1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
|
/*
** The Sleuth Kit
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2024 Sleuth Kit Labs, LLC. All Rights reserved
** Copyright (c) 2010-2021 Brian Carrier. All Rights reserved
**
** This software is distributed under the Common Public License 1.0
*/
#ifdef HAVE_LIBMBEDTLS
#include "DataTypes.h"
/**
* Convert entry type value to enum.
*
* @param val The entry type as an integer
*
* @return Enum associated with the value. Returns BITLOCKER_METADATA_ENTRY_TYPE::UNKNOWN if unknown or invalid.
*/
BITLOCKER_METADATA_ENTRY_TYPE getMetadataEntryTypeEnum(uint16_t val) {
switch (val) {
case 0:
return BITLOCKER_METADATA_ENTRY_TYPE::PROPERTY;
case 2:
return BITLOCKER_METADATA_ENTRY_TYPE::VOLUME_MASTER_KEY;
case 3:
return BITLOCKER_METADATA_ENTRY_TYPE::FULL_VOLUME_ENCRYPTION_KEY;
case 4:
return BITLOCKER_METADATA_ENTRY_TYPE::VALIDATION;
case 6:
return BITLOCKER_METADATA_ENTRY_TYPE::STARTUP_KEY;
case 7:
return BITLOCKER_METADATA_ENTRY_TYPE::DESCRIPTION;
case 0xf:
return BITLOCKER_METADATA_ENTRY_TYPE::VOLUME_HEADER_BLOCK;
default:
return BITLOCKER_METADATA_ENTRY_TYPE::UNKNOWN;
}
}
/**
* Converts entry type enum to printable string.
*
* @param type Entry type
*
* @returns Entry type as a string
*/
string convertMetadataEntryTypeToString(BITLOCKER_METADATA_ENTRY_TYPE type) {
switch (type) {
case BITLOCKER_METADATA_ENTRY_TYPE::PROPERTY:
return "Property";
case BITLOCKER_METADATA_ENTRY_TYPE::VOLUME_MASTER_KEY:
return "Volume Master Key";
case BITLOCKER_METADATA_ENTRY_TYPE::FULL_VOLUME_ENCRYPTION_KEY:
return "Full Volume Encryption Key";
case BITLOCKER_METADATA_ENTRY_TYPE::VALIDATION:
return "Validation";
case BITLOCKER_METADATA_ENTRY_TYPE::STARTUP_KEY:
return "Startup Key";
case BITLOCKER_METADATA_ENTRY_TYPE::DESCRIPTION:
return "Description";
case BITLOCKER_METADATA_ENTRY_TYPE::VOLUME_HEADER_BLOCK:
return "Volume Header Block";
case BITLOCKER_METADATA_ENTRY_TYPE::UNKNOWN:
default:
return "Unknown";
}
}
/**
* Convert value type value to enum.
*
* @param val The value type as an integer
*
* @return Enum associated with the value. Returns BITLOCKER_METADATA_VALUE_TYPE::UNKNOWN if invalid.
*/
BITLOCKER_METADATA_VALUE_TYPE getMetadataValueTypeEnum(uint16_t val) {
switch (val) {
case 0:
return BITLOCKER_METADATA_VALUE_TYPE::ERASED;
case 1:
return BITLOCKER_METADATA_VALUE_TYPE::KEY;
case 2:
return BITLOCKER_METADATA_VALUE_TYPE::UNICODE_STRING;
case 3:
return BITLOCKER_METADATA_VALUE_TYPE::STRETCH_KEY;
case 4:
return BITLOCKER_METADATA_VALUE_TYPE::USE_KEY;
case 5:
return BITLOCKER_METADATA_VALUE_TYPE::AES_CCM_ENCRYPTED_KEY;
case 6:
return BITLOCKER_METADATA_VALUE_TYPE::TPM_ENCODED_KEY;
case 7:
return BITLOCKER_METADATA_VALUE_TYPE::VALIDATION;
case 8:
return BITLOCKER_METADATA_VALUE_TYPE::VOLUME_MASTER_KEY;
case 9:
return BITLOCKER_METADATA_VALUE_TYPE::EXTERNAL_KEY;
case 0xa:
return BITLOCKER_METADATA_VALUE_TYPE::UPDATE;
case 0xb:
return BITLOCKER_METADATA_VALUE_TYPE::ERROR_VAL;
case 0xf:
return BITLOCKER_METADATA_VALUE_TYPE::OFFSET_AND_SIZE;
default:
return BITLOCKER_METADATA_VALUE_TYPE::UNKNOWN;
}
}
/**
* Converts value type enum to printable string.
*
* @param type Value type
*
* @returns Value type as a string
*/
string convertMetadataValueTypeToString(BITLOCKER_METADATA_VALUE_TYPE type) {
switch (type) {
case BITLOCKER_METADATA_VALUE_TYPE::ERASED:
return "Erased";
case BITLOCKER_METADATA_VALUE_TYPE::KEY:
return "Key";
case BITLOCKER_METADATA_VALUE_TYPE::UNICODE_STRING:
return "Unicode String";
case BITLOCKER_METADATA_VALUE_TYPE::STRETCH_KEY:
return "Stretch Key";
case BITLOCKER_METADATA_VALUE_TYPE::USE_KEY:
return "Use Key";
case BITLOCKER_METADATA_VALUE_TYPE::AES_CCM_ENCRYPTED_KEY:
return "AES-CCM Encrypted Key";
case BITLOCKER_METADATA_VALUE_TYPE::TPM_ENCODED_KEY:
return "TPM Encoded Key";
case BITLOCKER_METADATA_VALUE_TYPE::VALIDATION:
return "Validation";
case BITLOCKER_METADATA_VALUE_TYPE::VOLUME_MASTER_KEY:
return "Volume Master Key";
case BITLOCKER_METADATA_VALUE_TYPE::EXTERNAL_KEY:
return "External Key";
case BITLOCKER_METADATA_VALUE_TYPE::UPDATE:
return "Update";
case BITLOCKER_METADATA_VALUE_TYPE::ERROR_VAL:
return "Error";
case BITLOCKER_METADATA_VALUE_TYPE::OFFSET_AND_SIZE:
return "Offset and Size";
case BITLOCKER_METADATA_VALUE_TYPE::UNKNOWN:
default:
return "Unknown";
}
}
/**
* Convert key protection type value to enum.
*
* @param val The protection type as an integer
*
* @return Enum associated with the value. Returns BITLOCKER_KEY_PROTECTION_TYPE::UNKNOWN if invalid.
*/
BITLOCKER_KEY_PROTECTION_TYPE getKeyProtectionTypeEnum(uint16_t val) {
switch (val) {
case 0x0000:
return BITLOCKER_KEY_PROTECTION_TYPE::CLEAR_KEY;
case 0x0100:
return BITLOCKER_KEY_PROTECTION_TYPE::TPM;
case 0x0200:
return BITLOCKER_KEY_PROTECTION_TYPE::STARTUP_KEY;
case 0x0500:
return BITLOCKER_KEY_PROTECTION_TYPE::TPM_AND_PIN;
case 0x0800:
return BITLOCKER_KEY_PROTECTION_TYPE::RECOVERY_PASSWORD;
case 0x2000:
return BITLOCKER_KEY_PROTECTION_TYPE::PASSWORD;
default:
return BITLOCKER_KEY_PROTECTION_TYPE::UNKNOWN;
}
}
/**
* Converts key protection type enum to printable string.
*
* @param type Protection type
*
* @returns Protection type as a string
*/
string convertKeyProtectionTypeToString(BITLOCKER_KEY_PROTECTION_TYPE type) {
switch (type) {
case BITLOCKER_KEY_PROTECTION_TYPE::CLEAR_KEY:
return "clear key";
case BITLOCKER_KEY_PROTECTION_TYPE::TPM:
return "TPM";
case BITLOCKER_KEY_PROTECTION_TYPE::STARTUP_KEY:
return "startup key";
case BITLOCKER_KEY_PROTECTION_TYPE::TPM_AND_PIN:
return "TPM and PIN";
case BITLOCKER_KEY_PROTECTION_TYPE::RECOVERY_PASSWORD:
return "recovery password";
case BITLOCKER_KEY_PROTECTION_TYPE::PASSWORD:
return "password";
case BITLOCKER_KEY_PROTECTION_TYPE::UNKNOWN:
default:
return "unknown key protection type";
}
}
/**
* Convert encryption type value to enum.
*
* @param val The encryption type as an integer
*
* @return Enum associated with the value. Returns BITLOCKER_ENCRYPTION_TYPE::UNKNOWN if invalid.
*/
BITLOCKER_ENCRYPTION_TYPE getEncryptionTypeEnum(uint16_t val) {
switch (val) {
case 0x1000:
return BITLOCKER_ENCRYPTION_TYPE::STRETCH_KEY;
case 0x2000:
case 0x2001:
case 0x2004:
return BITLOCKER_ENCRYPTION_TYPE::AES_CCM_256;
case 0x2002:
return BITLOCKER_ENCRYPTION_TYPE::EXTERN_KEY;
case 0x2003:
return BITLOCKER_ENCRYPTION_TYPE::VMK;
case 0x2005:
return BITLOCKER_ENCRYPTION_TYPE::HASH_256;
case 0x8000:
return BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128_DIFF;
case 0x8001:
return BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256_DIFF;
case 0x8002:
return BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128;
case 0x8003:
return BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256;
case 0x8004:
return BITLOCKER_ENCRYPTION_TYPE::AES_XTS_128;
case 0x8005:
return BITLOCKER_ENCRYPTION_TYPE::AES_XTS_256;
default:
return BITLOCKER_ENCRYPTION_TYPE::UNKNOWN;
}
}
/**
* Converts encryption type enum to printable string.
*
* @param type Encryption type
*
* @returns Encryption type as a string
*/
string convertEncryptionTypeToString(BITLOCKER_ENCRYPTION_TYPE type) {
switch (type) {
case BITLOCKER_ENCRYPTION_TYPE::STRETCH_KEY:
return "Stretch Key";
case BITLOCKER_ENCRYPTION_TYPE::AES_CCM_256:
return "AES-CCM 256";
case BITLOCKER_ENCRYPTION_TYPE::EXTERN_KEY:
return "Extern Key";
case BITLOCKER_ENCRYPTION_TYPE::VMK:
return "VMK";
case BITLOCKER_ENCRYPTION_TYPE::HASH_256:
return "Hash 256";
case BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128_DIFF:
return "AES CBC 128-bit with diffuser";
case BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256_DIFF:
return "AES CBC 256-bit with diffuser";
case BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128:
return "AES CBC 128-bit";
case BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256:
return "AES CBC 256-bit";
case BITLOCKER_ENCRYPTION_TYPE::AES_XTS_128:
return "AES-XTS 128-bit";
case BITLOCKER_ENCRYPTION_TYPE::AES_XTS_256:
return "AES-XTS 256-bit";
default:
return "Unknown Encryption Type";
}
}
/**
* Check if the encryption type is AES-CBC
*
* @param type Encryption type
*
* @return true if the encryption type is AES-CBC, false otherwise
*/
bool isAESCBC(BITLOCKER_ENCRYPTION_TYPE type) {
return (type == BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128_DIFF
|| type == BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256_DIFF
|| type == BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128
|| type == BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256);
}
/**
* Check if the encryption type is AES-XTS
*
* @param type Encryption type
*
* @return true if the encryption type is AES-XTS, false otherwise
*/
bool isAESXTS(BITLOCKER_ENCRYPTION_TYPE type) {
return (type == BITLOCKER_ENCRYPTION_TYPE::AES_XTS_128
|| type == BITLOCKER_ENCRYPTION_TYPE::AES_XTS_256);
}
/**
* Check if the encryption type uses the diffuser
*
* @param type Encryption type
*
* @return true if the encryption type uses the diffuser, false otherwise
*/
bool usesDiffuser(BITLOCKER_ENCRYPTION_TYPE type) {
return (type == BITLOCKER_ENCRYPTION_TYPE::AES_CBC_128_DIFF
|| type == BITLOCKER_ENCRYPTION_TYPE::AES_CBC_256_DIFF);
}
#endif
|
