
1. Introduction
- During a forensic investigation, an image of a BitLocker-encrypted drive was created.
- You will find the image file under RESOURCES.
- Recently, the BitLocker Recovery Key was obtained. It is as follows:
547294-589028-080982-263945-161810-145343-350845-470613
Your task is to mount the image, decrypt the volume and obtain the flag. To complete the challenge you can use a Windows box or a Linux system.
2. Solution with Windows
Download and install Arsenal Image Mounter from https://arsenalrecon.com/downloads/
Mounting the image.
- Open Arsenal Image Mounter
- Click File
- Click Mount disk image file…
- Select your image.dd file
- Select to mount as read-only

Unlocking the volume.
- The BitLocker dialog should appear. Otherwise, click on the volume in Explorer.

- Click 'More options' in the dialog
- Click 'Enter recovery key'

- Enter the provided BitLocker Recovery Key

Retrieve the flag for this challenge:

2. Solution with Linux
mkdir /mnt/dislock
dislocker-fuse -r -V bitlocker.dd -p547294-589028-080982-263945-161810-145343-350845-470613 -- /mnt/dislock

Mount dislocker file:
mkdir /mnt/image
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/dislock/dislocker-file /mnt/image
- Open the mounted BitLocker volume to retrieve the flag.

3. Additional Information
A BitLocker-encrypted volume starts with hex:
EB 58 90 2D 46 56 45 2D 46 53 2D
Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized. This key may be stored in your Microsoft account, printed or saved as a file, or with an organization that is managing the device. The requirement for a recovery key in these cases is a critical component of the protection that BitLocker provides your data.
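A pre-flight check for the two facts above, as an added example that is not part of the original write-up: it locates sectors in an image that begin with the signature bytes, and checks that a recovery key is well-formed before it is handed to an unlock tool. The function names and the 512-byte sector size are assumptions; the rule that every six-digit group is a multiple of 11 whose quotient fits in 16 bits is a property of the recovery password format that the page does not state.

```python
import re
import sys

# Signature bytes quoted in the write-up: jump EB 58 90, then ASCII "-FVE-FS-".
SIGNATURE = bytes.fromhex("EB58902D4656452D46532D")
SECTOR = 512  # assumed sector size


def find_bitlocker_offsets(path, max_sectors=1 << 22):
    """Return byte offsets of sectors that begin with the BitLocker signature."""
    hits = []
    with open(path, "rb") as fh:  # read-only: the evidence file is never modified
        for index in range(max_sectors):
            sector = fh.read(SECTOR)
            if len(sector) < len(SIGNATURE):
                break  # end of image
            if sector.startswith(SIGNATURE):
                hits.append(index * SECTOR)
    return hits


def check_recovery_key(key):
    """Return a list of problems with a recovery key; an empty list means well-formed."""
    groups = key.strip().split("-")
    if len(groups) != 8:
        return [f"expected 8 groups, got {len(groups)}"]
    problems = []
    for pos, group in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{6}", group):
            problems.append(f"group {pos}: not six digits")
        elif int(group) % 11 or int(group) // 11 > 0xFFFF:
            problems.append(f"group {pos}: fails the multiple-of-11 check")
    return problems


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <image file> <recovery key>
    print("signature at byte offsets:", find_bitlocker_offsets(sys.argv[1]))
    print("recovery key problems:", check_recovery_key(sys.argv[2]) or "none")
```

An offset of 0 means the image is a bare volume; a non-zero offset means the encrypted volume sits inside a partitioned disk image. A key that fails the check was most likely mistyped or truncated during transcription.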

