Extract a John the Ripper / hashcat hash from a BitLocker-encrypted drive image with bitlocker2john. For authorized recovery only.
bitlocker2john reads a BitLocker-encrypted volume (or a raw image of one) and extracts the hash needed to recover the user password or recovery password offline. BitLocker derives keys from the password with SHA-256 iterated many times and stores key-protector metadata in the volume. The tool locates the relevant key protector and emits a hash for cracking. It does not unlock or mount the drive. Use it only on drives you own or are authorized to recover.
Input:
bitlocker.img (volume image)
Output:
$bitlocker$0$16$<salt>$1048576$12$<...>
Can it crack the 48-digit recovery key?
It can target the recovery-password protector, but the 48-digit recovery key has enormous entropy and is effectively impossible to brute force - cracking is realistic only against user-chosen passwords.
Do I need the whole drive?
You need the BitLocker metadata region; tools typically work from a full volume image to locate the key protectors reliably.
Which hashcat mode is used?
BitLocker uses hashcat mode 22100.
This tool extracts password hashes from BitLocker drives to facilitate password recovery and auditing.
Supported Tools: