SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

FVE_DATUM_UNICODE

The FVE_DATUM_UNICODE structure (formally _FVE_DATUM_UNICODE) is a fixed-size header for a BitLocker datum that is specifically a null-terminated Unicode string.

Documentation Status

No documentation of the FVE_DATUM_UNICODE structure is known from Microsoft, but the name is Microsoft’s. It is known from public symbol files for FVEAPI.DLL.

Layout

The FVE_DATUM_UNICODE structure is just the eight bytes of the FVE_DATUM. The type at offset 0x04 is necessarily 2. As with most other headers for a BitLocker datum, the FVE_DATUM_UNICODE is followed immediately by the data segment. The null-terminated Unicode string is the whole of the data segment.

Use

This type of BitLocker datum is typically nested in another BitLocker datum to provide the latter with a name or label or other helpful description in more or less plain language. This purpose appears to be taken as understood, such that the role at offset 0x02 in the FVE_DATUM is left as zero.

One special case is known and is distinguished by a non-zero role. An FVE_DATUM_UNICODE may be nested in the datum for a stretch key (type 3) to name an algorithm to use for the stretching. For this the datum has role 0x0014. The only name that is yet known to be meaningful is PBKDF2_HMAC_SHA256.

This page was created on 31st May 2020 but was not published until 22nd June 2021.

Copyright © 2021. Geoff Chappell. All rights reserved. Conditions apply.