Bitlocker password character encodings

Question

Bitlocker password character encodings

Mat Walker 96

A good friend's computer got hacked a while ago (https://support.google.com/mail/thread/97622912/daughter-being-held-to-ransom-ransomer-hiding-behind-a-gmail-address-what-to-do?hl=en) and I have been helping him out. We now have the password (no $$$ was paid I hasten to add) but it doesnt work. It may be false, but I dont think so.

The password we got is (and I dont mind publishing it at all!);
123Φxî◙╧▬╫¶╘≥N^&_%0135å>ô0á÷º•y#$%13#%$$φ1ùφ«]¯Σ√IÆD╡▀^@@╞1φ«.$ú¡Z↔╝↓ë@«4╓|I2æ

My thought is that somehow it has become corrupted between languages and/or character encodings. IE. If hacker was a non-english nationality, they may have used their own language characterset which has then been converted to UTF8/16 in the process. So, when I try it on my machine which is US English the Bitlocker password interpreter may be reading the password wrong.

Could this be a possibly? If so, how could I go about trying a fix?

EG. (And I'm not casting any dispersions here!). A Russian hacker hacks in and has a password he uses in Russian. He copy/pastes it into the Bitlocker set-password field and (by whatever means) forwards me the password. In sending it to me it becomes the set of characters we see above. When i try then, because the characters are now different, it fails.

Hope someone can help here as it is quite an emotional rollercoaster he has been on with this and I'd really like to be able to help the family.

2 answers

Your answer

Answer 1

MTG 1,246

How did you try to enter that password?
What is encrypted, the boot drive or a data drive?

Mat Walker 96 Reputation points

2022-03-13T00:49:04.98+00:00

@MTG

Copy/pasted into the Bitlocker unlock dialog.

It's all the drives EXCEPT the boot drive (total of 5 drives. It included his backups; hence the issue :-( )
MTG 1,246 Reputation points

2022-03-14T08:18:03.277+00:00

Ok, that idea of yours that languages/keyboard layouts matter is not what I think.
They would only matter, if you had the boot drive encrypted, since at the preboot authentication screen, the layout needs to be en-us and if your password holds a "y" for example, but your keyboard is of layout type "qwertz", you would need to enter a "z" instead.

BUT: this is only applicable to boot drives. In your situation, copy paste MUST work.
Please do the following:
Boot the machine, go to c:\windows\system32\cmd.exe and right-click it and select "run as administrator" ->a command prompt will appear.
There, launch
manage-bde -status d:
(or whatever drive letter this is about if it's not d:)
Then share the output.
Mat Walker 96 Reputation points

2022-03-14T21:12:50.733+00:00
Volume E: [Label Unknown]
[Data Volume]

Size: Unknown GB BitLocker Version: 2.0 Conversion Status: Unknown Percentage Encrypted: Unknown% Encryption Method: AES 128 Protection Status: Unknown Lock Status: Locked Identification Field: Unknown Automatic Unlock: Disabled Key Protectors: Password Numerical Password

The drive is not in it's original machine. He gave me this drive to work on as it is their main backup drive with the daughters work on they are so desperate to see.

One method I have been contemplating is this. All his 5 drives will have been encrypted using the same password. Assuming no salt has been used (I really know nothing about how bitlocker works - I'm assuming the password is used to 'unlock' a random token which is the actual encryption key) I'm wondering if there is a way of using a matrix to derive the password from the 5 encryptions....
MTG 1,246 Reputation points

2022-03-15T08:28:14.08+00:00

Nothing to derive, sorry..
If the ransomer still listens, ask for the numerical password (48 digits), which will work at all times. He will probably have that recovery password as well
Tell him the ID, which you may retrieve using the command
manage-bde -protectors -get e:
(ID is associated with the numerical password).

If he does not co-operate, please retry with this command (and make sure there are no blanks highlighted at the end of the password when you copy it):
manage-bde -unlock e: -pw
When it asks for the pw on the command line, just right-click into the command line to paste the password (it will not be displayed, but it's there).
Mat Walker 96 Reputation points

2022-03-16T08:59:10.94+00:00

Thanks @MTG - Unfortunately all contact with the ransomer was lost many months ago :-(

I'm going to carry on and try brute force using seeds from those known ones. The family has been through hell and back over this so don't mind spending a tonne of time on it.

Thanks again

Mat
MTG 1,246 Reputation points

2022-03-16T09:17:59.733+00:00

Matt, did you try with copy paste on the command line? Sometimes we copy something and copy a blank and that's all needed to make the whole thing fail.
And no, it does not depend on the language of the ransomer.

Answer 2

Limitless Technology 39,916

Hello @Mat Walker

What you're saying is definitely a possibility. However, if the nefarious entity who hacked into the system is giving you this password, it's also possible that it's false.

Assuming that your theory is correct, you will need to know the original language in order to interpret the password.

I suggest that you go back to the source in order to establish if this is the correct password.

I really hope you get this situation resolved.

--
--If the reply is helpful, please Upvote and Accept as answer--

Mat Walker 96 Reputation points

2022-03-15T22:10:41.3+00:00

Absolutely the password may be incorrect.

The identity and language of the hacker is unknown and appears to have gone silent so no contact.

Share via

Bitlocker password character encodings

2 answers

Your answer