
Another Bitlocker Windows 10 Thread

18 Posts
9 Users
0 Reactions
3,770 Views
(@luis68)
New Member
Joined: 6 years ago
Posts: 1
 

I have a customer who also forgot his Windows password but remembers the BitLocker PIN. Tried to boot with different Live CDs to reset the password but all files are encrypted and inaccessible. Hopefully there is a way to decrypt the drive with BitLocker PIN instead of the recovery key, but I can't find any useful info now.


   
(@loveboatcaptain83)
Active Member
Joined: 6 years ago
Posts: 13
Topic starter  

So we still have had no luck but are persisting!

Looking through the manual of the Logicube Forensic Falcon, it says that it can unlock Bitlocker drives with either the password or Recovery Key….does anybody know if this is true? Link below…

https://www.logicube.com/wp-content/uploads/2018/03/MAN-Falcon-NEO-v1.0-20180328.pdf


   
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

So we still have had no luck but are persisting!

Looking through the manual of the Logicube Forensic Falcon, it says that it can unlock Bitlocker drives with either the password or Recovery Key….does anybody know if this is true? Link below…

https://www.logicube.com/wp-content/uploads/2018/03/MAN-Falcon-NEO-v1.0-20180328.pdf

So, was a TPM used to store the key? If no, you can boot the image in a virtual machine (up to the login screen) and acquire the memory of a virtual machine from a host machine.


   
(@loveboatcaptain83)
Active Member
Joined: 6 years ago
Posts: 13
Topic starter  

@thefuf That method is next on the list, thank you! The user needs to enter the Bitlocker PIN on startup so I assume that means that there is no TPM in use…?


   
(@de_phoenix)
New Member
Joined: 6 years ago
Posts: 2
 

Hi All!

Long time reader first time poster here!

I'm currently attempting to recover data from a computer with Bitlocker and a Windows 10 password. We have the Bitlocker PIN but not the recovery key, recovery password or Windows logon password. This means we can unlock the laptop and boot Windows but can't get past the logon screen. So close but so far!!

I'm able to boot the laptop from an external HDD so I've been able to get an encrypted image of the HDD using Paladin. Encase can decrypt it, but only with the recovery keys, not the actual user PIN.

Has anybody been in a similar situation and how did or didn't you get around it?

Thanks for any help you can give me!

Cx

Hello Chump!
We have the same problem. Did you find a solution? Please let me know.


   
(@deefir)
Eminent Member
Joined: 6 years ago
Posts: 49
 

That's a great idea, thanks! We'll give inception or something similar a go and let you know how we get on.

We were also thinking of trying to brute force the Windows password via RDP based on a word list generated from the password hint. Not sure if anyone has any experience with this method or has any thoughts on whether it's likely to work or not? We're working on a clone of the drive, obviously.

I had a similar scenario where I connected a Windows 10 laptop to our network using a USB to Ethernet adapter, set up a standalone DHCP server and scanned the machine for exploitable services. If RDP is enabled, you may be in luck.

So we still have had no luck but are persisting!

Looking through the manual of the Logicube Forensic Falcon, it says that it can unlock Bitlocker drives with either the password or Recovery Key….does anybody know if this is true? Link below…

https://www.logicube.com/wp-content/uploads/2018/03/MAN-Falcon-NEO-v1.0-20180328.pdf

Yes, it can. Connect the source device and then select 'partition to image' as method, then select the partition and it'll prompt you for the password or recovery key. I've done this personally and it works.

@thefuf That method is next on the list, thank you! The user needs to enter the Bitlocker PIN on startup so I assume that means that there is no TPM in use…?

This would mean TPM and pre-boot PIN is required for authentication. The PIN can't be bruteforced either.


   
Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
 

Hi All!

Long time reader first time poster here!

I'm currently attempting to recover data from a computer with Bitlocker and a Windows 10 password. We have the Bitlocker PIN but not the recovery key, recovery password or Windows logon password.
Cx

Hello Chump!
We have the same problem. Did you find a solution? Please let me know.

1. Create your Windows FE device (USB/ image) as I have described here.
https://articles.forensicfocus.com/2017/01/06/windows-10-pe-for-digital-forensics/

2. Boot into Windows FE, (auto)mount your hard drive and use "manage-bde.exe" on the command line.

>manage-bde -unlock /?

gives you the option to unlock Bitlocker with these credentials

manage-bde -unlock e: -RecoveryPassword …
manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"
manage-bde -unlock e: -Certificate -cf "c:\File Folder\Filename.cer"
manage-bde -unlock e: -pw
manage-bde -unlock e: -sid

For me it seems as if "-pw" means "password" and this should solve your problem. Hopefully. Please be aware that you can mount the image into other running Operating Systems, too, and use manage-bde.exe

Good luck!

Robin
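
Added example (not part of the thread or any poster's code): `manage-bde -protectors -get e:` lists which key protectors a volume has, and the sketch below maps each one to the `-unlock` option quoted above, or marks it as TPM-bound. The sample output is constructed, and the label wording and layout it parses are assumptions about manage-bde's output.

```python
import re

# Protector label (assumed manage-bde wording) -> the manage-bde -unlock
# option that accepts that credential. None = sealed to the TPM, so there
# is nothing to supply from another OS or against a detached image.
UNLOCK_OPTION = {
    "Numerical Password": "-RecoveryPassword",
    "External Key": "-RecoveryKey",
    "Password": "-pw",
    "TPM": None,
    "TPM And PIN": None,
    "TPM And Startup Key": None,
    "TPM And PIN And Startup Key": None,
}

# Constructed sample of `manage-bde -protectors -get e:` output (fake IDs).
SAMPLE = """\
Volume E: [Label Unknown]
All Key Protectors

    Numerical Password:
      ID: {11111111-2222-3333-4444-555555555555}
      Password:
        <redacted>

    TPM And PIN:
      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
      PCR Validation Profile:
        0, 2, 4, 11
"""

def list_protectors(text):
    """Return protector type names in order of appearance.

    A header is a 'Name:' line whose next non-blank line is 'ID: {...}'.
    This keeps the 'Password:' field inside a Numerical Password entry
    from being mistaken for a Password protector."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [cur[:-1] for cur, nxt in zip(lines, lines[1:])
            if cur.endswith(":") and re.match(r"ID:\s*\{", nxt)]

def unlock_plan(text):
    """Map each protector found to its -unlock option (None = TPM-bound)."""
    return {name: UNLOCK_OPTION.get(name, "unknown")
            for name in list_protectors(text)}

if __name__ == "__main__":
    for name, opt in unlock_plan(SAMPLE).items():
        print(f"{name:30} {opt or 'TPM-bound: original machine at boot only'}")
```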


   
(@de_phoenix)
New Member
Joined: 6 years ago
Posts: 2
 

Hi All!

Long time reader first time poster here!

I'm currently attempting to recover data from a computer with Bitlocker and a Windows 10 password. We have the Bitlocker PIN but not the recovery key, recovery password or Windows logon password.
Cx

Hello Chump!
We have the same problem. Did you find a solution? Please let me know.

1. Create your Windows FE device (USB/ image) as I have described here.
https://articles.forensicfocus.com/2017/01/06/windows-10-pe-for-digital-forensics/

2. Boot into Windows FE, (auto)mount your hard drive and use "manage-bde.exe" on the command line.

>manage-bde -unlock /?

gives you the option to unlock Bitlocker with these credentials

manage-bde -unlock e: -RecoveryPassword …
manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"
manage-bde -unlock e: -Certificate -cf "c:\File Folder\Filename.cer"
manage-bde -unlock e: -pw
manage-bde -unlock e: -sid

For me it seems as if "-pw" means "password" and this should solve your problem. Hopefully. Please be aware that you can mount the image into other running Operating Systems, too, and use manage-bde.exe

Good luck!

Robin

Thank you for your advice! In our case a password isn't set for drive protection. A PIN was used for that purpose; we have the BitLocker PIN (but not the recovery key) and we don't have the Windows logon password. We can't reset the Windows password because the system drive is encrypted.


   