Another Bitlocker Windows 10 Thread

  

Chump
Member
 

Another Bitlocker Windows 10 Thread

Post Posted: Feb 21, 19 09:40

Hi All!

Long-time reader, first-time poster here!

I'm currently attempting to recover data from a computer with BitLocker and a Windows 10 password. We have the BitLocker PIN but not the recovery key, recovery password or Windows logon password. This means we can unlock the laptop and boot Windows but can't get past the logon screen. So close but so far!!

I'm able to boot the laptop from an external HDD, so I've been able to get an encrypted image of the HDD using Paladin. EnCase can decrypt it, but only with the recovery keys and not the actual user PIN.

Has anybody been in a similar situation and how did or didn't you get around it?

Thanks for any help you can give me!

Cx  
 
  

C.R.S.
Senior Member
 

Re: Another Bitlocker Windows 10 Thread

Post Posted: Feb 21, 19 16:52

Usually a case for a DMA attack, if the owner did not set the respective precautions. Otherwise the thorny way via cold boot. If it is a SED and BitLocker is only managing it, all attacks against the SED are open.  
 
  

jamie
Site Admin
 

Re: Another Bitlocker Windows 10 Thread

Post Posted: Feb 22, 19 01:36

- Chump
Long-time reader, first-time poster here!


A very warm welcome!  
 
  

Chump
Member
 

Re: Another Bitlocker Windows 10 Thread

Post Posted: Feb 22, 19 03:18

- C.R.S.
Usually a case for a DMA attack, if the owner did not set the respective precautions. Otherwise the thorny way via cold boot. If it is a SED and BitLocker is only managing it, all attacks against the SED are open.


Thanks a lot, C.R.S. I did think of DMA, but was under the impression that the user would have had to have logged on and then locked the computer for the password to be in memory? Would I be able to get the BitLocker recovery keys this way, providing the FireWire ports are active?

Thanks Jamie, hopefully I can be of some use and help answer others' questions.  
 
  

AmNe5iA
Senior Member
 

Re: Another Bitlocker Windows 10 Thread

Post Posted: Feb 22, 19 04:55

Can't you just plug the drive into your examination computer (running Windows 10?) through a write blocker, then enter the PIN when prompted by Windows? This won't work if the drive is protected by a PIN in conjunction with the TPM but will otherwise...  
 
  

Chump
Member
 

Re: Another Bitlocker Windows 10 Thread

Post Posted: Feb 22, 19 05:52

Hi AmNe5iA, thanks for your reply.

Unfortunately when I try this it asks for the recovery key rather than the PIN.  
 
  

thefuf
Senior Member
 

Re: Another Bitlocker Windows 10 Thread

Post Posted: Feb 22, 19 06:24

- Chump
Hi AmNe5iA, thanks for your reply.

Unfortunately when I try this it asks for the recovery key rather than the PIN.


If a Trusted Platform Module (TPM) was used to seal a key, then it's impossible to decrypt the volume using any method tied to that TPM (usually, the only option left in this situation is a recovery key). If no TPM was used, try another decryption tool (e.g., dislocker).

Also, as a last resort, try to image the memory to capture the encryption key. Since the computer is locked and no login password is known, try to reboot into another operating system and then acquire a memory image (and hope that the memory isn't wiped during the reboot).  
 

Page 1 of 2