
Bitlocker

Dickson ICAC
(@dickson-icac)
New Member

Greetings. New to the group and in need of assistance. I am an ICAC (Internet Crimes Against Children) detective and have never actually encountered Bitlocker in use in any of my cases. I need to find a way around Bitlocker. I assure you that I am nowhere near as smart as anyone else here, so I'll try to be as precise as possible. I removed the 256 GB NVMe "Hard Drive" from the Lenovo laptop, installed it into my NVMe-to-USB adapter and plugged it into my write blocker so that I can image the drive. The drive is locked and I am being prompted for a 48-digit recovery pin, which I do not have. Is there any way (methods, software, etc.) for me to get around Bitlocker, or is this an actual barrier that I cannot defeat without tens of thousands of dollars in software and additional equipment? Thank you in advance for any and all assistance.

Topic starter Posted : 18/10/2021 4:24 pm
Passmark
(@passmark)
Active Member

Assuming it really is Bitlocker (and not some other encryption), you need one of the following:

  • Password
  • Recovery Key (That looks something like this, 531135-570372-522236-480007-142241-640487-244519-333049)
  • Startup Key File (.bek file)
  • TPM module from the original machine (maybe with a PIN or USB drive)

There are also lots of different encryption levels, for example AES-CBC 128-bit and AES-XTS 256-bit.

If you don't have the .bek, key or password, then I think you are stuck.

Very small chance you could brute-force the password, but probably not.

Even the weaker AES-128-bit option is still very solid in 2021. And to be honest, if it was trivial to bypass, Bitlocker would have no value (and Microsoft would patch it to fix it). It isn't open source, so maybe it has a back door. But if it does, it isn't well known and is well hidden.

Posted : 19/10/2021 1:24 am
Bunnysniper
(@bunnysniper)
Active Member

There is one way you can try, @dickson-icac: in case you have the Microsoft account password AND the suspect used the default option to store the recovery key, you can find the recovery key at
https://account.microsoft.com/devices/recoverykey

But... unlikely that someone who is trying to hide illegal media stores the recovery key to the MS account. Look around to see if you can find the recovery key somewhere else, on a USB stick perhaps or on a printed page of paper.

As @Passmark said, Bitlocker works. Otherwise, it would not be the de facto standard for FDE in enterprises.

Good hunting!
regards, Robin

Posted : 19/10/2021 10:43 am
Dickson ICAC
(@dickson-icac)
New Member

@passmark Thank you kindly for your fast and honest answer. I was afraid I was staring at a block wall when that notification popped up. Unfortunately, I don't have any information at all and the suspect isn't going to come off anything. I hope I don't run into Bitlocker on a regular basis.

Topic starter Posted : 19/10/2021 3:41 pm
Dickson ICAC
(@dickson-icac)
New Member

@bunnysniper Thank you as well for your fast response. I will save that address for future reference. Maybe I can find his Microsoft password, but I don't see that as a likely scenario.

Topic starter Posted : 19/10/2021 3:43 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Thank you for your work protecting our families and children!

Now that you have created a physical forensic image of the internal hard drive, have you attempted to log in to the computer?

If you can log in, then you could make a live forensic image by plugging in an external USB drive with FTK Imager on the external USB drive. FTK Imager would be launched from the external USB drive and the resulting forensic image would be written to the external USB drive.

If the login password is unknown, perhaps a tool like this would work to reset the password:

Passware Windows Key Basic - password reset made simple

Is the original evidence a corporate-owned laptop or a personally owned laptop? If corporate-owned, then the BL recovery key could be acquired from Microsoft Active Directory.

Posted : 19/10/2021 4:04 pm
cmueller-tp
(@cmueller-tp)
New Member

Hi,

so if your suspect did not set a pre-boot PIN, you might be able to put the disk back into the PC and normally boot the system. Bitlocker (without the mentioned pre-boot PIN) will get the key to decrypt the disk from the TPM and decrypt the disk. But the user password would still prevent you from accessing the files.

One way of getting around that would be to cold-boot the system and recover the Bitlocker keys from the memory dump.

Cheers
Chris

Posted : 19/10/2021 4:35 pm
Passmark
(@passmark)
Active Member

Related story:

https://www.wired.com/2015/01/silk-road-trial-undercover-dhs-fbi-trap-ross-ulbricht/

"The plan for the arrest...was to get him into a position where we could have him in a public setting, and I could initiate a chat with him," Deryeghiayan said in response to questions from prosecutor Serrin Turner. "The purpose was that if indeed [the Dread Pirate Roberts] was Ross Ulbricht, we could get his computer in an open, unencrypted state."

Posted : 20/10/2021 12:09 am
Dickson ICAC
(@dickson-icac)
New Member

@unallocatedclusters, thank you for your response. I was unable to make an image of the drive due to Bitlocker: it locked the drive and requires a 48-digit recovery pin. I'm unable to power on the device as well, and I assume that it would also be password protected, so logging in is definitely out of the question. I appreciate your info on using FTK on USB; I'll be saving that for future reference and will give it a try under the right circumstances.

Topic starter Posted : 20/10/2021 4:15 pm
minime2k9
(@minime2k9)
Active Member

@dickson-icac - Bitlocker itself will not stop you from creating an image of the drive; it will just mean that the data you have is not intelligible.

You state you are unable to power on the device. Is this due to a faulty device or a PIN code/password to enter the user account?

If it is faulty, you can often get the device repaired in order to get it to a working state. If the user account is password protected, there is another way.

You can create a Windows To Go USB device, which is basically a portable Windows installation. If you boot the device to this, you can query the Bitlocker key using the "manage-bde -status" command from a command prompt.

We deal with quite a few Bitlockered drives in our unit where there is no password set by the user, and this is the best way we have found for dealing with them, once you have an image of the device.

Posted : 21/10/2021 6:48 am
Columbuscop2290
(@columbuscop2290)
New Member

@minime2k9 I'm curious if you have a write-up on this method? I've never seen it before and would be interested in giving it a try.

Posted : 25/10/2021 2:35 pm
minime2k9
(@minime2k9)
Active Member

@Columbuscop2290 - Never actually written it up properly. The hardest part is creating a Windows To Go USB, though this is a pretty good write-up:

https://www.techspot.com/article/1751-windows-to-go/

I think you do need a copy of Windows 10 Pro, as opposed to Home, to be able to do this.

Once you have a machine booted, it's basically just entering the manage-bde command. This will give you the recovery key for the mounted drive. It only works where a password is not required (unless you have the password too).

If you think about it logically, we are still running a completely legitimate version of Windows (i.e. Secure Boot compliant), and therefore the TPM data will be available to us.

I used this technique first when I managed to erase a partition from a Bitlocker-encrypted disk (on a non-evidence device!!)

Posted : 25/10/2021 2:56 pm
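The posts by cmueller-tp and minime2k9 both turn on the same configuration detail: a volume protected by the TPM alone, with no pre-boot PIN, releases its key to any Secure Boot compliant Windows that boots on that machine. The audit script below is an added example, not code from the thread or from any poster; it assumes an elevated PowerShell session on a Windows build that ships the BitLocker module, and reports which local volumes are in that TPM-only state, which are encrypted but have protection suspended, and which carry no recovery password protector at all.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit local BitLocker volumes for the
# weak postures discussed above. Uses only the built-in BitLocker module.
Import-Module BitLocker

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # TPM-only: a Tpm protector with no PIN or startup-key variant alongside it,
        # so the volume master key is released at boot without any user secret.
        $userSecretVariants = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $userSecretVariants -contains $_ })

        $findings = @()
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $findings += 'NotEncrypted'
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            # Encrypted, but the key is stored in the clear (protection suspended)
            $findings += 'ProtectionSuspended'
        }
        if ($tpmOnly) { $findings += 'TpmOnlyNoPin' }
        if (-not ($types -contains 'RecoveryPassword')) { $findings += 'NoRecoveryPassword' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ',')
            Findings         = if ($findings) { $findings -join ',' } else { 'OK' }
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

A volume flagged TpmOnlyNoPin is the case the thread describes; adding a TpmPin protector (for example via Add-BitLockerKeyProtector with -TpmAndPinProtector) is the mitigation, and NoRecoveryPassword means the administrator has no escrowed key to fall back on.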