An offline automatic decryption method and device for BitLocker encrypted partition

By loading the system disk or image file system, the cached data of the BitLocker encrypted partition is extracted and decrypted, solving the problem of BitLocker decryption in offline mode, realizing automatic decryption without password or recovery key, and improving data recovery efficiency.

CN122153929APending Publication Date: 2026-06-05XIAMEN MEIYA PICO INFORMATION CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
XIAMEN MEIYA PICO INFORMATION CO LTD
Filing Date
2026-01-14
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies make it difficult to utilize BitLocker's automatic unlocking of cached data in offline states, which means that passwords or recovery keys must be used for decryption in offline forensic scenarios, making the operation complex and inconvenient.

Method used

By loading the system disk or image file system, offline DPAPI decryption data is extracted, key cache data in the registry is parsed, and offline DPAPI technology is used to decrypt the globally unique identifier and recovery key. Combined with disk partition table characteristics, BitLocker encrypted partitions are identified and decrypted.

Benefits of technology

It enables automatic decryption of BitLocker encrypted partitions without requiring users to enter passwords or recovery keys, improving data recovery efficiency and availability in offline scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153929A_ABST
    Figure CN122153929A_ABST
Patent Text Reader

Abstract

The application discloses an offline automatic decryption method and device for BitLocker encrypted partition. The method extracts data required for offline DPAPI decryption and key cache data stored in a registry by loading a system disk or an image; the cache data is decrypted by using a DPAPI technology to obtain a globally unique identifier and a recovery key; the identifier is used to identify a target encrypted partition based on a preset encryption signature feature, and the recovery key is used to complete decryption and file system analysis. The application does not require a user to provide a password or rely on a network, realizes full-automatic decryption by analyzing a left cache of an automatic unlocking function, and significantly improves the efficiency of data evidence collection and recovery in an offline scene.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data forensics, and in particular to an offline automatic decryption method and apparatus for BitLocker encrypted partitions. Background Technology

[0002] BitLocker is a full-disk encryption technology widely used in Microsoft Windows operating systems, designed to prevent unauthorized access to data when computer devices are lost or stolen. In a normal system environment, users can access encrypted data by entering a password, inserting a USB key, or using a key protected by a TPM chip.

[0003] However, in scenarios involving electronic data forensics, enterprise disaster recovery, or system crashes that prevent login, existing BitLocker decryption technology faces significant challenges: Relying on manual credentials: This typically requires the user to provide a password or a 48-bit recovery key. If the user forgets their password or refuses to provide it, and a backup of the recovery key cannot be found, the data is often unrecoverable.

[0004] Strong environmental dependence: Some decryption depends on an online environment (such as an Active Directory domain environment or a Microsoft account), and decryption credentials cannot be obtained in offline forensics or in environments without a network.

[0005] Complex operation: Traditional methods may require complex command-line operations or specific hardware environments, and compatibility differences between different operating system versions may lead to decryption failure.

[0006] Specifically, BitLocker technology includes an automatic unlocking mechanism that allows trusted systems to automatically decrypt data volumes upon startup. However, existing data recovery and forensics solutions often overlook the value of this mechanism in offline environments. When the operating system crashes or forensic personnel are only analyzing image files, the built-in Windows automatic unlocking function cannot be triggered because the original active system environment is no longer present.

[0007] Currently, there is a lack of existing technologies that can automatically locate and parse cached credentials left over from automatic unlocking in the registry in an offline state, thereby achieving passwordless decryption. This forces technicians to resort to inefficient methods such as relying on recovery keys or brute-force attacks in offline forensic scenarios, even if the target device has automatic unlocking enabled. Summary of the Invention

[0008] The purpose of this invention is to provide an offline automatic decryption method and apparatus for BitLocker encrypted partitions, aiming to solve the problem that existing technologies are difficult to use for automatic unlocking of cached data in offline states, resulting in the need to rely on passwords or recovery keys for decryption.

[0009] To achieve the above objectives, the first aspect of the present invention provides an offline automatic decryption method for BitLocker encrypted partitions, comprising the following steps: S1. Load and parse the file system of the system disk or system disk image; S2. Extract the data required for offline DPAPI decryption based on file system analysis; the data required for offline DPAPI decryption includes at least the user master key file and the user security identifier. S3. Obtain the registry based on the file system and extract the key cache data of the BitLocker encrypted partition stored in the registry; wherein, the key cache data is generated when the BitLocker automatic decryption function is enabled, and the key cache data includes a globally unique encrypted identifier and an encrypted BitLocker recovery key used to identify the corresponding BitLocker encrypted partition. S4. Based on the data required for offline DPAPI decryption, decrypt the key cache data using offline DPAPI technology to obtain the globally unique identifier and the BitLocker recovery key after decryption. S5. Obtain the disk partition table based on the file system, read the disk partition table, and identify the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature. S6. Use the decrypted BitLocker recovery key to decrypt the target BitLocker encrypted partition, parse the file system of the decrypted target BitLocker encrypted partition, and generate a file list.

[0010] Further, step S3 extracts the key cache data stored in the registry by the BitLocker encrypted partition, specifically including: Retrieve the registry path associated with BitLocker auto-decryption; Parse the sub-items under the path and retrieve the key cache data.

[0011] Further, step S5 identifies the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature, specifically including: Read the header data of each disk partition in the disk partition table; Determine whether the header data contains the preset BitLocker cryptographic signature characteristics; and verify whether the decrypted globally unique identifier matches the metadata of the corresponding disk partition; If the header data contains a preset BitLocker encryption signature and the decrypted globally unique identifier matches the metadata of the corresponding disk partition, then the corresponding partition is determined to be the target BitLocker encrypted partition.

[0012] Furthermore, the BitLocker cryptographic signature feature preset in step S5 is the string -FVE-FS-.

[0013] Furthermore, the method also includes: S7. Display a file list through an interactive interface and respond to external commands to perform file export or file preview operations.

[0014] Secondly, an offline automatic decryption device for BitLocker encrypted partitions is provided, comprising: The system loading module is configured to load and parse the file system of the system disk or system disk image; The DPAPI decryption data extraction module is configured to extract the data required for offline DPAPI decryption based on file system analysis; the data required for offline DPAPI decryption includes at least the user master key file and the user security identifier. The cache data extraction module is configured to retrieve the registry based on the file system and extract the key cache data stored in the registry for BitLocker encrypted partitions. The key cache data is generated when the BitLocker automatic decryption function is enabled, and includes a globally unique identifier for identifying the corresponding BitLocker encrypted partition and the encrypted BitLocker recovery key. The key decryption module is configured to decrypt the required data based on offline DPAPI. It decrypts the key cache data using offline DPAPI technology to obtain the decrypted globally unique identifier and the decrypted BitLocker recovery key. The partition identification module is configured to obtain the disk partition table based on the file system, read the disk partition table, and identify the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature. The partition decryption and parsing module is configured to decrypt the target BitLocker encrypted partition using the decrypted BitLocker recovery key, parse the file system of the decrypted target BitLocker encrypted partition, and generate a file list.

[0015] Furthermore, the preset BitLocker cryptographic signature feature in the partition recognition module is the string -FVE-FS-.

[0016] Furthermore, the device also includes: The front-end module is configured to display a list of files through an interactive interface and respond to external commands to perform file export or file preview operations.

[0017] Thirdly, the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the above-described method.

[0018] Fourthly, the present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the above-described method.

[0019] Compared with the prior art, the present invention has the following beneficial effects: Breakthrough cache utilization: It leverages the cache features left in the registry by BitLocker's automatic unlock function, breaking through the limitation of traditional offline decryption that must rely on plaintext recovery keys. Even if the user forgets the password and cannot start the system, the key can still be retrieved through technical means.

[0020] Fully automated decryption: No user needs to enter any password or recovery key, significantly improving data recovery efficiency in emergency scenarios (such as judicial evidence collection and system crash rescue).

[0021] Completely offline operation: No network connection is required, making it suitable for physically isolated scenarios such as judicial evidence collection and data recovery for confidential units. Attached Figure Description

[0022] The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and, together with the description, serve to explain the principles of the invention. Other embodiments and many anticipated advantages of the embodiments will be readily recognized as they become better understood through reference to the following detailed description. Elements in the drawings are not necessarily to scale. The same reference numerals refer to corresponding similar parts.

[0023] Figure 1 This is a flowchart of an offline automatic decryption method for BitLocker encrypted partitions provided in an embodiment of the present invention; Figure 2 This is a schematic diagram of the association path between the registry and BitLocker automatic decryption and its sub-item structure in an embodiment of the present invention; Figure 3This is a schematic diagram of encrypted binary data extracted from the registry subkey info in an embodiment of the present invention; Figure 4 This is a schematic diagram of the BitLocker recovery key Bek file data obtained after decrypting the key cache data in an embodiment of the present invention; Figure 5 This is a schematic diagram illustrating that the disk partition header data contains BitLocker cryptographic signature features in an embodiment of the present invention; Figure 6 This is a schematic diagram showing the BitLocker encrypted partition in a locked state under experimental conditions in an embodiment of the present invention; Figure 7 This is a schematic diagram illustrating the successful decryption of the target BitLocker encrypted partition and the parsing of the file list in an embodiment of the present invention; Figure 8 This is a framework diagram of an offline automatic decryption device for BitLocker encrypted partitions provided in an embodiment of the present invention; Figure 9 This is a schematic diagram of the hardware structure of the electronic device provided in an embodiment of the present invention. Detailed Implementation

[0024] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and not intended to limit it. Furthermore, it should be noted that, for ease of description, only the parts relevant to the invention are shown in the accompanying drawings.

[0025] refer to Figure 1 This embodiment provides an offline automatic decryption method for BitLocker encrypted partitions. The method typically runs on a forensic analysis machine or a maintenance system booted via USB. The object being analyzed can be a physically mounted hard drive or a hard drive image file. BitLocker automatic decryption functionality is pre-enabled.

[0026] The specific execution flow of this method is as follows: S100: Loads and parses the file system of the system disk or system disk image. This enables subsequent reading of system files and registry files.

[0027] S200: Extract the data required for offline DPAPI decryption based on file system analysis; the data required for offline DPAPI decryption includes at least the user master key file and the user security identifier.

[0028] Specifically, this step analyzes the system disk or system disk image to extract the data required for offline DPAPI decryption. This data includes at least: DPAPI master key file: usually located in the user's AppData directory or system directory.

[0029] Security Identifier (SID): Used to identify a user or system account.

[0030] Optionally, it also includes a system boot key extracted from the SYSTEM registry.

[0031] S300. Obtain the registry based on the file system and extract the key cache data stored in the registry for the BitLocker encrypted partition. This key cache data is generated when the BitLocker automatic decryption function is enabled, and includes a globally unique encrypted identifier for the corresponding BitLocker encrypted partition and the encrypted BitLocker recovery key. The core of this step is to find traces left by the BitLocker automatic unlock function.

[0032] Specifically, extract the key cache data stored in the registry for the BitLocker encrypted partition, including: Retrieve the registry path associated with BitLocker auto-decryption; the path is typically HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\FveAutoUnlock\{GUID}. (Reference) Figure 2 The Registry Editor displays the structure under this path, which includes the subkey info; the subkey info records the encrypted globally unique identifier (GUID) and the encrypted BitLocker recovery key.

[0033] Parse the `info` item under the path to obtain the encrypted globally unique identifier (GUID) and the encrypted BitLocker recovery key. (See reference.) Figure 3 This displays the encrypted binary data extracted from the "info" subkey under the FveAutoUnlock path in the registry. The encrypted binary data encapsulates an encrypted BitLocker recovery key and an encrypted globally unique identifier (GUID).

[0034] S400. Determine if the extracted key cache data has a value, i.e., determine if set T has a value. If set T has a value, proceed to step S500. If set T has no value, it means that the corresponding hardware has not enabled the BitLocker automatic decryption function, and the process ends.

[0035] S500 uses offline DPAPI technology to decrypt the key cache data based on the data required for offline DPAPI decryption, and obtains the globally unique identifier and the BitLocker recovery key after decryption, i.e., set K.

[0036] For details, please refer to Figure 4 The key cache data is decrypted to obtain the BitLocker recovery key file (Bek). The decrypted globally unique identifier (GUID) and the decrypted BitLocker recovery key are contained in the binary data of this file. The decrypted GUID is "2C 60 06 E4 A6 40 C8 40 85 E6 BD 08 56 BB B4 43", and the decrypted BitLocker recovery key is "91 F0 E2 CC BF 66 DF DA CB 19 90 8F C4 27 4558 5B B5 9E 98 67 7F BB B1 67 D3 54 83 B1 B7 56 A5".

[0037] Specifically, after obtaining the decrypted globally unique identifier and the decrypted BitLocker recovery key, the process also includes using the BitLocker encryption algorithm to verify the validity of the decrypted BitLocker recovery key.

[0038] S600: Obtain the disk partition table based on the file system, read the disk partition table, and identify the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature.

[0039] Specifically, the target BitLocker encrypted partition under the disk partition table is identified based on the decrypted globally unique identifier and the preset BitLocker encryption signature features, including: Read the header data of each disk partition in the disk partition table; Determine if the header data contains the preset BitLocker cryptographic signature; and verify if the decrypted globally unique identifier matches the metadata of the corresponding disk partition; refer to Figure 5 The default BitLocker cryptographic signature feature is the string "-FVE-FS-", and this step is to determine whether the header data contains the string "-FVE-FS-". If the header data contains a preset BitLocker encryption signature and the decrypted globally unique identifier matches the metadata of the corresponding disk partition, then the corresponding partition is determined to be the target BitLocker encrypted partition.

[0040] S700: Decrypt the target BitLocker encrypted partition using the decrypted BitLocker recovery key.

[0041] Specifically, the built-in decryption software reads the data from the target BitLocker encrypted partition. The decrypted BitLocker recovery key is then used to decrypt the target BitLocker encrypted partition. The decryption process is completed internally by the device and does not rely on Windows' built-in decryption functionality.

[0042] S800: Determine whether decrypting the target BitLocker encrypted partition using set K was successful; if successful, proceed to step S900. If unsuccessful, display an error message and end the process.

[0043] S900: Parse the file system of the decrypted target BitLocker encrypted partition and generate a file list.

[0044] Specifically, the device has a built-in file system parsing module that can recognize and parse common file systems (such as NTFS, FAT32, etc.).

[0045] The S1000 displays a file list through an interactive interface and responds to external commands to perform file export or file preview operations.

[0046] To verify the effectiveness of the present invention, the following example is used for illustration: 1.Reference Figure 6 Set up a Windows 10 operating system virtual machine and set the D drive to BitLocker encryption, which means the "New Volume (D:)" icon has a lock.

[0047] 2. Enable BitLocker's automatic decryption function. To enable it, go to Control Panel -> BitLocker Drive Encryption -> select the disk you want to enable -> Enable automatic decryption (this option will only appear after decryption has been completed).

[0048] 3. Restart your computer and verify that the encrypted partition has been decrypted.

[0049] 4. Load the virtual machine system disk image.

[0050] 5. At this point, by applying the method of this invention, the encrypted partition can be automatically decrypted without requiring a password, and the recovery effect is as follows (see reference). Figure 7 As can be seen, the file system of the target BitLocker encrypted partition, namely "Partition2[D]" (new volume (D:), has been obtained, a file list has been generated, and the file list is displayed through the interactive interface.

[0051] This invention utilizes an innovative offline automatic decryption method to recover data from encrypted partitions without requiring a password, significantly improving the usability and ease of use of BitLocker encryption technology in offline scenarios. This method has demonstrated superior performance and reliability in enterprise data recovery, forensic investigation, and personal data recovery applications.

[0052] refer to Figure 8 The present invention also provides an offline automatic decryption device for BitLocker encrypted partitions, comprising: System loading module 100 is configured to load and parse the file system of the system disk or system disk image; The DPAPI decryption data extraction module 200 is configured to extract the data required for offline DPAPI decryption based on file system analysis; the data required for offline DPAPI decryption includes at least the user master key file and the user security identifier. The cache data extraction module 300 is configured to obtain the registry based on the file system and extract the key cache data of the BitLocker encrypted partition stored in the registry; wherein, the key cache data is generated when the BitLocker automatic decryption function is enabled, and the key cache data includes a globally unique identifier for identifying the corresponding BitLocker encrypted partition and the encrypted BitLocker recovery key. The key decryption module 400 is configured to decrypt the required data based on offline DPAPI, decrypt the key cache data through offline DPAPI technology, and obtain the decrypted globally unique identifier and the decrypted BitLocker recovery key. The partition identification module 500 is configured to obtain the disk partition table based on the file system, read the disk partition table, and identify the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature. Specifically, the preset BitLocker cryptographic signature feature in the partition identification module 500 is the string -FVE-FS-.

[0053] The partition decryption and parsing module 600 is configured to decrypt the target BitLocker encrypted partition using the decrypted BitLocker recovery key, parse the file system of the decrypted target BitLocker encrypted partition, and generate a file list.

[0054] Furthermore, the device also includes: Front-end module 700 is configured to display a list of files through an interactive interface and respond to external commands to perform file export or file preview operations.

[0055] The following is for reference. Figure 9 It shows a schematic diagram of the structure of a computer system suitable for implementing an electronic device according to embodiments of the present invention. Figure 9 The electronic device shown is merely an example and should not be construed as limiting the functionality and scope of use of the embodiments of the present invention.

[0056] like Figure 9 As shown, the computer system includes a central processing unit (CPU) 901, which can perform various appropriate actions and processes based on programs stored in read-only memory (ROM) 902 or programs loaded from storage section 909 into random access memory (RAM) 903. RAM 903 also stores various programs and data required for the operation of system 900. CPU 901, ROM 902, and RAM 903 are interconnected via bus 904. Input / output (I / O) interface 905 is also connected to bus 904.

[0057] The following components are connected to I / O interface 905: an input section 906 including a keyboard, mouse, etc.; an output section 907 including a liquid crystal display (LCD) and speakers, etc.; a storage section 908 including a hard disk, etc.; and a communication section 909 including a network interface card such as a LAN card and a modem, etc. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to I / O interface 905 as needed. A removable medium 911, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on drive 910 as needed so that computer programs read from it can be installed into storage section 908 as needed.

[0058] In particular, according to embodiments of the present invention, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program carried on a computer-readable storage medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 909, and / or installed from removable medium 911. When the computer program is executed by central processing unit (CPU) 901, it performs the functions defined in the methods of the present invention. It should be noted that the computer-readable storage medium of the present invention can be a computer-readable signal medium or a computer-readable storage medium or any combination thereof. The computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can also be any computer-readable storage medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. Program code contained on a computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.

[0059] Computer program code for performing the operations of this invention can be written in one or more programming languages ​​or a combination thereof. Programming languages ​​include object-oriented programming languages—such as Java, Smalltalk, and C++—as well as conventional procedural programming languages—such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0060] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0061] The modules described in the embodiments of the present invention can be implemented in software or in hardware.

[0062] In another aspect, the present invention also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or it may exist independently and not assembled into the electronic device. The aforementioned computer-readable storage medium carries one or more programs that, when executed by the electronic device, cause the electronic device to perform the following: loading and parsing the file system of the system disk or system disk image; extracting data required for offline DPAPI decryption based on file system analysis; the data required for offline DPAPI decryption includes at least the user master key file and the user security identifier; obtaining the registry based on the file system and extracting the key cache data of the BitLocker encrypted partition stored in the registry; wherein the key cache data is generated when the BitLocker automatic decryption function is enabled, and the key cache data includes an encrypted globally unique identifier and an encrypted BitLocker recovery key used to identify the corresponding BitLocker encrypted partition; decrypting the key cache data using offline DPAPI technology based on the data required for offline DPAPI decryption to obtain the decrypted globally unique identifier and the decrypted BitLocker recovery key; obtaining the disk partition table based on the file system, reading the disk partition table, identifying the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encrypted signature features; decrypting the target BitLocker encrypted partition using the decrypted BitLocker recovery key, parsing the file system of the decrypted target BitLocker encrypted partition, and generating a file list.

[0063] The specific embodiments of the present invention have been described above, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

[0064] In the description of this invention, it should be understood that the terms "upper," "lower," "inner," "outer," etc., indicating orientation or positional relationships based on the orientation or positional relationships shown in the accompanying drawings, are only for the convenience of describing the invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of the invention. The word "comprising" does not exclude the presence of elements or steps not listed in the claims. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The simple fact that certain measures are recited in mutually different dependent claims does not indicate that combinations of these measures cannot be used for improvement. Any reference signs in the claims should not be construed as limiting the scope.

Claims

1. An offline automatic decryption method for BitLocker encrypted partitions, characterized in that, Includes the following steps: S1. Load and parse the file system of the system disk or system disk image; S2. Based on the file system analysis, extract the data required for offline DPAPI decryption; the data required for offline DPAPI decryption includes at least the user master key file and the user security identifier; S3. Obtain the registry based on the file system, and extract the key cache data of the BitLocker encrypted partition stored in the registry; wherein, the key cache data is generated when the BitLocker automatic decryption function is enabled, and the key cache data includes a globally unique encrypted identifier and an encrypted BitLocker recovery key used to identify the corresponding BitLocker encrypted partition. S4. Based on the data required for offline DPAPI decryption, decrypt the key cache data using offline DPAPI technology to obtain the decrypted globally unique identifier and the decrypted BitLocker recovery key; S5. Obtain the disk partition table based on the file system, read the disk partition table, and identify the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature. S6. Use the decrypted BitLocker recovery key to decrypt the target BitLocker encrypted partition, parse the file system of the decrypted target BitLocker encrypted partition, and generate a file list.

2. The method according to claim 1, characterized in that, Step S3, which involves extracting the key cache data of the BitLocker encrypted partition stored in the registry, specifically includes: Retrieve the registry path associated with BitLocker auto-decryption; Parse the sub-items under the path to obtain the key cache data.

3. The method according to claim 1, characterized in that, Step S5, which involves identifying the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature, specifically includes: Read the header data of each disk partition in the disk partition table; Determine whether the header data contains the preset BitLocker cryptographic signature feature; and verify whether the decrypted globally unique identifier matches the metadata of the corresponding disk partition; If it is determined that the header data contains the preset BitLocker encryption signature feature, and the decrypted globally unique identifier matches the metadata of the corresponding disk partition, then the corresponding partition is determined to be the target BitLocker encrypted partition.

4. The method according to claim 1, characterized in that, The preset BitLocker cryptographic signature feature mentioned in step S5 is the string -FVE-FS-.

5. The method according to claim 1, characterized in that, The method further includes: S7. Display the file list through the interactive interface, and respond to external commands to perform file export or file preview operations.

6. An offline automatic decryption device for BitLocker encrypted partitions, characterized in that, include: The system loading module is configured to load and parse the file system of the system disk or system disk image; The DPAPI decryption data extraction module is configured to extract the data required for offline DPAPI decryption based on the file system analysis. The data required for offline DPAPI decryption includes at least the user master key file and the user security identifier. The cache data extraction module is configured to obtain the registry based on the file system and extract the key cache data of the BitLocker encrypted partition stored in the registry; wherein, the key cache data is generated when the BitLocker automatic decryption function is enabled, and the key cache data includes an encrypted globally unique identifier and an encrypted BitLocker recovery key used to identify the corresponding BitLocker encrypted partition. The key decryption module is configured to decrypt the key cache data based on the data required for offline DPAPI decryption using offline DPAPI technology, and obtain the decrypted globally unique identifier and the decrypted BitLocker recovery key. The partition identification module is configured to obtain the disk partition table based on the file system, read the disk partition table, and identify the target BitLocker encrypted partition under the disk partition table based on the decrypted globally unique identifier and the preset BitLocker encryption signature feature. The partition decryption and parsing module is configured to decrypt the target BitLocker encrypted partition using the decrypted BitLocker recovery key, parse the file system of the decrypted target BitLocker encrypted partition, and generate a file list.

7. The apparatus according to claim 6, characterized in that, The preset BitLocker cryptographic signature feature in the partition identification module is the string -FVE-FS-.

8. The apparatus according to claim 6, characterized in that, The device further includes: The front-end module is configured to display the file list through an interactive interface and to perform file export or file preview operations in response to external commands.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the method as described in any one of claims 1 to 5.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the method as described in any one of claims 1 to 5.