Full Report: Decrypting Full Disk Encryption with Dissect
Author: Guus Beckers

Back in 2022 Fox-IT decided to open source its proprietary incident response tooling, known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with incident response engagements of any …
Analysis Summary
# Tool/Technique: Dissect Framework (v3.17 Update)
## Overview
Dissect is an open-source incident response framework developed by Fox-IT. It is designed to facilitate large-scale incident response engagements by allowing analysts to extract artifacts from a wide variety of data formats, disk images, and containers. The version 3.17 update specifically introduces the capability to decrypt and analyze disks protected by Full Disk Encryption (FDE).
## Technical Details
- **Type:** Incident Response / Forensic Tool
- **Platform:** Windows (BitLocker), Linux (LUKS), VMware containers (`.vmwarevm`), and various disk image formats.
- **Capabilities:** Artifact extraction, filesystem parsing, decryption of FDE volumes, and disk image conversion.
- **First Seen:** Open-sourced in 2022 (FDE decryption features added December 2024).
## MITRE ATT&CK Mapping
*Note: This is a defensive/forensic tool. While it maps to these categories, it is used by defenders to investigate these activities.*
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery] (used by analysts to browse decrypted filesystems)
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System] (extraction of files from acquired images)
## Functionality
### Core Capabilities
- **Artifact Extraction:** Rapidly pulls forensic artifacts from various operating systems and file formats.
- **BitLocker Decryption:** Supports unlocking Microsoft BitLocker volumes using recovery keys, user passphrases, or BitLocker key files.
- **LUKS Decryption:** Supports unlocking Linux Unified Key Setup (LUKS) partitions using passphrases.
- **Multi-Format Support:** Can parse complex containers (like VMware `.vmwarevm` or fragmented `.vmdk` files) without manual reassembly.
### Advanced Features
- **Keychain Integration:** Use of CSV-based keychains to batch-provide credentials for encrypted volumes across multiple targets.
- **`fve-dd` Utility:** A dedicated tool within the framework that decrypts an entire encrypted volume and outputs it as a raw `.dd` image, enabling the use of third-party forensic tools on the decrypted data.
- **Virtual Shell:** `target-shell` provides a command-line interface to interact with the decrypted filesystem of a target image without mounting it to the host OS.
## Indicators of Compromise
*Not applicable: Dissect is a forensic tool, not malware. Typical usage signatures are listed for completeness:*
- **File Names:** `target-info`, `target-shell`, `fve-dd` (Dissect command-line entry points).
- **Behavioral Indicators:** High disk I/O while a volume is being decrypted, particularly during `fve-dd` runs that write out a full raw image.
## Associated Threat Actors
- **Users:** Digital Forensics and Incident Response (DFIR) teams, security researchers, and system administrators.
- **Note:** While designed for defenders, any forensic tool can be utilized by sophisticated threat actors for offline data exfiltration from stolen disk images.
## Detection Methods
- **Process Monitoring:** Monitor for execution of Dissect command-line tools (`target-info`, `target-shell`, `fve-dd`) on hosts where forensic tooling is not expected.
- **Signature-based:** Detection of the installed Dissect Python libraries, in particular the `dissect.target` module.
## Mitigation Strategies
- **Key Management:** Store BitLocker recovery keys and LUKS passphrases in secure, centralized vaults (e.g., Active Directory, a key management system) so that only authorized personnel can unlock volumes for forensic work.
- **Access Control:** Limit access to raw disk images and VMDK files to authorized forensic personnel only; a decrypted image produced by `fve-dd` is as sensitive as the original plaintext disk and must be stored and handled accordingly.
## Related Tools/Techniques
- **Plaso/log2timeline:** Similar artifact extraction capabilities.
- **Volatility:** Memory forensics (often used alongside Dissect).
- **Libguestfs:** Tools for accessing and modifying virtual machine disk images.
- **Hashcat/John the Ripper:** Often used in conjunction with forensics if passphrases for volumes are unknown.