Since BitLocker decryption key files are in UTF-16, they cannot be searched with grep -R, so use a script to search.
2023-05-14 03:09 (3 years ago)
When encrypting Windows storage with BitLocker, you can save the key to a file.
If you have multiple files and want to search for files with matching content, running something like
```
grep -R 'AABBCC' .
```
won't work because the file encoding is UTF-16.
A technique to make it match is described in the following StackOverflow post: https://stackoverflow.com/questions/3752913/grepping-binary-files-and-utf16
According to this post, it seems possible to achieve it with:
```
grep -Ra 'A.A.B.B.C.C.' .
```
However, I opted not to use this method and wrote a Python script instead. In Python, you can read the content by using decode('utf16', errors='ignore') to convert it to a string.
```python
import glob
import os

bitlocker_key_save_dir = '<my-mounted-bitlocker-key-save-dir>'
needle = 'AABBCC'


def main():
    # Retrieve all files, including those in subdirectories, under bitlocker_key_save_dir
    for file_path in glob.glob(
        f'{bitlocker_key_save_dir}/**/*', recursive=True
    ):
        # Skip if file_path is not a file
        if not os.path.isfile(file_path):
            continue
        # Show progress on a single line
        print(f'\r{file_path}', end='', flush=True)
        # Read the raw bytes and decode them as UTF-16
        with open(file_path, 'rb') as f:
            content_bytes = f.read()
        content = content_bytes.decode('utf16', errors='ignore')
        # Print the content of every file that contains the needle
        if needle in content:
            print('\n')
            print(content)


if __name__ == '__main__':
    main()
```
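An alternative to decoding every file, given here as an added example that is not the author's script: encode the needle to bytes and search the raw file contents, which is what the `A.A.B.B.C.C.` grep pattern approximates. It goes slightly beyond the post by checking code-unit alignment and by returning only the matching paths instead of printing the key text; the UTF-16BE and UTF-8 fallbacks, the function names and the sample file contents are assumptions made for the illustration.

```python
import os
import tempfile

# (encoding, code-unit width in bytes). UTF-16LE is what the post's key files
# use; the other two are assumptions added to cover re-saved copies.
ENCODINGS = (('utf-16-le', 2), ('utf-16-be', 2), ('utf-8', 1))

def match_encoding(data: bytes, needle: str):
    """Return the encoding in which needle occurs in data, or None."""
    for enc, width in ENCODINGS:
        pattern = needle.encode(enc)
        pos = data.find(pattern)
        while pos != -1:
            # A UTF-16 hit must start on a code-unit boundary; otherwise
            # LE text would also "match" the BE pattern one byte off.
            if pos % width == 0:
                return enc
            pos = data.find(pattern, pos + 1)
    return None

def search_tree(root: str, needle: str):
    """Return sorted (path, encoding) pairs for files under root containing needle."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, 'rb') as f:
                    enc = match_encoding(f.read(), needle)
            except OSError:
                continue  # unreadable file: skip it
            if enc:
                hits.append((path, enc))  # report the path, not the key text
    return sorted(hits)

def demo():
    """Search constructed sample files (not real key files) in a temp dir."""
    text = 'Identifier: AABBCC-0000\r\n'
    samples = {
        'with_bom.txt': b'\xff\xfe' + text.encode('utf-16-le'),
        'no_bom.txt': text.encode('utf-16-le'),
        'be.txt': b'\xfe\xff' + text.encode('utf-16-be'),
        'other.txt': b'\xff\xfe' + 'Identifier: DDEEFF-1111\r\n'.encode('utf-16-le'),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), 'wb') as f:
                f.write(data)
        return [(os.path.basename(p), e) for p, e in search_tree(root, 'AABBCC')]
```

Calling `search_tree(bitlocker_key_save_dir, needle)` on the mounted directory returns the matching paths, so the key text itself stays out of terminal scrollback.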
The author runs the application development company Cyberneura.
We look forward to discussing your development needs.