Incorporate Changes from CFSPITkey Fork
Summary
This issue tracks the incorporation of improvements and changes made in the CFSPITkey fork (https://github.com/controlf/CFSPITkey) back into the original SPITkey project. The fork has implemented enhancements and bug fixes.
Proposed Changes
Incorporate the following changes into the SPITkey code.
Version 1.2.0 (2025-11-25)
- Output directory argument - Added `-o path/to/output/dir` flag for specifying output location
- Log file writing - Capability to write log messages to file for better debugging and record-keeping
Version 1.1.1 (2025-10-29)
Critical Bug Fixes:
- Fixed `get_enc_fvek` false positive bug - Previously matched "Datum entry type: 3" too broadly, causing false positives with "Datum entry type: 30" and resulting in missing nonce errors
  - Added context validation to ensure "ENTRY TYPE FVEK" appears near "Datum entry type: 3"
  - Prevents false matches and raises clear errors when no valid FVEK section is found
  - fixed in Commit 3e241c2
- Fixed `get_enc_payload` UnboundLocalError - Occurred when nonce/MAC/payload were not found due to log spacing or structure inconsistencies
  - Added default values for `nonce`, `mac`, and `payload` to prevent unbound errors
  - Extended scan range from 17 to 50 lines to accommodate spaced-out logs
  - Skips early "Header safe" lines until all components are found
  - Raises clear error if structure is incomplete
  - fixed in Commit 483d4e3
Enhanced Error Handling:
- [ ] MAC verification - Added MAC check in `decrypt` function
  - Cleanly handles incorrect or corrupted VMK input
  - Replaces Python traceback with user-friendly error: "ERROR. MAC check failed. Are you sure you have the correct VMK?"
  - fixed in Commit a93770d
Version 1.0.0 (2025-08-22)
- VMK input format flexibility - Enhanced to accept both plaintext and binary VMK formats:
  - Plaintext string from `.txt` file
  - Binary data from `.dat` file (e.g., `VMK.dat` from BitPixie)
- Incomplete encryption detection - Added granular error checking for incomplete BitLocker partitions
  - Detects when BitLocker encryption hasn't completed by checking for missing metadata in `dislocker.log`
  - Specifically flags missing `[EOW_INFORMATION_OFFSET_GUID]` entries
  - Prevents invalid recovery-key decryption attempts
Priority
The bug fixes in version 1.1.1 should be considered high priority as they address issues that cause the tool to fail or produce incorrect results in certain scenarios.
References
- CFSPITkey Repository: https://github.com/controlf/CFSPITkey
- CFSPITkey CHANGELOG: https://github.com/controlf/CFSPITkey/blob/main/CHANGELOG.md
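
The `get_enc_fvek` false positive described under Version 1.1.1, as an added illustration that is not code from SPITkey or CFSPITkey: a substring match on "Datum entry type: 3" also hits "Datum entry type: 30", while an exact match plus a nearby "ENTRY TYPE FVEK" check does not. The function names, the 5-line context window and the sample log lines are assumptions made for this example.

```python
import re

# Exact match: the "3" must not be followed by another digit (rejects "30").
ENTRY_TYPE_3 = re.compile(r"Datum entry type: 3(?!\d)")
CONTEXT_WINDOW = 5  # assumed value for "near"; the issue does not state one


def find_fvek_naive(lines):
    """Substring match, the overly broad behaviour the issue describes."""
    for i, line in enumerate(lines):
        if "Datum entry type: 3" in line:
            return i
    raise ValueError("no FVEK section found")


def find_fvek_strict(lines, window=CONTEXT_WINDOW):
    """Exact entry type 3 with an 'ENTRY TYPE FVEK' label within `window` lines."""
    for i, line in enumerate(lines):
        if not ENTRY_TYPE_3.search(line):
            continue
        nearby = lines[max(0, i - window): i + window + 1]
        if any("ENTRY TYPE FVEK" in n for n in nearby):
            return i
    # Fail loudly instead of letting later parsing hit a missing nonce.
    raise ValueError("no valid FVEK section found in log")


# Constructed sample lines, not real dislocker output.
SAMPLE_LOG = [
    "[DEBUG] Datum entry type: 30",
    "[DEBUG]     ENTRY TYPE UNKNOWN",
    "[DEBUG] Datum value type: 1",
    "[DEBUG] Datum entry type: 3",
    "[DEBUG]     ENTRY TYPE FVEK",
    "[DEBUG] Datum value type: 5",
]

if __name__ == "__main__":
    print("naive match at line index:", find_fvek_naive(SAMPLE_LOG))
    print("strict match at line index:", find_fvek_strict(SAMPLE_LOG))
```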