bitlocker  

fuzed
(@fuzed)
Member

I know it's been discussed and most have said it can't be done!!!
I've got a laptop that's been seized, but before seizure was shut down.

The imaging has been done, and I've found the laptops drive has been encrypted using bitlocker.

I've looked around and it seems that the only app that can decrypt is passware kit forensic, but this requires a dump of the ram whilst the machine is still logged in.

Passware says it can bruteforce TrueCrypt, but does anyone have any experience of it bruteforcing BitLocker?

Any advice and or guidance appreciated.

Posted : 10/09/2010 8:05 pm
96hz
(@96hz)
Active Member

EnCase has facilities to decrypt BitLocker but you require the recovery key, which can sometimes be found on associated removable media. As for brute forcing, I have no idea. Good luck with it, be interested to see what happens with this one.

Posted : 11/09/2010 2:15 am
twjolson
(@twjolson)
Active Member

You didn't give any specifics about the nature of the case, so this may have limited use.

Never underestimate the weakest link in technology, the person. If questioning won't get the password out of them, intentionally or not, then their password may be written down somewhere, or another user may know it.

Posted : 11/09/2010 4:40 am
jaclaz
(@jaclaz)
Community Legend

Maybe these help (or maybe not)
http://blogs.msdn.com/b/si_team/archive/2006/08/10/694692.aspx
http://support.microsoft.com/kb/928202/en-us

jaclaz

Posted : 11/09/2010 5:30 pm
echo6
(@echo6)
Member

twjolson has it right!

You are screwed unless you have located the recovery key; by default, when BitLocker is enabled it enforces that either a recovery key and/or recovery password is created.

The second link posted by jaclaz refers to the enterprise edition of BitLocker. If this case involves a business laptop which was using this version you will need the machine name to ask the Admin for the recovery credentials, which may be obtained from Active Directory, dependent on policy settings.

Also, if you are able to recover the .BEK file, EnCase has support for accessing BitLocker volumes when this is supplied. Start searching recovered volumes for this file; it is likely to be on a USB key but can be dumped to any FAT/NTFS volume.

Good luck!

Posted : 11/09/2010 11:42 pm
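Two of the checks discussed in this thread, identifying a BitLocker volume from its boot sector and hunting a recovered volume for an external key (.BEK) file, as an added example that is not code from the original posts. It assumes the volume image is raw (the boot sector begins at the given offset) and that the mounted volume is reachable as a normal directory tree; the sample sectors and file tree inside demo() are constructed.

```python
import os
import re
import tempfile

# Vista/7 BitLocker boot sectors carry the OEM name "-FVE-FS-" at offset 3.
FVE_SIGNATURE = b"-FVE-FS-"
# External key files are named after the key protector GUID, e.g. 1A2B3C4D-....BEK
BEK_NAME = re.compile(r"^\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?\.BEK$", re.IGNORECASE)


def is_bitlocker_boot_sector(sector: bytes) -> bool:
    """True if a volume's first sector carries the BitLocker FVE OEM name."""
    return len(sector) >= 11 and sector[3:11] == FVE_SIGNATURE


def volume_is_bitlocker(image_path: str, offset: int = 0) -> bool:
    """Read the boot sector of the volume at `offset` inside a raw image and check it."""
    with open(image_path, "rb") as f:
        f.seek(offset)
        return is_bitlocker_boot_sector(f.read(512))


def find_bek_files(root: str) -> list:
    """Walk a mounted/recovered volume and list files named like a BitLocker external key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if BEK_NAME.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo() -> dict:
    """Constructed sample data: one BitLocker-style sector, one NTFS sector, a small file tree."""
    fve_sector = b"\xeb\x58\x90" + FVE_SIGNATURE + b"\x00" * 501
    ntfs_sector = b"\xeb\x52\x90" + b"NTFS    " + b"\x00" * 501
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in (("fve.img", fve_sector), ("ntfs.img", ntfs_sector)):
            with open(os.path.join(tmp, fname), "wb") as f:
                f.write(data)
        usb = os.path.join(tmp, "usb", "docs")           # constructed "recovered USB key" tree
        os.makedirs(usb)
        for fname in ("A1B2C3D4-1111-2222-3333-444455556666.BEK", "notes.txt", "readme.bek"):
            open(os.path.join(usb, fname), "wb").close()
        return {
            "fve_image_is_bitlocker": volume_is_bitlocker(os.path.join(tmp, "fve.img")),
            "ntfs_image_is_bitlocker": volume_is_bitlocker(os.path.join(tmp, "ntfs.img")),
            "bek_names": [os.path.basename(p) for p in find_bek_files(os.path.join(tmp, "usb"))],
        }
```

Note that "readme.bek" is deliberately ignored: only GUID-named .BEK files match the external key naming scheme.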
douglasbrush
(@douglasbrush)
Senior Member

You didn't give any specifics about the nature of the case, so this may have limited use.

Never underestimate the weakest link in technology, the person. If questioning won't get the password out of them, intentionally or not, then their password may be written down somewhere, or another user may know it.

Yup - any photos or access to the user's physical desk? Post-it notes are usually not encrypted and contain passwords in plain text :)

Posted : 12/09/2010 1:39 am
Nizmon
(@nizmon)
Junior Member

If I may put my two pence in. Unless the laptop was encrypted with a TPM chip on the board, the drive should boot into the Windows login screen, no? If so then the password would be loaded into RAM, allowing you to remove it? I did a paper on it at uni and got 100% :D

Check this link - http://citp.princeton.edu/memory/

Let us know how you get on.

Posted : 13/09/2010 7:07 am
fuzed
(@fuzed)
Member

Thank you all very much, that's some very useful info.

I've been searching other media for any files that could be associated with BitLocker, and will have a search for the .BEK file also.

Sorry for the limited amount of information; we've had a laptop from a client that didn't seem to have much information. After a great deal of trying to understand the encryption mechanism I worked out it was BitLocker - TPM is disabled at BIOS level, and the machine's running Windows 7.

I've booted the machine up to the Windows logon screen to be presented with a logon account; it doesn't seem to be domain related. I have asked the client for any other info/mem sticks etc., and so we're awaiting those.

Nizmon, thanks for the link. I'll have a look into maybe trying to pull it via RAM, but I thought that the newer versions of BitLocker and TrueCrypt randomise the storage of the keys. Still, we can but try; I will get back to you guys and let you know if it works with Win7.

Posted : 13/09/2010 5:31 pm
jaclaz
(@jaclaz)
Community Legend

A word of caution: when freezing the RAM you should be very aware of condensation/humidity problems, see
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6540069

Avoiding spraying directly on the chips (and connectors) is a good idea.

Some kitchen plastic film will do nicely.

jaclaz

Posted : 13/09/2010 6:33 pm
chad131
(@chad131)
Member

If TPM is disabled in the BIOS, this may be worth a try. I've never tried it on a BitLocker system.

http://www.piotrbania.com/all/kon-boot/

–Chad

Posted : 13/09/2010 6:50 pm
jaclaz
(@jaclaz)
Community Legend

If TPM is disabled in the BIOS, this may be worth a try. I've never tried it on a BitLocker system.

http://www.piotrbania.com/all/kon-boot/

–Chad

NO, unfortunately Kon-Boot is a tool to work around "normal" Windows passwords (i.e. Winlogon), and has nothing to do with BitLocker (or any hard drive encryption tool).

The given link is for the old (Free :) ) version; the homepage of the new, Commercial version is here:
http://www.kryptoslogic.com/?area=2&item=2

See FAQs:
http://www.kryptoslogic.com/?area=2&item=2&page=4

Can Kon Boot bypass hard drive encryption?

No. Kon Boot will only bypass authentication of Windows based local passwords.

jaclaz

Posted : 13/09/2010 6:56 pm
chad131
(@chad131)
Member

jaclaz,

Thanks for the clarification. I figured it was a long shot (and would have been VERY surprised if it worked). I've never seen BitLocker on a non-TPM system… wasn't sure what "workarounds" were available. Kon-Boot and the Passware RAM dump over FireWire came first to mind.

–Chad

Posted : 13/09/2010 7:02 pm
fuzed
(@fuzed)
Member

Thanks guys - we're going to attempt it without freezing the RAM, but instead leaving it in a very cold room with the AC down as low as possible.

Posted : 13/09/2010 7:52 pm
ronanmagee
(@ronanmagee)
Active Member

F-Response have released a video in conjunction with Passware for BitLocker drives. I'm unsure if the password has to be entered and stored in memory prior to running the tools, but nevertheless it is interesting.

Posted : 13/09/2010 9:38 pm
fuzed
(@fuzed)
Member

Hi, yes, I saw that video the other day.

I thought that BitLocker wouldn't store info in the RAM until login, but as the system doesn't seem to have TPM enabled in the BIOS we may well have a chance at getting it; it's worth a go anyway.

I'm just in the process of zeroing a USB mem stick before I attempt it.

Posted : 13/09/2010 9:52 pm