BYUCTF 2024 | Not again! I've been BitLockered out of my own computer! writeup

Forensic/Not again! I’ve been BitLockered out of my own computer!

Challenge Description:-

Install Bitlocker they said… it will protect your data they said… Well, now I don’t have access to any of my data because I forgot my password… again! Can you find my FVEK keys? I managed to capture my RAM so they should be in there

Flag format - byuctf{key1_key2_key3} (order not significant)


As the user has captured the RAM, provided to us as the 20240327.mem file, I started searching for BitLocker. We found a plugin for the Volatility2 tool. Since the file is also a memory file, it was straightforward to use the plugin.

First, we needed the profile, so I used the following command in my terminal (using Volatility2):

$ python2 vol.py -f 20240327.mem imageinfo

It took a long time, about 7-8 minutes, but eventually it provided the profile Win10x64_19041. After that, I used the BitLocker plugin:

$ python2 vol.py -f 20240327.mem --profile=Win10x64_19041 bitlocker

We got 5 FVEK keys, but after trying some possible combinations, I realized only Win8+ was accepted.

I’ve provided a screenshot of my solution.