Dissect, an open-source incident response framework, has been extended to support common disk encryption methods such as BitLocker and LUKS, letting analysts extract artifacts from encrypted devices and broadening the tool's reach for incident response investigations.
The demand from the community has led to this development, which demonstrates Dissect’s dedication to providing security professionals with tools that are both robust and adaptable.
Dissect was used to analyze a VMware virtual machine file (.vmwarevm) named “Windows 11 x64.vmwarevm,” and the analysis revealed an encrypted volume (“Basic data partition”) protected with BitLocker, which Dissect could not decrypt without a key.
While a small FAT filesystem partition and an unidentifiable filesystem partition were found, the main data partition (“Basic data partition” with size 679GB) remained inaccessible due to BitLocker encryption.
Dissect could not identify the operating system or its version within the virtual machine. The encrypted disk can be decrypted using the latest Dissect version, which offers three decryption methods: user passphrase, recovery key, or BitLocker file.
A keychain CSV file containing the recovery key (395791-328042-677721-279895-554466-214599-232023-709148) has been created for potential decryption.
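As an added illustration (not Dissect's own code), the script below checks a BitLocker recovery password's structure before writing it into a keychain CSV; the column layout (provider,key_type,identifier,value) and the little-endian 16-bit packing in recovery_password_to_bytes are assumptions, not taken from the article.

```python
"""Validate a BitLocker recovery password and emit a keychain CSV for it.
Added example, not Dissect's own code; the CSV layout is assumed."""
import csv
import io
import struct


def parse_recovery_password(password: str) -> list[int]:
    """Return the eight 16-bit values encoded by a recovery password.

    Format rules: 48 digits in 8 dash-separated groups of 6; every group is a
    multiple of 11 (that is the embedded check digit) and group // 11 must fit
    in 16 bits. Raises ValueError on any violation.
    """
    groups = password.strip().split("-")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = []
    for i, group in enumerate(groups, 1):
        if len(group) != 6 or not group.isdigit():
            raise ValueError(f"group {i} is not six digits: {group!r}")
        n = int(group)
        if n % 11:
            raise ValueError(f"group {i} fails the mod-11 check: {group}")
        if n // 11 > 0xFFFF:
            raise ValueError(f"group {i} exceeds the 16-bit range: {group}")
        values.append(n // 11)
    return values


def is_valid_recovery_password(password: str) -> bool:
    """Boolean form of the check above, for callers that do not want exceptions."""
    try:
        parse_recovery_password(password)
        return True
    except ValueError:
        return False


def recovery_password_to_bytes(password: str) -> bytes:
    """Pack the eight values into 16 bytes (assumed: little-endian uint16 per group)."""
    return struct.pack("<8H", *parse_recovery_password(password))


def build_keychain_csv(password: str, provider: str = "bitlocker", identifier: str = "") -> str:
    """Return a keychain CSV body; assumed layout: provider,key_type,identifier,value."""
    parse_recovery_password(password)  # refuse to write a malformed key
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["provider", "key_type", "identifier", "value"])
    writer.writerow([provider, "recovery_key", identifier, password.strip()])
    return buf.getvalue()


if __name__ == "__main__":
    # Sample value taken from the article's keychain (a demo key, not a real secret).
    SAMPLE = "395791-328042-677721-279895-554466-214599-232023-709148"
    print(build_keychain_csv(SAMPLE), end="")
```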
Dissect was also used to analyze a Windows 11 virtual machine named “Windows 11 x64.vmwarevm.” While it successfully identified basic information such as hostname, domain, OS version, and installed languages, it encountered issues accessing critical file systems.
It couldn’t identify the file system on the “Microsoft reserved partition” and found the “sysvol/windows/SECURITY” and “sysvol/windows/SYSTEM” hives empty.
The analysis identifies several data partitions, some formatted with NTFS, that might hold relevant data, and demonstrates two primary commands for interacting with an encrypted Windows 11 virtual disk image.
The first command retrieves detailed information about the specified disk image using a recovery key, while the second command opens a shell within the mounted disk image, allowing for file operations like reading the content of a specific file on the user’s desktop.
Dissect, a forensic analysis tool, was used to analyze a virtual machine image named “Ubuntu 64-bit 24.04.1.vmwarevm”; the analysis revealed a LUKS encrypted volume named “ubuntu--vg-ubuntu--lv,” which was unlocked using a passphrase retrieved from the keychain (“glad-design-paper-airplane”).
It was unable to identify the filesystem type for a smaller volume (“part_00100000”) and encountered issues with the mount device for the LVM volume. However, it successfully extracted the content of a file named “secretLinuxfile” located on the user’s Desktop (“/home/personnel/Desktop/secretLinuxfile”).
According to Fox-IT, Dissect’s fve-dd utility enables the decryption of entire disk images within supported containers, which allows for a broader range of external tools to be used for analysis.
After extracting individual VMDK files from a .vmwarevm container, fve-dd can decrypt the primary VMDK, creating a decrypted DD image, which can then be further analyzed using tools like target-info to reveal detailed information about the disk’s volumes, file systems, and system configuration, such as hostname, operating system, and installation date.