Detecting BitLocker
Although the most appropriate way to detect BitLocker is to use the interfaces in BitLocker's WMI provider, specifically the "GetEncryptionMethod" method, you might sometimes wish to detect a BitLocker volume when the WMI provider is not available, such as when running a disk tool from another OS.
I stress that GetEncryptionMethod should always be used if it is available. GetEncryptionMethod asks the BitLocker filter driver to report the status of the volume, and using it will make your program much more "future proof". In contrast, a program that looks at the content of the physical disk directly will require revision whenever the BitLocker disk structures change. But, if the WMI provider is not running (that is, when you are not running Windows Vista), a method like a direct disk read is required.
Now, with all these cautions aside, how can we actually detect a BitLocker-protected volume? The simple answer is that a BitLocker volume can be detected because it will have an easily recognizable BIOS Parameter Block (BPB). Note that the partition type for a BitLocker volume will normally be the same as that used for NTFS, which is one of the Installable File System (IFS) partition types.
BitLocker BIOS Parameter Block
A BitLocker volume has a clear-text BPB much like FAT and NTFS. The BPB is located at the first 0x54 bytes of the first sector of the volume. A BitLocker volume has a BPB that has the following characteristics:
| Offset | Size | Field | Required Value for BitLocker |
|--------|------|-------|------------------------------|
| 0x003 | 8 | Signature | '-','F','V','E','-','F','S','-' |
| 0x00B | 2 | BytesPerSector | |
| 0x00D | 1 | SectorsPerCluster | One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80 |
| 0x00E | 2 | ReservedClusters | 0x0000 |
| 0x010 | 1 | FatCount | 0x00 |
| 0x011 | 2 | RootEntries | 0x0000 |
| 0x013 | 2 | Sectors | 0x0000 |
| 0x016 | 2 | SectorsPerFat | 0x0000 |
| 0x020 | 4 | LargeSectors | 0x00000000 |
| 0x038 | 8 | MetadataLcn | |
Since other file systems, such as FAT, also use a BPB structure, it is not enough to rely on the "Signature" field alone to determine that the volume is a BitLocker volume. All the fields above with a "Required Value" must be checked.
BitLocker Metadata Location
BitLocker stores multiple copies of the volume metadata, and the first copy can be located from information in the BPB. The byte offset of the first metadata location is calculated as MetadataLcn * SectorsPerCluster * BytesPerSector. The structure found at this byte offset has the following format:
| Offset | Size | Field | Content |
|--------|------|-------|---------|
| 0x000 | 8 | Signature | '-','F','V','E','-','F','S','-' |
| 0x008 | 2 | Size | Size of structure. Validation data follows this structure. |
| 0x002 | 2 | Version | 0x0001 for current version. |
| 0x004 | … | | Version specific content. |
Conclusion
By examining the BPB and the BitLocker metadata, all of which is available in plain text, it is possible to conclusively determine that the volume has been configured as a BitLocker volume and which revision of the BitLocker structures applies to the volume.
- Jamie Hunter