Notifications
Clear all

Bitlocker

12 Posts
7 Users
0 Likes
2,189 Views
(@dickson-icac)
Posts: 4
New Member
Topic starter
 

Greetings. New to the group and in need of assistance. I am an ICAC (Internet Crimes Against Children) detective and have never actually encountered Bitlocker in use in any of my cases. I need to find a way around Bitlocker. I assure you that I am nowhere near as smart as anyone else here so I'll try to be as precise as possible. I removed the 256Gb NVMe "Hard Drive" from the Lenovo laptop, installed it into my NVMe to USB adapter and plugged it into my write blocker so that I can image the drive. The drive is locked and I am being prompted for a 48 digit recovery pin, which I do not have. Is there any way (methods, software etc.) for me to get around Bitlocker or is this an actual barrier that I cannot defeat without 10's of thousands of dollars in software and additional equipment? Thank you in advance for any and all assistance.

 
Posted : 18/10/2021 4:24 pm
Passmark
(@passmark)
Posts: 375
Reputable Member
 

Assuming it really is Bitlocker (and not some other encryption) you need 1 of the following,

  • Password
  • Recovery Key (That looks something like this, 531135-570372-522236-480007-142241-640487-244519-333049)
  • Startup Key File (.bek file)
  • TPM module from the original machine (maybe with a PIN or USB drive)

There are also lots of different encryption levels. For example AES-CBC 128-bit & AES-XTS 256-bit. 

If you don't have .bek, key or password then I think you are stuck. 

Very small change you could brute force the password, but probably not.

Even the weaker AES-128 bit option is still very solid in 2021. And to be honest if it was trivial to bypass, Bitlocker would have no value (and Microsoft would patch it to fix it). It isn't open source so maybe it has a back door. But if it does, it isn't well known and is well hidden.

 

 

 

 
Posted : 19/10/2021 1:24 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

There is one way you can try @dickson-icac : in case you have the Microsoft account password AND the suspect used the default option to store the recovery key, you can find the recovery key at 
https://account.microsoft.com/devices/recoverykey

But....unlikely that someone who is trying to hide illegal media stores the recovery key to the MS account. Look around if you can find the recovery key somewhere else, on a USB stick perhaps or on a printed page of paper.

As @Passmark said, Bitlocker works. Otherwise, it would not be the de-facto standard for FDE in enterprises.

Good hunting!
regards, Robin

 
Posted : 19/10/2021 10:43 am
(@dickson-icac)
Posts: 4
New Member
Topic starter
 

@passmark Thank you kindly for your fast and honest answer. I was afraid I was staring at a block wall when that notification popped up. Unfortunately I don't have any information at all and the suspect isn't going to come off anything. I hope I don't run into Bitlocker on a regular basis.

 
Posted : 19/10/2021 3:41 pm
(@dickson-icac)
Posts: 4
New Member
Topic starter
 

@bunnysniper Thank you as well for your fast response. I will save that address for future reference. Maybe I can find his Microsoft password but I don't see that as a likely scenario.

 
Posted : 19/10/2021 3:43 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 570
Honorable Member
 

Thank you for your work protecting our families and children!

Now that you have created a physical forensic image of the internal hard drive, have you attempted to log in to the computer? 

If you can log in, then you could make a live forensic image by plugging in an external USB drive with FTK Imager on the external USB drive.  FTK Imager would be launched from the external USB drive and the resulting forensic image would be written to the external USB drive.

If the login password is unknown, perhaps a tool like this would work to reset the password:

Passware Windows Key Basic - password reset made simple

Is the original evidence is a corporate owned laptop or a personally owned laptop?  If corporate owned then BL recovery key could be acquired from Microsoft Active Directory.

 
Posted : 19/10/2021 4:04 pm
(@cmueller-tp)
Posts: 3
New Member
 

Hi,

so if your suspect did not set a pre-boot pin you might be able to set the disk back in to the PC and normally boot the system. Bitlocker (without the mentioned pre-boot pin) will get the key to decrypt the disk from the TPM and decrypt the disk. But the user password would still prevent you from accessing the files.

One way of getting around that would be to cold-boot the system and recover the Bitlocker keys from the memory dump.

Cheers
Chris

 
Posted : 19/10/2021 4:35 pm
Passmark
(@passmark)
Posts: 375
Reputable Member
 

Related story,

https://www.wired.com/2015/01/silk-road-trial-undercover-dhs-fbi-trap-ross-ulbricht/

"The plan for the arrest...was to get him into a position where we could have him in a public setting, and I could initiate a chat with him," Deryeghiayan said in response to questions from prosecutor Serrin Turner. "The purpose was that if indeed [the Dread Pirate Roberts] was Ross Ulbricht, we could get his computer in an open, unencrypted state."

 

 
Posted : 20/10/2021 12:09 am
(@dickson-icac)
Posts: 4
New Member
Topic starter
 

@unallocatedclusters, Thank you for your response. I was unable to make an image of the drive due to Bitlocker- it locked the drive and requires a 48 digit recovery pin. I'm unable to power on the device as well and assume that it would also be password protected, so logging in is definitely out of the question. I appreciate your info on using FTK on USB, I'll be saving that for future reference and will give it a try under the right circumstances.

 
Posted : 20/10/2021 4:15 pm
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

@dickson-icac - Bitlocker itself will not stop you from creating an image of the drive, it will just mean that the data you have is not intelligible.

You state you are unable to power on the device, is this due to a faulty device or a PIN code/password to enter the user account?

If it is faulty, you can often get the device repaired in order to get it to a working state. If the user account is password protected, there is another way.

You can create a Windows2go USB device, which is basically a portable windows installation. If you boot the device to this, you can query the bitlocker key using the "manage-bde status" command from a command prompt.

We deal with quite a few bitlockered drives in our unit where there is no password set by the user and this is the best way we have found for dealing with them, once you have an image of the device.

 
Posted : 21/10/2021 6:48 am
Page 1 / 2
Share:
Share to...