Since BitLocker decryption key files are in UTF-16, they cannot be searched with grep -R, so use a script to search.

2023-05-14 12:09 (1 years ago) ytyng

When you encrypt Windows storage with BitLocker, you can save the key as a file.

If you have multiple files and want to search for files with matching content, running something like

grep -R 'AABBCC' .

won't work because the file encoding is UTF-16.

A technique to make it match is described in the following StackOverflow post: https://stackoverflow.com/questions/3752913/grepping-binary-files-and-utf16

According to this post, it seems possible to achieve it with:

grep -Ra 'A.A.B.B.C.C.' .

However, I opted not to use this method and wrote a Python script instead. In Python, you can read the content by using decode('utf16', errors='ignore') to convert it to a string.

import glob
import os

bitlocker_key_save_dir = '<my-mounted-bitlocker-key-save-dir>'

needle = 'AABBCC'


def main():
    # Retrieve all files, including those in subdirectories, under bitlocker_key_save_dir
    for file_path in glob.glob(
        f'{bitlocker_key_save_dir}/**/*', recursive=True
    ):
        # Skip if file_path is not a file
        if not os.path.isfile(file_path):
            continue
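        # Show the file currently being scanned on a single, overwritten line
        print(f'\r{file_path}', end='', flush=True)
        # Read the raw bytes and decode them as UTF-16
        with open(file_path, 'rb') as f:
            content_bytes = f.read()
        content = content_bytes.decode('utf16', errors='ignore')
        # On a match, print the whole decoded file (this shows the key itself)
        if needle in content:
            print('\n')
            print(content)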


if __name__ == '__main__':
    main()
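
A byte-level variant of the search, added here as an example and not part of the original post: it encodes the needle instead of decoding each file, so UTF-16 files with or without a BOM, big-endian files and UTF-8 copies all match, and it reports only paths rather than printing key contents. The function names, the encoding list and the sample bytes are assumptions made for this example.

```python
import os
import re

# Candidate encodings (assumption: UTF-16 in either byte order, or UTF-8 if
# the file was re-saved by an editor).
ENCODINGS = ('utf-16-le', 'utf-16-be', 'utf-8')


def find_encoding(data, needle):
    """Return the encoding in which needle occurs in data, or None.

    ASCII letters match case-insensitively.
    """
    for enc in ENCODINGS:
        pattern = re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
        width = 2 if enc.startswith('utf-16') else 1
        for m in pattern.finditer(data):
            # UTF-16 code units start on even offsets; an odd-offset hit is
            # the other byte order seen one byte out of phase.
            if m.start() % width == 0:
                return enc
    return None


def search_key_files(root, needle):
    """Return sorted (path, encoding) pairs for files containing needle.

    File contents are never printed, so the key stays out of scrollback.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, 'rb') as f:
                    data = f.read()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            enc = find_encoding(data, needle)
            if enc:
                hits.append((path, enc))
    return sorted(hits)


if __name__ == '__main__':
    # Constructed sample: an identifier line as UTF-16LE with a BOM.
    sample = b'\xff\xfe' + 'Identifier: AABBCC12'.encode('utf-16-le')
    print(find_encoding(sample, 'aabbcc'))
```

Call `search_key_files('<my-mounted-bitlocker-key-save-dir>', 'AABBCC')` to get the matching paths, then open only the file you need.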