Driver Installation

The software, which makes this possible, is called Dislocker. It is an opensource driver project maintained on Github by Aorimn. To obtain the source code:

git clone https://github.com/Aorimn/dislocker.git

Before you can build the driver it is necessary to install some dependencies, including the fuse and polarssl headers:

sudo apt-get install gcc cmake make libfuse-dev libpolarssl-dev ruby-dev

Assuming that these are installed correctly you can then build the project and install the driver as follows:

cd dislocker cmake 

make sudo make install

According to Aorimn the current version of the Dislocker driver supports all versions of Bitlocker associated with Windows versions 7, 8 and 8.1.

Mounting a Volume for Standard Use

Much like mounting an E01 image under SIFT the mounting process for the bitlockered volume is a two stage process. Therefore you will require two directories to exist in the /mnt folder. I have used /mnt/bitlocker and /mnt/usb.

In order to use the volume for normal everyday use I use the fuse driver along with the normal user password:

sudo dislocker-fuse -V /dev/sdb1 -uPassword99 -- /mnt/bitlocker

This creates a new block device at /mnt/bitlocker/dislocker-file, to which access is handled on the fly by the fuse drivers.

If the user password is unknown it is possible to use the recovery password with the -p option or a BEK file with the -f option.

Once this has been done you can then mount the new block device with the standard mount command:

sudo mount /mnt/bitlocker/dislocker-file /mnt/usb -o loop

Once mounted the volume can be accessed via the /mnt/usb directory and can be read from and written to normally.

Forensic Use

In order to access the full volume you can use the same commands as above but specify the read only option during mounting:

sudo dislocker-fuse -V /dev/sdb1 -uPassword99 -- /mnt/bitlocker 

sudo mount /mnt/bitlocker/dislocker-file /mnt/usb -o loop,ro

For imaging purposes it may be preferable to use the flat file driver, dislocker-file. This uses the same command line arguments but performs all the encryption in one go to produce a flat file, internally formatted with NTFS. The command for this would be:

sudo dislocker-file -V /dev/sdb1 -uPassword99 -- /mnt/bitlocker

The resulting /mnt/bitlocker/dislocker-file could then be mounted or imaged with the tool of your choice.

I'd like to thank Aorimn for making this driver available to the community.