Skip to main content

Crate bitlocker_forensic

Crate bitlocker_forensic 

Source
Expand description

§bitlocker-forensic — BitLocker metadata anomaly auditor

Emits severity-graded forensicnomicon::report::Findings over the key-protector and cipher metadata decoded by bitlocker. Findings are OBSERVATIONS, never verdicts — the examiner draws conclusions.

The analyzer never decrypts; it audits the protector inventory and cipher that are visible without any credential:

  • BDE-CLEAR-KEY-PRESENT — a clear-key protector ⇒ the VMK is unprotected, so the volume is effectively unencrypted (High).
  • BDE-PROTECTOR-INVENTORY — one per key protector (password / recovery / TPM / startup key / …) (Info).
  • BDE-WEAK-CIPHER — AES-CBC ± Elephant Diffuser is weaker than AES-XTS, consistent with an older Windows version (Low).
  • BDE-TO-GO — a BitLocker To Go removable-media volume (Info).
use std::fs::File;
let mut image = File::open("bdetogo.raw")?;
for anomaly in bitlocker_forensic::audit_reader(&mut image)? {
    println!("{}: {}", anomaly.code, anomaly.note);
}

Structs§

Anomaly
A BitLocker forensic anomaly: an observation graded by severity, with a stable code and note derived from its AnomalyKind so they cannot drift.

Enums§

AnomalyKind
A classified BitLocker metadata observation.

Constants§

ANALYZER
The producing analyzer name embedded in emitted findings’ Source.

Functions§

audit
Audit already-parsed metadata (and whether the volume is BitLocker To Go), returning classified anomalies. Pure and side-effect-free.
audit_findings
Audit a BitLocker volume and map each anomaly to a canonical Finding, tagged with the producing Source (scope names the evidence).
audit_reader
Parse a BitLocker volume from reader and audit its metadata.
cipher_name
Human name for a BitLocker encryption method.
protector_name
Human name for a BitLocker key-protection type.