioning #3 at offset 2962211868733603837 from 0
Wed Sep 14 19:23:54 2022 [ERROR] Failed to seek in #3: Invalid argument
Wed Sep 14 19:23:54 2022 [DEBUG] Reading bitlocker header at 0x291be400094ffffd...
Wed Sep 14 19:23:54 2022 [DEBUG] Reading 0x70 bytes from #3 into 0x7ffd25801eb0
Wed Sep 14 19:23:54 2022 [DEBUG] New memory allocation at 0x55c3a7deb540 (0xf10f bytes allocated)
Wed Sep 14 19:23:54 2022 [DEBUG] Reading data...
Wed Sep 14 19:23:54 2022 [DEBUG] Reading 0xf09f bytes from #3 into 0x55c3a7deb5b0
Wed Sep 14 19:23:55 2022 [DEBUG] End get_metadata.
Wed Sep 14 19:23:55 2022 [DEBUG] Freeing pointer at address 0x55c3a7deb540
Wed Sep 14 19:23:55 2022 [DEBUG] Entering get_metadata_lazy_checked
Wed Sep 14 19:23:55 2022 [DEBUG] Positioning #3 at offset 2962211868733603837 from 0
Wed Sep 14 19:23:55 2022 [ERROR] Failed to seek in #3: Invalid argument
Wed Sep 14 19:23:55 2022 [DEBUG] Reading bitlocker header at 0x291be400094ffffd...
Wed Sep 14 19:23:55 2022 [DEBUG] Reading 0x70 bytes from #3 into 0x7ffd25801eb0
Wed Sep 14 19:23:55 2022 [ERROR] get_metadata::Error, metadata size is lesser than the size of the metadata header
Wed Sep 14 19:23:55 2022 [DEBUG] Positioning #3 at offset 1369182962838417124 from 0
Wed Sep 14 19:23:55 2022 [ERROR] Failed to seek in #3: Invalid argument
Wed Sep 14 19:23:55 2022 [DEBUG] Reading bitlocker header at 0x130050a684802ee4...
Wed Sep 14 19:23:55 2022 [DEBUG] Reading 0x70 bytes from #3 into 0x7ffd25801eb0
Wed Sep 14 19:23:55 2022 [ERROR] get_metadata::Error, metadata size is lesser than the size of the metadata header
Wed Sep 14 19:23:55 2022 [DEBUG] Positioning #3 at offset -1962971303035009795 from 0
Wed Sep 14 19:23:55 2022 [ERROR] Failed to seek in #3: Invalid argument
Wed Sep 14 19:23:55 2022 [DEBUG] Reading bitlocker header at 0xe4c220000a5004fd...
Wed Sep 14 19:23:55 2022 [DEBUG] Reading 0x70 bytes from #3 into 0x7ffd25801eb0
Wed Sep 14 19:23:55 2022 [ERROR] get_metadata::Error, metadata size is lesser than the size of the metadata header
Wed Sep 14 19:23:55 2022 [CRITICAL] A problem occured during the retrieving of metadata. Abort.
Wed Sep 14 19:23:55 2022 [DEBUG] Freeing pointer at address 0x55c3a7de9480
Wed Sep 14 19:23:55 2022 [DEBUG] Freeing pointer at address 0x55c3a7de93c0
Wed Sep 14 19:23:55 2022 [DEBUG] Freeing pointer at address 0x55c3a7de93e0
Wed Sep 14 19:23:55 2022 [DEBUG] Freeing pointer at address 0x55c3a7de65c0
Wed Sep 14 19:23:55 2022 [DEBUG] Trying to close fd #3...

How can I fix this issue and/or the incorrect volume header?

I hope the information I provided helps to figure things out, but if not feel free to ask me to provide more! (I thought about uploading the bitlocker volume header at the "grepped" offset too, but I don't really want to share that publicly.)

TSRBerry, Sep 14 '22 17:09
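
A triage of the header values from the first log, added here as an example (not part of the original issue and not dislocker code): it checks which fields of the sector at offset 0 still look like a BitLocker header and whether a grepped `-FVE-FS-` offset coincides with one of the header's own metadata offsets, as 156237824 (0x9500000) does. The field offsets (3, 11, 160, 176, 510), the names `triage_header` and `sample_sector`, and bytes 0-2 of the constructed sample are assumptions of this example.

```python
import struct
import uuid

# Assumed boot-sector layout for this example (not taken from the issue).
SIG_OFF, BPS_OFF, GUID_OFF, META_OFF, BOOT_SIG_OFF = 3, 11, 160, 176, 510
BITLOCKER_GUID = uuid.UUID("4967D63B-2E29-4AD8-8399-F6A339E3D001")
VALID_SIGNATURES = (b"-FVE-FS-", b"MSWIN4.1")

def triage_header(sector: bytes, signature_hits=()):
    """Report which parts of a 512-byte volume header still look sane."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    sig = sector[SIG_OFF:SIG_OFF + 8]
    bps = struct.unpack_from("<H", sector, BPS_OFF)[0]
    meta = struct.unpack_from("<3Q", sector, META_OFF)
    guid = uuid.UUID(bytes_le=sector[GUID_OFF:GUID_OFF + 16])
    # Heuristic: length of the leading run of printable ASCII / whitespace,
    # which is what a stray text write over the start of a partition leaves.
    text_prefix = 0
    for b in sector:
        if not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)):
            break
        text_prefix += 1
    return {
        "signature": sig,
        "signature_ok": sig in VALID_SIGNATURES,
        "sector_size_ok": bps in (512, 1024, 2048, 4096),
        "guid_ok": guid == BITLOCKER_GUID,
        "boot_sig_ok": struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0] == 0xAA55,
        "metadata_offsets": meta,
        # A "-FVE-FS-" hit at one of these offsets is a metadata block,
        # not a second copy of the volume header.
        "hits_that_are_metadata": [h for h in signature_hits if h in meta],
        "text_prefix_len": text_prefix,
    }

def sample_sector() -> bytes:
    """Constructed sector carrying the field values printed in the first log."""
    s = bytearray(512)
    s[0:3] = b"/de"                        # guess: bytes 0-2 are not in the log
    s[SIG_OFF:SIG_OFF + 8] = b"v/sdc1 -"   # logged signature
    struct.pack_into("<HB", s, BPS_OFF, 0x020A, 8)  # logged sector size, spc
    s[GUID_OFF:GUID_OFF + 16] = BITLOCKER_GUID.bytes_le
    struct.pack_into("<3Q", s, META_OFF, 0x9500000, 0x4517E76000, 0x20A60E000)
    struct.pack_into("<H", s, BOOT_SIG_OFF, 0xAA55)
    return bytes(s)

if __name__ == "__main__":
    for key, value in triage_header(sample_sector(), [156237824]).items():
        print(f"{key}: {value}")
```

On a real device, pass the first 512 bytes read from the partition instead of `sample_sector()`, and work on an image copy rather than the disk itself.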