How To Decrypt BitLocker Volumes With Passware

Decrypting BitLocker volumes or images is challenging due to the various encryption options offered by BitLocker that require different information for decryption.

This article explains BitLocker protectors and talks about the best ways to get the data decrypted, even for computers that are turned off.

BitLocker Encryption Options

Protectors that can be used to encrypt a BitLocker volume include:

  1. TPM (Trusted Platform Module chip)
  2. TPM+PIN
  3. Startup key (on a USB drive)
  4. TPM+PIN+Startup key
  5. TPM+Startup key
  6. Password
  7. Recovery key (numerical password; on a USB drive)
  8. Recovery password (on a USB drive)
  9. Active Directory Domain Services (AD DS) account

To list the protectors of a given BitLocker volume, type the following command in command-line prompt (cmd):

manage-bde -protectors -get C:
(where C: is the name of the mounted BitLocker-encrypted volume)

The list of protectors will be displayed as follows:


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Detailed information on each protector type, in accordance with Microsoft documentation, is provided below:

  1. TPM. BitLocker uses the computer’s TPM to protect the encryption key. If you specify this protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and the system boot integrity is intact. In general, TPM-based protectors can only be associated to an operating system volume.
  1. TPM+PIN. BitLocker uses a combination of the TPM and a user-supplied Personal Identification Number (PIN). A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty letters, symbols, spaces, or numbers.
  1. Startup key. BitLocker uses input from a USB memory device that contains the external key. It is a binary file with a .BEK extension.
  1. TPM+PIN+Startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and input from a USB memory device that contains an external key.
  1. TPM+Startup key. BitLocker uses a combination of the TPM and input from a USB memory device that contains an external key.
  1. Password. A user-supplied password is used to access the volume.
  1. Recovery key. A recovery key, also called a numerical password, is stored as a specified file in a USB memory device. It is a sequence of 48 digits divided by dashes.
  1. Active Directory Domain Services account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector.

Any of these protectors encrypt a BitLocker Volume Master Key (VMK) to generate a Full Volume Encryption Key (FVEK), which is then used to encrypt the volume.

Using Memory Images for Instant Decryption of BitLocker Volumes

If a given BitLocker volume is mounted, the VMK resides in RAM.

When Windows displays a standard Windows user login screen, as above, this means that the system BitLocker volume is mounted and the VMK resides in memory. Once a live memory image has been created *, it is possible to use Passware Kit to extract the VMK and decrypt the volume.

When you turn on a computer configured with the default BitLocker settings, Windows reads the encryption key from the TPM chip, mounts the system drive and proceeds with the boot process. In this case the VMK resides in memory as well.

Passware Kit extracts the VMK from the memory image (or hibernation file), converts it to FVEK, and decrypts the BitLocker volume. It also recovers the Recovery key and Startup key protectors, if available. A sample result is displayed below:

As shown on the screenshot above, Passware Kit Forensic displays both the Encryption/Recovery key and Startup key (file) protectors, as well as creates a decrypted copy of the volume.

SUMMARY

To summarize, if the memory image contains the VMK, the volume gets decrypted, regardless of the protector type used to encrypt the volume. By extracting this VMK, it is also possible to recover the protectors (Recovery Key and Startup Key).

However, if the memory image does not contain the VMK (the volume was not mounted during the live memory acquisition, the hibernation file had been overwritten, etc.), it is only possible to decrypt the volume with the Password protector, i.e. to recover the original password (using brute-force or dictionary attacks).

The password recovery process is time-consuming and depends on the password complexity, any knowledge about the password, and your hardware resources available for password recovery, such as GPUs and availability of distributed computing. As a result, the recovered original password can be used to mount the BitLocker volume.

For some volumes, Password might not be among protectors used and the volume might be protected with other protectors (e.g. Startup key or TPM + PIN). In this case it is impossible to decrypt the volume without a memory image acquired while the volume was mounted or a hibernation file, which contains the VMK.

* It is important to acquire a live memory image correctly in order to preserve residing encryption keys. We recommend using the following third-party tools to acquire memory images: Belkasoft Live RAM Capturer and Magnet RAM Capture, both available free of charge, and Recon by SUMURI for macOS.

Find out more at Passware.com.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:39 pm

Internal investigations and eDiscovery face rising challenges in the data collection landscape. There is an urgent need to preserve and analyze data; rising costs for server infrastructure and overhead and the increasing complexity and volume of data from emerging sources is overwhelming. Laptops, computers, phones, tablets, cloud sources, and messaging applications – data is stored anywhere and everywhere with employee communications being the riskiest data sources.

The scope and specific challenges of data collection affect organizations and law firms differently, presenting a need for a variety of solutions to best fit their needs. With Cellebrite’s suite of SaaS (Software-as-a-Service) cloud-based collection solutions, corporate investigators and eDiscovery practitioners can close investigations and get to review faster.

Cellebrite's market-leading SaaS based solutions minimize business disruption and save organizations money by:

- Eliminating the need for large upfront costs and maintenance expenses
- Minimizing overhead costs without hosting the solution, no hardware shipping, and no technical calls for assistance
- Minimal and predictable data collection costs, allowing you to scale your usage according to your specific needs and budgetary considerations
- Stay up to date with continuous updates to data sources with updates pushed to the Cellebrite cloud
- Close investigations and review discovery faster with cloud-based innovation
- Manage customer requests and provide transparency throughout your organization across the globe

Watch Cellebrite's webinar where Monica Harris, Product Business Manager, showcases how Cellebrite’s range of SaaS-based solutions have you covered whether you need remote collection across all devices, including computers, cloud sources, chat applications, and mobile devices or full-file system advanced collection capabilities across the widest range of mobile devices and applications.

Internal investigations and eDiscovery face rising challenges in the data collection landscape. There is an urgent need to preserve and analyze data; rising costs for server infrastructure and overhead and the increasing complexity and volume of data from emerging sources is overwhelming. Laptops, computers, phones, tablets, cloud sources, and messaging applications – data is stored anywhere and everywhere with employee communications being the riskiest data sources.

The scope and specific challenges of data collection affect organizations and law firms differently, presenting a need for a variety of solutions to best fit their needs. With Cellebrite’s suite of SaaS (Software-as-a-Service) cloud-based collection solutions, corporate investigators and eDiscovery practitioners can close investigations and get to review faster.

Cellebrite's market-leading SaaS based solutions minimize business disruption and save organizations money by:

- Eliminating the need for large upfront costs and maintenance expenses
- Minimizing overhead costs without hosting the solution, no hardware shipping, and no technical calls for assistance
- Minimal and predictable data collection costs, allowing you to scale your usage according to your specific needs and budgetary considerations
- Stay up to date with continuous updates to data sources with updates pushed to the Cellebrite cloud
- Close investigations and review discovery faster with cloud-based innovation
- Manage customer requests and provide transparency throughout your organization across the globe

Watch Cellebrite's webinar where Monica Harris, Product Business Manager, showcases how Cellebrite’s range of SaaS-based solutions have you covered whether you need remote collection across all devices, including computers, cloud sources, chat applications, and mobile devices or full-file system advanced collection capabilities across the widest range of mobile devices and applications.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_SE7Cl5jkigk

Maximising Data Collection With SaaS Innovations

Forensic Focus 10th June 2024 12:42 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles