Geoff Chappell - Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
The FVE_DATUM_UNICODE structure (formally _FVE_DATUM_UNICODE) is a fixed-size header for a BitLocker datum that is specifically a null-terminated Unicode string.
No documentation of the FVE_DATUM_UNICODE structure is known from Microsoft, but the name is Microsoft’s. It is known from public symbol files for FVEAPI.DLL.
The FVE_DATUM_UNICODE structure is just the eight bytes of the FVE_DATUM. The type at offset 0x04 is necessarily 2. As with most other headers for a BitLocker datum, the FVE_DATUM_UNICODE is followed immediately by the data segment. The null-terminated Unicode string is the whole of the data segment.
This type of BitLocker datum is typically nested in another BitLocker datum to provide the latter with a name or label or other helpful description in more or less plain language. This purpose appears to be taken as understood, such that the role at offset 0x02 in the FVE_DATUM is left as zero.
One special case is known and is distinguished by a non-zero role. An FVE_DATUM_UNICODE may be nested in the datum for a stretch key (type 3) to name an algorithm to use for the stretching. For this the datum has role 0x0014. The only name that is yet known to be meaningful is PBKDF2_HMAC_SHA256.
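The layout described above can be checked mechanically when examining BitLocker metadata. The following parser is an added example, not code from Microsoft or from this site; it assumes four 16-bit little-endian header fields with the total datum size (header plus data) at offset 0x00, takes "Unicode" to mean UTF-16LE, and uses hypothetical function names.

```python
import struct

HEADER_SIZE = 8                  # FVE_DATUM header length, per the page
TYPE_UNICODE = 2                 # type at offset 0x04, per the page
ROLE_STRETCH_ALGORITHM = 0x0014  # role at offset 0x02 in the special case

def build_unicode_datum(text, role=0):
    """Build a constructed sample datum for exercising the parser."""
    data = (text + "\0").encode("utf-16-le")
    # Assumption: offset 0x00 is the total size; offset 0x06 is left as zero
    # because the page does not describe it.
    return struct.pack("<HHHH", HEADER_SIZE + len(data), role, TYPE_UNICODE, 0) + data

def parse_unicode_datum(buf):
    """Return (role, string) or raise ValueError on a malformed datum."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("shorter than the 8-byte header")
    size, role, dtype, _unknown = struct.unpack_from("<HHHH", buf, 0)
    if dtype != TYPE_UNICODE:
        raise ValueError("type is %d, not 2" % dtype)
    if size < HEADER_SIZE or size > len(buf):
        raise ValueError("size field does not fit the buffer")
    data = buf[HEADER_SIZE:size]
    if len(data) < 2 or len(data) % 2:
        raise ValueError("data segment is not whole UTF-16 code units")
    if data[-2:] != b"\0\0":
        raise ValueError("string is not null-terminated")
    text = data[:-2].decode("utf-16-le")  # UnicodeDecodeError is a ValueError
    if "\0" in text:
        raise ValueError("null before the end of the data segment")
    return role, text

def stretch_algorithm(buf):
    """Return the named stretch algorithm, or None for an ordinary label."""
    role, text = parse_unicode_datum(buf)
    return text if role == ROLE_STRETCH_ALGORITHM else None

if __name__ == "__main__":
    sample = build_unicode_datum("PBKDF2_HMAC_SHA256", ROLE_STRETCH_ALGORITHM)
    print(parse_unicode_datum(sample), stretch_algorithm(sample))
```

The parser rejects a datum whose string ends before the data segment does, since the page states that the string is the whole of the data segment.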