Thursday, September 5, 2024

Cracking OneDrive's Personal Vault

Sometimes in digital forensics there is a need to gain access to encrypted data sources. This can come in many forms including zip files, TrueCrypt/VeraCrypt, KeePass and BitLocker. OneDrive's Personal Vault is no exception. It is important to gain access to these encrypted containers because they can contain information that is important to our investigation.

What is Personal Vault?

According to Microsoft, "Personal Vault is a protected area in OneDrive where you can store your most important or sensitive files and photos without sacrificing the convenience of anywhere access." Personal Vault adds an extra layer of security by using Two-Factor Authentication (2FA). When accessed from the Windows client, Personal Vault is stored on the system in a BitLocker-encrypted vhdx. It should be noted that Personal Vault is only available for OneDrive Personal.

Digging Deeper

What had caught my eye was that Microsoft is storing the data on a Windows device in a BitLocker-encrypted vhdx. So where is this file located? The vhdx file is stored in a hidden folder at the root of the system drive: c:\OneDriveTemp\<SID>\<GUID>.vhdx

So now that we found the vhdx file, what can we do with it? We know it's protected by BitLocker so let's see what we can find out. The first thing I did was mount the vhdx and assign it a drive letter. This way, I could work with manage-bde to find out more information about the disk.

Now we can open up an administrative command prompt and start investigating the drive. The first command I used was manage-bde -status. This command provides information about BitLocker-capable volumes. This is the information for our Personal Vault.

Volume F: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    XTS-AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

Interesting! So, it appears the volume is protected by an external key. Let's take a closer look at this with the following command: manage-bde -protectors -get f:. Our results look like this:

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume F: [Label Unknown]
All Key Protectors

   External Key:
     ID: {08F750D7-0483-4F0E-847B-174119BD2896}
     External Key File Name:
       08F750D7-0483-4F0E-847B-174119BD2896.BEK

Let's see if we can get this external key.

manage-bde -protectors -get f: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: The operation cannot be performed because the volume is locked.

Seems we hit a roadblock. We cannot save the key because the volume is locked.

Looking at it from an Unlocked Perspective

The next thing we will try is to unassign the drive letter, dismount and unlock the Personal Vault with OneDrive.

So now the Personal Vault is unlocked. What's interesting is that there is not a drive letter associated with the Personal Vault. Inside our OneDrive folder, there is a Personal Vault.lnk file. When the vault is locked, double clicking it will run through the steps of unlocking the vault. After the vault is unlocked, double clicking it will bring us to the vault. We'll take a look at the lnk file to see how the vhdx is being referenced.

Here is the output from LECmd.

The lnk file is pointing to a Personal Vault folder in my OneDrive. When I ran a directory listing, this folder was not present. This is because the folder is hidden. If we run dir again, looking for hidden files/folders, we can see that the folder is actually a junction.

Next thing we'll do is go to an administrative command prompt and assign the volume a letter so we can look at it with manage-bde again.

Let's run manage-bde -status and see what we have. Here is the information returned for our Personal Vault.

Volume E: [OneDrive Personal Vault]
[Data Volume]

    Size:                 1024.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

So far so good! Let's run manage-bde -protectors -get e: to list the protectors.

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

We see the same external key again. Let's see if we can save the key this time.

manage-bde -protectors -get e: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

    Saved to directory d:\Projects\PersonalVaultBEK

Success! The BEK file is created as a hidden file. We'll do a quick directory listing to confirm it is there.

Using The BEK File to Gain Access

Now we will test whether the BEK file will unlock the Personal Vault vhdx. Again, we will mount the vhdx by double clicking on it and assigning a drive letter. If we double click the drive, we will be prompted to "Load key from USB drive".

We'll open a command prompt again and use manage-bde to unlock the drive with the key we saved.

And with that, the vault is unlocked and we can see the contents.
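As an added example (not the post's script and not part of the original post), here is a small Python parser for the manage-bde output quoted above. It records the lock status and key protectors of a volume and applies the precondition the post arrived at: the external key can only be saved with -sek while the vault is unlocked. The sample text is constructed from the output shown in the post.

```python
import re
# Constructed samples, condensed from the manage-bde output quoted in the post.
STATUS_LOCKED = """Volume F: [Label Unknown]
    Size:                 Unknown GB
    Encryption Method:    XTS-AES 128
    Lock Status:          Locked
    Key Protectors:
        External Key
"""
PROTECTORS = """Volume E: [OneDrive Personal Vault]
All Key Protectors
    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK
"""

def parse_status(text):
    """Turn 'manage-bde -status' output into volume letter, label, fields and protector list."""
    head = re.search(r"^Volume ([A-Z]): \[(.*?)\]", text, re.M)
    info = {"volume": head.group(1), "label": head.group(2), "fields": {}, "protectors": []}
    in_protectors = False
    for line in text.splitlines():
        kv = re.match(r"^\s+([\w ]+?):\s*(.*)$", line)
        if in_protectors and line.strip():      # indented names after 'Key Protectors:'
            info["protectors"].append(line.strip())
        elif kv and kv.group(1) == "Key Protectors":
            in_protectors = True
        elif kv:
            info["fields"][kv.group(1)] = kv.group(2)
    return info
def parse_protectors(text):
    """Collect type, ID and key file for each protector in 'manage-bde -protectors -get' output."""
    protectors, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and not s.startswith("ID") and s != "External Key File Name:":
            cur = {"type": s[:-1], "id": None, "key_file": None}
            protectors.append(cur)
        elif s.startswith("ID:") and cur:
            cur["id"] = s.split(":", 1)[1].strip()
        elif s.upper().endswith(".BEK") and cur:
            cur["key_file"] = s
    return protectors
def bek_exportable(status):
    """The post's precondition: -sek only succeeds while the volume is Unlocked and has an External Key."""
    return status["fields"].get("Lock Status") == "Unlocked" and "External Key" in status["protectors"]
def key_file_matches_id(p):
    """Post-export sanity check: the .BEK file name is the protector GUID without the braces."""
    return bool(p["key_file"] and p["id"]) and p["key_file"][:-4].upper() == p["id"].strip("{}").upper()
```

Feed it the real output of manage-bde (for example via subprocess on the examiner's machine) to decide in advance whether the -sek step will fail with the "volume is locked" error seen above.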

Conclusion

There is a way to get the encryption key for OneDrive's Personal Vault, but certain criteria need to be met. We have to have administrative access, and the vault has to be unlocked. It may not be ideal, but it is the best method I have come up with so far. There is also a script you can download to automate the process of saving the key. That script can be found here.
