11dissect.fve
2- ============
2+ ===========
33
44.. button-link :: https://github.com/fox-it/dissect.fve
55 :color: primary
66 :outline:
77
88 :octicon: `mark-github ` View on GitHub
99
10- A Dissect module implementing parsers for full volume encryption implementations,
11- currently Microsoft's Bitlocker Disk Encryption (BDE) and Linux Unified Key Setup (LUKS1 and LUKS2).
10+ A Dissect module implementing parsers for full volume encryption implementations,
11+ currently Microsoft's BitLocker Disk Encryption (BDE) and Linux Unified Key Setup (LUKS1 and LUKS2).
1212
1313* Full volume and disk encryption schemes
1414
15- * BDE ( BitLocker disk encryption) ( : class: `~dissect.fve.bde.BDE `)
16- * LUKS ( Linux Unified Key Setup) ( : class: `~dissect.fve.luks.LUKS `)
15+ * Microsoft BitLocker Disk Encryption (all configurations and versions, including EOW): : class: `~dissect.fve.bde.BDE `
16+ * Linux Unified Key Setup (LUKS1 and LUKS2): : class: `~dissect.fve.luks.LUKS `
1717
1818
1919Installation
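Review bot: "EOW" on new line 15 is never expanded anywhere in the visible text, so a reader cannot tell which BitLocker configuration it refers to. Spell the abbreviation out on first use, as the same line already does for BDE and LUKS. The claim "all configurations and versions" is also much broader than the old wording; if any configuration is untested, narrow it.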
@@ -27,11 +27,10 @@ Installation
2727
2828 This module is also automatically installed if you install the ``dissect `` package.
2929
30-
3130Usage
3231-----
3332
34- This package is a library with a CLI tool, so you primarily interact with it from Python. For example,
33+ This package is a library with a CLI tool, so you primarily interact with it from Python. For example,
3534to open and decrypt a BitLocker encrypted volume for reading:
3635
3736.. code-block :: python
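Review bot: new line 33 differs from old line 34 only in whitespace, and the sentence still says users "primarily interact with it from Python" even though this commit expands the Tools section with full ``fve-dd`` usage. Consider adding a short pointer to the Tools section here so readers who only need to decrypt an image find the CLI first.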
@@ -42,7 +41,7 @@ to open and decrypt a BitLocker encrypted volume for reading:
4241 with open (" path/to/bitlocker/file.dd" , " rb" ) as fh:
4342 bde = BDE(fh)
4443 bde.unlock_with_passphrase(" kusjesvansrt<3" )
45-
44+
4645 fs = NTFS(bde.open())
4746 print (fs.get(" /" ).listdir())
4847
@@ -51,13 +50,71 @@ to open and decrypt a BitLocker encrypted volume for reading:
5150
5251 Tools
5352-----
53+
54+ fve-dd
55+ ~~~~~~
56+
57+ The ``fve-dd `` tool is used to decrypt Microsoft BitLocker (BDE) or Linux Unified Key Setup (LUKS1 and LUKS2) volumes
58+ and write the decrypted content to a file.
59+
60+ If the input file is a disk with multiple volumes/partitions, the output file will be a disk image with the same partition layout,
61+ with the encrypted volumes replaced by their decrypted content.
62+ If the input file is a single encrypted volume, the output file will be a raw image of the decrypted volume.
63+
5464.. sphinx_argparse_cli ::
5565 :module: dissect.fve.tools.dd
5666 :func: main
5767 :prog: fve-dd
5868 :description: Utility to decrypt BitLocker or LUKS volumes and write them to a file.
5969 :hook:
6070
71+ Examples
72+ ^^^^^^^^
73+
74+ **BitLocker or LUKS volumes with passphrase: **
75+
76+ .. code-block :: console
77+
78+ $ fve-dd encrypted.dd -p "mypassphrase" -o decrypted_volume.dd
79+
80+ **BitLocker volumes with recovery password: **
81+
82+ .. code-block :: console
83+
84+ $ fve-dd encrypted.dd -r "123456-789012-345678-901234-567890-123456-789012-345678" -o decrypted.dd
85+
86+ **BitLocker volumes with .BEK file: **
87+
88+ BitLocker External Key (BEK) files can be used to unlock BitLocker encrypted volumes.
89+ These files are typically stored on removable media like USB drives.
90+
91+ .. code-block :: console
92+
93+ $ fve-dd encrypted.dd -f /path/to/recovery_key.BEK -o decrypted.dd
94+
95+ **LUKS volumes with key file: **
96+
97+ LUKS key files contain the encryption key and can be used instead of a passphrase.
98+
99+ .. code-block :: console
100+
101+ $ fve-dd encrypted.dd -f /path/to/keyfile -o decrypted.dd
102+
103+ **LUKS volumes with specific key slot: **
104+
105+ You can specify which key slot to use when unlocking a LUKS volume:
106+
107+ .. code-block :: console
108+
109+ $ fve-dd encrypted.dd -f /path/to/keyfile --key-slot 0 -o decrypted.dd
110+
111+ **LUKS volumes with key file offset and size: **
112+
113+ Similar to the ``cryptsetup `` utility, you can specify the offset and size within a key file:
114+
115+ .. code-block :: console
116+
117+ $ fve-dd encrypted.dd -f /path/to/keyfile --keyfile-offset 512 --keyfile-size 32 -o decrypted.dd
61118
62119 Reference
63120---------
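Review bot: the examples on new lines 78 and 84 pass the passphrase and the 48-digit recovery password as literal command-line arguments (``-p "mypassphrase"``, ``-r "123456-..."``), which leaves them in shell history and visible in the process list while the tool runs. Add a sentence under Examples saying so, and if ``fve-dd`` can prompt for the secret or read it from a file, show that form alongside. Separately, new line 97 says LUKS key files "contain the encryption key"; since new line 113 compares the behaviour to ``cryptsetup``, where a key file supplies the material that unlocks a key slot, reword to "contain key material used to unlock a key slot" unless the tool really expects the volume key there. It would also help to state that the output file holds the decrypted volume contents and should be stored with the same care as the original evidence.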