Detecting BitLocker


The most appropriate way to detect BitLocker is to use the interfaces in BitLocker's WMI provider, specifically the "GetEncryptionMethod" method. Sometimes, though, you might need to detect a BitLocker volume when the WMI provider is not available, such as when running a disk tool from another OS.


I stress that "GetEncryptionMethod" should always be used if it is available. GetEncryptionMethod asks the BitLocker filter driver to report the status of the volume, and using it will make your program much more "future proof". In contrast, a program that looks at the content of the physical disk directly will require revision whenever the BitLocker on-disk structures change. But if the WMI provider is not running (that is, when you are not running Windows Vista), a method such as a direct disk read is required.


Now, with these cautions aside, how can we actually detect a BitLocker-protected volume? The simple answer is that a BitLocker volume can be detected because it has an easily recognizable BIOS Parameter Block (BPB). Note that the partition type of a BitLocker volume will normally be the same as that used for NTFS, which is one of the Installable File System (IFS) partition types, so the partition type alone does not tell you whether a volume is BitLocker-protected.


BitLocker BIOS Parameter Block


A BitLocker volume has a clear-text BPB much like FAT and NTFS. The BPB occupies the first 0x54 bytes of the first sector of the volume. Multi-byte fields are little-endian. A BitLocker volume has a BPB with the following characteristics:

Offset   Size   Field               Required Value for BitLocker
0x003    8      Signature           '-','F','V','E','-','F','S','-' (the ASCII string "-FVE-FS-")
0x00B    2      BytesPerSector      (no fixed value)
0x00D    1      SectorsPerCluster   One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80
0x00E    2      ReservedClusters    0x0000
0x010    1      FatCount            0x00
0x011    2      RootEntries         0x0000
0x013    2      Sectors             0x0000
0x016    2      SectorsPerFat       0x0000
0x020    4      LargeSectors        0x00000000
0x038    8      MetadataLcn         (no fixed value; used to locate the metadata, see below)


Since other file systems, such as FAT, also use a BPB structure (and the Signature bytes sit where FAT keeps its OEM name), it is not enough to rely on the "Signature" field alone to determine that the volume is a BitLocker volume. Every field above that has a "Required Value" must be checked.


BitLocker Metadata Location


BitLocker stores multiple copies of the volume metadata, and the first copy can be located from information in the BPB. The byte offset of the first metadata location, measured from the start of the volume, is calculated as MetadataLcn * SectorsPerCluster * BytesPerSector. The structure found at this byte offset has the following format (offsets are relative to the start of the structure):

Offset   Size   Field       Content
0x000    8      Signature   '-','F','V','E','-','F','S','-' (the ASCII string "-FVE-FS-")
0x008    2      Size        Size of the structure. Validation data follows this structure.
0x00A    2      Version     0x0001 for the current version.
0x00C    -      (varies)    Version-specific content.
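The following is an added example, not code from the original post or from BitLocker itself. It applies both checks described above to an in-memory volume image: every "Required Value" in the BPB table, then the metadata offset computation and the metadata header (Signature at 0x000, Size at 0x008, and Version in the two bytes that follow Size). The field names, the NotBitLocker exception, the jump bytes, the Size value 0x0C, and the two sample images (one BitLocker-like, one FAT look-alike that carries the same signature bytes) are constructed here for the example and are not documented BitLocker values.

```python
import struct

# Eight-byte signature shared by the BPB (at offset 0x03) and the
# metadata block header (at offset 0x00).
FVE_SIGNATURE = b"-FVE-FS-"
BPB_LENGTH = 0x54
VALID_SECTORS_PER_CLUSTER = {0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80}
METADATA_HEADER_LENGTH = 0x0C   # Signature (8) + Size (2) + Version (2)


class NotBitLocker(ValueError):
    """Raised when a volume fails one of the required-value checks."""


def parse_bpb(sector0):
    """Parse the first sector of a volume and enforce every required value
    from the BPB table. Returns the fields as a dict or raises NotBitLocker."""
    if len(sector0) < BPB_LENGTH:
        raise NotBitLocker("first sector is shorter than the 0x54-byte BPB")
    if sector0[0x03:0x0B] != FVE_SIGNATURE:
        raise NotBitLocker("BPB signature is not -FVE-FS-")
    # All multi-byte BPB fields are little-endian.
    fields = {
        "bytes_per_sector":    struct.unpack_from("<H", sector0, 0x0B)[0],
        "sectors_per_cluster": sector0[0x0D],
        "reserved_clusters":   struct.unpack_from("<H", sector0, 0x0E)[0],
        "fat_count":           sector0[0x10],
        "root_entries":        struct.unpack_from("<H", sector0, 0x11)[0],
        "sectors":             struct.unpack_from("<H", sector0, 0x13)[0],
        "sectors_per_fat":     struct.unpack_from("<H", sector0, 0x16)[0],
        "large_sectors":       struct.unpack_from("<I", sector0, 0x20)[0],
        "metadata_lcn":        struct.unpack_from("<Q", sector0, 0x38)[0],
    }
    if fields["sectors_per_cluster"] not in VALID_SECTORS_PER_CLUSTER:
        raise NotBitLocker("SectorsPerCluster is not a power of two from 1 to 128")
    # A FAT volume that happened to carry the signature bytes fails here:
    # FAT needs a non-zero FatCount and sector count.
    for name in ("reserved_clusters", "fat_count", "root_entries",
                 "sectors", "sectors_per_fat", "large_sectors"):
        if fields[name] != 0:
            raise NotBitLocker(f"{name} must be zero on a BitLocker volume")
    return fields


def parse_metadata_header(blob):
    """Parse the fixed part of the metadata block header."""
    if len(blob) < METADATA_HEADER_LENGTH:
        raise NotBitLocker("metadata header is truncated")
    if blob[:8] != FVE_SIGNATURE:
        raise NotBitLocker("metadata signature is not -FVE-FS-")
    size, version = struct.unpack_from("<HH", blob, 0x08)
    return {"size": size, "version": version}


def detect_bitlocker(volume):
    """Run both checks on a volume image (bytes starting at the volume's
    first sector). Returns BPB fields, metadata offset and metadata header."""
    bpb = parse_bpb(volume[:BPB_LENGTH])
    offset = bpb["metadata_lcn"] * bpb["sectors_per_cluster"] * bpb["bytes_per_sector"]
    if offset + METADATA_HEADER_LENGTH > len(volume):
        raise NotBitLocker("MetadataLcn points past the end of the volume")
    header = parse_metadata_header(volume[offset:offset + METADATA_HEADER_LENGTH])
    return {"bpb": bpb, "metadata_offset": offset, "metadata": header}


def is_bitlocker(volume):
    try:
        detect_bitlocker(volume)
        return True
    except NotBitLocker:
        return False


def build_sample_volume(bytes_per_sector=512, sectors_per_cluster=8, metadata_lcn=2):
    """Constructed test image, not a real BitLocker dump: a BPB meeting every
    required value plus a minimal metadata header at the computed offset.
    The jump bytes, the Size value and the zero fill are assumptions."""
    offset = metadata_lcn * sectors_per_cluster * bytes_per_sector
    image = bytearray(offset + METADATA_HEADER_LENGTH)
    image[0x00:0x03] = b"\xEB\x52\x90"          # assumed jump instruction
    image[0x03:0x0B] = FVE_SIGNATURE
    struct.pack_into("<H", image, 0x0B, bytes_per_sector)
    image[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", image, 0x38, metadata_lcn)
    image[offset:offset + 8] = FVE_SIGNATURE
    struct.pack_into("<HH", image, offset + 8, METADATA_HEADER_LENGTH, 0x0001)
    return bytes(image)


def build_fat_lookalike():
    """Constructed FAT-style BPB whose OEM-name bytes are -FVE-FS-; its
    non-zero FatCount, RootEntries and Sectors must get it rejected."""
    sector = bytearray(512)
    sector[0x03:0x0B] = FVE_SIGNATURE
    struct.pack_into("<H", sector, 0x0B, 512)
    sector[0x0D] = 1
    struct.pack_into("<H", sector, 0x0E, 1)      # reserved sectors
    sector[0x10] = 2                              # FatCount
    struct.pack_into("<H", sector, 0x11, 512)    # RootEntries
    struct.pack_into("<H", sector, 0x13, 0xFFFF) # Sectors
    struct.pack_into("<H", sector, 0x16, 9)      # SectorsPerFat
    return bytes(sector)


if __name__ == "__main__":
    result = detect_bitlocker(build_sample_volume())
    print("BitLocker volume: metadata at 0x%X, structure version %d"
          % (result["metadata_offset"], result["metadata"]["version"]))
    print("FAT look-alike detected as BitLocker:", is_bitlocker(build_fat_lookalike()))
```

Against a real device, read only what is needed rather than the whole volume: the first 0x54 bytes for parse_bpb, then seek to the computed offset and read METADATA_HEADER_LENGTH bytes for parse_metadata_header. The image must begin at the volume's first sector, so when working from a whole-disk image locate the partition first.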


Conclusion


By examining the BPB and the BitLocker metadata header, all of which is available in plain text, it is possible to conclusively determine that the volume has been configured as a BitLocker volume and which revision of the BitLocker structures applies to the volume.



Jamie Hunter

