Bitlocker-2 picoCTF 2025 Solution

Published: April 2, 2025

Description

Jacky improved the BitLocker password, but you captured RAM while the drive was unlocked. Sift through the memory dump to recover the plaintext flag without brute-forcing the disk.

Decompress the RAM dump (it expands to several GB on disk). If space is tight, stream it instead: zcat memdump.mem.gz | strings | grep -oE 'picoCTF\{[^}]+\}' | sort -u.

strings + grep finds the flag in seconds because the drive was mounted when the dump was captured: decrypted file contents are cached in several places (process memory, the kernel file-system cache, heap allocations), so the flag appears more than once and sort -u collapses the duplicates to a single line.

Optional: Volatility 3's windows.bitlocker can also dump the FVEK directly from memory if you want the disk key instead of the flag plaintext. Install it with pip install volatility3. If the vol command is not found or the image is not recognized, sanity-check with hexdump -C memdump.mem | head to confirm you have a real memory image rather than a still-compressed or truncated file.

```bash
gunzip memdump.mem.gz
ls -lh memdump.mem
strings memdump.mem | grep -oE 'picoCTF\{[^}]+\}' | sort -u
zcat memdump.mem.gz | strings | grep -oE 'picoCTF\{[^}]+\}' | sort -u   # streaming alternative
```
  1. Step 1: Scan the memory image
    Mounted-disk + RAM capture means decrypted file contents are sitting in physical memory. strings memdump.mem | grep -oE 'picoCTF\{[^}]+\}' | sort -u extracts every flag-shaped token and dedupes them. There's usually one true flag plus a couple of buffer-cache copies.

    Memory forensics exploits the fact that when an encrypted volume is mounted, the operating system keeps decrypted data in RAM. The encryption key itself, decrypted file contents, and recently accessed strings all reside in physical memory for as long as the system is running. A RAM dump captured while BitLocker is unlocked therefore contains the plaintext of whatever files were recently read - regardless of how strong the disk password is.

    This is the basis of the cold boot attack, a technique where an attacker physically cools RAM chips (slowing the decay of stored data), removes them from the running machine, and reads the contents in another system to extract encryption keys. Cold boot attacks have been demonstrated against BitLocker, FileVault, and LUKS. The defense is to power off machines completely before leaving them unattended in physically insecure environments.

    The strings tool works on memory dumps exactly as it does on executables - it scans raw bytes for printable sequences. Because RAM contains all running process memory, heap data, stack frames, and kernel buffers, it is a rich source of artifacts: passwords typed into terminals, browser history, decrypted file content, and cryptographic keys. This makes live memory acquisition a high priority in digital forensics.

  2. Step 2: Optional: use Volatility
    Volatility 3 understands kernel structures, so it can pull the FVEK (Full Volume Encryption Key) directly from RAM with vol -f memdump.mem windows.bitlocker. That key, passed to dislocker -k (its FVEK-file option), unlocks the disk image even if you never recover the user password.

    Volatility is the leading open-source memory forensics framework. Rather than treating a memory dump as a raw byte blob, Volatility understands Windows (and Linux/macOS) kernel structures and can reconstruct process lists, network connections, registry hives, loaded modules, and file artifacts from the dump. This structured approach is far more powerful than grep for complex investigations.

    Key Volatility plugins for BitLocker investigations include windows.bitlocker (extracts FVEK encryption keys directly from memory), windows.pslist (lists running processes), and windows.filescan (finds file objects cached in memory). Recovering the Full Volume Encryption Key (FVEK) from memory allows mounting the disk even without knowing the user password.

    Autopsy is a GUI-based digital forensics platform that integrates Volatility as a plugin. It provides timeline analysis, keyword search, hash lookup, and artifact extraction in a unified interface used by law enforcement and corporate incident responders worldwide. The combination of Autopsy for disk artifacts and Volatility for memory artifacts covers most digital forensics investigations. The Volatility 3 guide walks through the plugin catalog (pslist, filescan, hashdump, bitlocker) with real picoCTF artifacts.

Flag

picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_902...}

No password cracking is necessary because the RAM capture already contains the decrypted flag.
