Greetings everyone,
I am working on a Dell 7010, which is a Micro form factor and has proved to be quite the challenge for me.
No PIN/password, but may have luck with O365 having a copy of the keys; will know by this week.
I have full BIOS access.
The motherboard does not use an external TPM chip; it uses the Intel 670Q chipset, so I can't sniff the LPC lanes, as from my understanding the TPM process is built into the processor itself.
The machine is Win11h24 and is impacted by Microsoft's lovely keyboard bug, so I cannot use BitPixie to dump the FVEK that way. Maybe I can leave the machine on at 3AM to trigger the update, leading this to be fixed? There is no PS2/Bluetooth option that I can connect to AFAIK.
I am able to disable Secure Boot, boot to a USB (at which point I imaged the drive with FTK Imager), then upon next boot switch Secure Boot back on without triggering BitLocker to prompt for a key to unlock the drive. It subsequently will continue to boot into the live OS.
Both my attempts at freezing the RAM, pulling the power and attempting to power it on as quickly as possible, then subsequently dumping using UEFI-Memory-Dump, have yielded memory dumps of the expected size, but just scanning for "MZ" only shows three instances (both times) in the same address location. I dumped the values of the first one and it appears to read Computrace, which I understand has LoJack functions, but am unsure if it has memory functions that would remove remanence. Outside that, scanning for known pool tag values for Windows 11 has yielded zero results. Considering there are only 3 instances of "MZ" showing in the RAM dump, I'm convinced the data is not preserved, as I would expect close to 100 binaries loaded into RAM, not just three, if the data was actually still there.
This computer only has a shutoff button; I can't locate any place on the board to attach leads to short a reset process to preserve the RAM. I can only pull the power plug and switch the machine back on; maybe still possible if I cool the RAM enough?
Any suggestions on any other way to emulate a power reset to preserve as much of the RAM remanence as possible, or is that even needed if I keep the RAM chilled enough?
Does the Dell Secure Boot POST process clear RAM memory on startup?
I'm seeing multiple sources saying power should be cut before the login screen. Is this true? I assume the keys must remain in memory to continue to encrypt/decrypt data?
I have as much time as needed to look into this as I feel the challenge is worth it and useful for future recoveries and appreciate any feedback or ideas to explore. I feel I'm a tad bested at this point by this Dell machine surprisingly. Thanks for any guidance.

