Expand description
§bitlocker-forensic — BitLocker metadata anomaly auditor
Emits severity-graded forensicnomicon::report::Findings over the
key-protector and cipher metadata decoded by bitlocker.
Findings are OBSERVATIONS, never verdicts — the examiner draws conclusions.
The analyzer never decrypts; it audits the protector inventory and cipher that are visible without any credential:
BDE-CLEAR-KEY-PRESENT— a clear-key protector ⇒ the VMK is unprotected, so the volume is effectively unencrypted (High).BDE-PROTECTOR-INVENTORY— one per key protector (password / recovery / TPM / startup key / …) (Info).BDE-WEAK-CIPHER— AES-CBC ± Elephant Diffuser is weaker than AES-XTS, consistent with an older Windows version (Low).BDE-TO-GO— a BitLocker To Go removable-media volume (Info).
use std::fs::File;
let mut image = File::open("bdetogo.raw")?;
for anomaly in bitlocker_forensic::audit_reader(&mut image)? {
println!("{}: {}", anomaly.code, anomaly.note);
}Structs§
- Anomaly
- A BitLocker forensic anomaly: an observation graded by severity, with a stable
code and note derived from its
AnomalyKindso they cannot drift.
Enums§
- Anomaly
Kind - A classified BitLocker metadata observation.
Constants§
- ANALYZER
- The producing analyzer name embedded in emitted findings’
Source.
Functions§
- audit
- Audit already-parsed metadata (and whether the volume is BitLocker To Go), returning classified anomalies. Pure and side-effect-free.
- audit_
findings - Audit a BitLocker volume and map each anomaly to a canonical
Finding, tagged with the producingSource(scopenames the evidence). - audit_
reader - Parse a BitLocker volume from
readerand audit its metadata. - cipher_
name - Human name for a BitLocker encryption method.
- protector_
name - Human name for a BitLocker key-protection type.