Full Report
Author: Guus Beckers
Source post: Decrypting Full Disk Encryption with Dissect
Back in 2022 Fox-IT decided to open source its proprietary incident response tooling, known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with incident response engagements of any …
Analysis Summary
# Tool/Technique: Dissect Framework (Version 3.17+)
## Overview
Dissect is a formerly proprietary incident response framework developed by Fox-IT and released as open source. It is designed to support incident response engagements of any scale by allowing analysts to extract artifacts from a wide range of data formats and export them into a format of their choosing. The focus of this update (v3.17) is the added capability to decrypt full disk encryption (FDE) volumes, specifically Microsoft BitLocker and Linux Unified Key Setup (LUKS).
## Technical Details
- Type: Tool (Incident Response Framework)
- Platform: Multi-platform (Used on analysis workstations, but targets Windows, Linux disk images/acquisitions)
- Capabilities: Artifact extraction, format conversion, parsing of various data containers (e.g., `.vmwarevm`), and decryption of FDE volumes (BitLocker, LUKS).
- First Seen: The framework was open-sourced in 2022; FDE decryption capabilities were added in version 3.17 (circa December 2024).
## MITRE ATT&CK Mapping
Dissect itself is an analysis tool and does not map directly to an adversary technique. Its ability to read encrypted volumes does, however, relate to techniques concerned with **recovering data that access controls or encryption would otherwise protect**.
- **T1003 - OS Credential Dumping** (While indirect, the goal is accessing system data often protected by encryption)
- **T1003.001 - LSASS Memory** (Relevant if memory dumping is combined with decryption to retrieve secrets)
- **T1530 - Data from Local System** (The successful use of Dissect allows investigators to extract localized data)
## Functionality
### Core Capabilities
- **Artifact Extraction:** Extracts forensic artifacts from diverse data formats.
- **Format Conversion:** Exports extracted data into user-specified formats.
- **Virtual Machine Parsing:** Can parse VM formats like VMware's `.vmwarevm`.
- **FDE Decryption:** Supports decryption of BitLocker and LUKS volumes using user passphrases, recovery keys, or key files.
- **Interactive Shell (`target-shell`):** Allows browsing of the decrypted filesystem structure.
### Advanced Features
- **BitLocker Decryption:** Accepts decryption credentials via plain argument (`-Kv`), keychain CSV files (`-K keychain.csv`), or BitLocker files.
- **LUKS Decryption:** Accepts decryption credentials (passphrases) via argument.
- **`fve-dd` Utility:** A component within Dissect used to decrypt an entire disk image (e.g., VMDK files) offline, outputting a raw decrypted image (`.dd`). This allows external tools to analyze the decrypted data.
- **Volume Information Retrieval (`target-info`):** Provides system details (OS version, IP addresses, time zones) post-decryption.
## Indicators of Compromise
As Dissect is an investigative/defensive tool, the direct IoCs are related to its usage during an investigation, not malware.
- File Hashes: N/A (Tool, not malware)
- File Names: `fve-dd` (Utility executable/command)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Execution of `target-info`, `target-shell`, or `fve-dd` against disk images (e.g., `.vmwarevm`, `.vmdk`) using provided decryption keys/passphrases.
## Associated Threat Actors
Dissect is used by forensic investigators and security teams, not known threat actors.
## Detection Methods
Detection focuses on the execution of the Dissect tools; such executions may indicate legitimate forensic analysis, but on an unmanaged host they may also indicate unauthorized data access or preparation for exfiltration.
- Signature-based detection: Look for file hashes or strings related to the Dissect binaries.
- Behavioral detection: Monitoring processes utilizing arguments related to FDE decryption (e.g., `-Kv`, `-K keychain.csv`) against forensic images.
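The behavioral rule above can be expressed as a small log scanner. The following is an added example, not code from the Dissect project or the original post: it parses constructed process-creation events in an invented `key=value` format (adapt `parse_event` to your EDR or auditd export) and flags invocations of `target-info`, `target-shell` or `fve-dd` that pass decryption material via `-K`/`-Kv` or that operate on disk images (`.vmdk`, `.vmwarevm`, `.dd`). The sample events and host/user names are constructed; the tool names and flags come from the summary.

```python
"""Flag Dissect FDE-decryption tool usage in process-creation logs.

Constructed example: the log format and sample lines are invented for
illustration; adapt parse_event() to your own EDR/auditd/Sysmon export.
"""
import os
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Tool names and flags as listed in the summary above.
DISSECT_FDE_TOOLS = {"target-info", "target-shell", "fve-dd"}
KEY_FLAGS = {"-K": "keychain_file", "-Kv": "keychain_value"}
IMAGE_SUFFIXES = (".vmdk", ".vmwarevm", ".dd")

# Constructed sample events (invented host/user/path values).
SAMPLE_EVENTS = [
    'host=ws01 user=analyst cmd="target-info -K keychain.csv /cases/42/disk.vmdk"',
    'host=ws01 user=analyst cmd="target-shell -Kv \'correct horse battery\' /cases/42/vm.vmwarevm"',
    'host=ws02 user=svc cmd="fve-dd /srv/images/laptop.vmdk /tmp/out.dd"',
    'host=ws03 user=dev cmd="target-info /cases/clean.vmdk"',
    'host=ws03 user=dev cmd="grep -K foo bar.txt"',
]


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    key_source: Optional[str]  # which key flag was used, if any (never the secret itself)
    image: Optional[str]       # first disk-image path seen on the command line, if any


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' event; the cmd field holds the full command line."""
    event = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def inspect_command(cmd: str):
    """Return (tool, key_source, image) for a command line, or None if it is not a Dissect FDE tool."""
    argv = shlex.split(cmd)
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool not in DISSECT_FDE_TOOLS:
        return None
    key_source = None
    image = None
    skip_next = False
    for token in argv[1:]:
        if skip_next:
            # The token after -K is a keychain path and after -Kv the secret itself;
            # deliberately do not record it so passphrases never land in alerts.
            skip_next = False
            continue
        if token in KEY_FLAGS:
            key_source = KEY_FLAGS[token]
            skip_next = True
        elif image is None and token.lower().endswith(IMAGE_SUFFIXES):
            image = token
    return tool, key_source, image


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every event that matches the behavioral rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        result = inspect_command(event.get("cmd", ""))
        if result is None:
            continue
        tool, key_source, image = result
        # fve-dd exists only to decrypt images, so it is always reported; the
        # target-* tools are reported only when decryption material was supplied.
        if tool == "fve-dd" or key_source is not None:
            findings.append(Finding(event.get("host", "?"), event.get("user", "?"),
                                    tool, key_source, image))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports three of the five constructed events: the keychain-file and keychain-value invocations against images, and the `fve-dd` run. The plain `target-info` call without key material and the unrelated `grep -K` are ignored. The scanner records only the kind of key flag, not its argument, so a passphrase passed with `-Kv` is never copied into the alert store.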
## Mitigation Strategies
Mitigation relates to protecting the underlying data (FDE configuration) and monitoring tool usage.
- **Prevention Measures:** Ensure strong, complex BitLocker/LUKS passphrases and secure storage of recovery keys separate from the system metadata.
- **Hardening Recommendations:** Monitor endpoints for the execution of unmanaged forensic tools like Dissect, especially those interacting directly with disk image files while being supplied with authentication material.
## Related Tools/Techniques
- Other open-source forensic frameworks capable of artifact parsing (e.g., Plaso).
- Tools specifically designed for FDE decryption analysis (e.g., Rekall, Volatility components, specialized BitLocker analysis suites).