Another Bitlocker Windows 10 Thread

18 Posts
9 Users
0 Likes
2,676 Views
(@loveboatcaptain83)
Posts: 13
Active Member
Topic starter
 

Hi All!

Long time reader first time poster here!

I'm currently attempting to recover data from a computer with Bitlocker and a Windows 10 password. We have the Bitlocker PIN but not the recovery key, recovery password or Windows logon password. This means we can unlock the laptop and boot Windows but can't get past the logon screen. So close but so far!!

I'm able to boot the laptop from an external HDD so I've been able to get an encrypted image of the HDD using Paladin. EnCase can decrypt it, but only with the recovery keys, not the actual user PIN.

Has anybody been in a similar situation and how did or didn't you get around it?

Thanks for any help you can give me!

Cx

 
Posted : 21/02/2019 3:40 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Usually a case for a DMA attack, if the owner did not set the respective precautions. Otherwise the thorny way via cold boot. If it is a SED and Bitlocker only managing, all attacks against the SED are open.

 
Posted : 21/02/2019 10:52 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Long time reader first time poster here!

A very warm welcome!

 
Posted : 22/02/2019 7:36 am
(@loveboatcaptain83)
Posts: 13
Active Member
Topic starter
 

Usually a case for a DMA attack, if the owner did not set the respective precautions. Otherwise the thorny way via cold boot. If it is a SED and Bitlocker only managing, all attacks against the SED are open.

Thanks a lot C.R.S, I did think of DMA but was under the impression that the user would have had to have logged on and then locked the computer for the password to be in memory? Would I be able to get the Bitlocker recovery keys this way, providing the Firewire ports are active?

Thanks Jamie, hopefully I can be of some use and help answer others' questions.

 
Posted : 22/02/2019 9:18 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Can't you just plug the drive into your examination computer (Running windows 10?) through a writeblocker then enter the PIN when prompted by Windows? This won't work if the drive is protected by a PIN in conjunction with the TPM but will otherwise…

 
Posted : 22/02/2019 10:55 am
(@loveboatcaptain83)
Posts: 13
Active Member
Topic starter
 

Hi AmNe5iA, thanks for your reply.

Unfortunately when I try this it asks for the recovery key rather than the PIN.

 
Posted : 22/02/2019 11:52 am
(@thefuf)
Posts: 262
Reputable Member
 

Hi AmNe5iA, thanks for your reply.

Unfortunately when I try this it asks for the recovery key rather than the PIN.

If a Trusted Platform Module (TPM) was used to seal a key, then it's impossible to decrypt the volume using any method tied to that TPM (usually, the only option left in this situation is a recovery key). If no TPM was used, try another decryption tool (e.g., dislocker).

Also, as a last resort, try to image the memory to capture the encryption key. Since the computer is locked and no login password is known, try to reboot into another operating system and then acquire a memory image (and hope that the memory isn't wiped during the reboot).

 
Posted : 22/02/2019 12:24 pm
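The post above turns on two facts an examiner often does not know in advance: whether the PIN is bound to a TPM, and whether a recovery password ever existed. The following PowerShell is an added example, not code from this thread or from any of the tools it names; it inventories the key protectors on each BitLocker volume using the built-in BitLocker module (`Get-BitLockerVolume`, `Backup-BitLockerKeyProtector`) and escrows recovery passwords to AD DS so that this situation does not arise on managed machines. It assumes it is run elevated on a domain-joined Windows host where AD key escrow is permitted.

```powershell
# Added example (not from the thread): inventory BitLocker key protectors
# per volume, flag TPM-bound protectors and missing recovery passwords,
# and escrow any recovery password to AD DS. Run elevated; escrow assumes
# a domain-joined host with AD DS BitLocker recovery backup permitted.
$tpmBound = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $usesTpm  = [bool]($types | Where-Object { $tpmBound -contains $_ })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # One summary row per volume: a TpmPin volume cannot be opened by PIN
    # on another machine, so the recovery password is the only fallback.
    [pscustomobject]@{
        Volume         = $vol.MountPoint
        Status         = $vol.VolumeStatus
        Protectors     = ($types -join ', ')
        TpmBound       = $usesTpm
        HasRecoveryPwd = ($recovery.Count -gt 0)
    }

    if ($recovery.Count -eq 0) {
        Write-Warning "$($vol.MountPoint): no recovery password protector; add one before it is needed"
        continue
    }

    # Escrow each recovery password protector to AD DS by its protector ID.
    foreach ($rp in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "Escrowed $($rp.KeyProtectorId) for $($vol.MountPoint) to AD DS"
        } catch {
            Write-Warning "Could not escrow $($rp.KeyProtectorId) for $($vol.MountPoint): $_"
        }
    }
}
```

The summary row's `Protectors` column answers the thread's first question directly: a `TpmPin` entry means the PIN only unseals the key through that machine's TPM, while `Password` means the volume can be unlocked by that secret on any host.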
(@loveboatcaptain83)
Posts: 13
Active Member
Topic starter
 

@thefuf Both great ideas! I'll give them a go and let you know.

 
Posted : 22/02/2019 2:20 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Thanks a lot C.R.S, I did think of DMA but was under the impression that the user would have had to have logged on and then locked the computer for the password to be in memory? Would I be able to get the Bitlocker recovery Keys this way providing the Firewire ports are active?

The Windows authentication can be patched to allow any password (there should be some free/open source tools out there, it became quite popular among researchers; maybe "Inception", if I remember correctly). You can't retrieve a recovery key or any other Bitlocker protector data directly from RAM (unless the protector data is intentionally loaded into memory, of course). What you would grab from RAM is the Full Volume Encryption Key, which you have to feed into your own implementation to decrypt the sector data, or you rely on the commercial solutions for this entire process (Passware, Elcomsoft).

 
Posted : 22/02/2019 6:33 pm
(@loveboatcaptain83)
Posts: 13
Active Member
Topic starter
 

That's a great idea, thanks! We'll give Inception or something similar a go and let you know how we get on.

We were also thinking of trying to brute force the Windows password via RDP based on a word list generated from the password hint. Not sure if anyone has any experience with this method or has any thoughts on whether it's likely to work or not? We're working on a clone of the drive obviously )

 
Posted : 25/02/2019 9:42 am