Windows 10 Partition Issue?

watcher
(@watcher)
Posts: 125
Estimable Member
 
Posted by: @arsenalconsulting

... It's that simple, and it's reliable....

Arsenal is a great product and I've used it successfully many times. However, it does require that you already have the password or recovery key. If the image came from a system using TPM, even having the password is not enough. I know you know all that, I just didn't want the details overlooked by someone who might not.

 
Posted : 17/08/2020 5:14 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 
Posted by: @watcher
Posted by: @arsenalconsulting

... It's that simple, and it's reliable....

Arsenal is a great product and I've used it successfully many times. However, it does require that you already have the password or recovery key. If the image came from a system using TPM, even having the password is not enough. I know you know all that, I just didn't want the details overlooked by someone who might not.

Hello,

 

I tried to be clear in #3 about the requirement to enter a password or recovery key.

Please explain in more detail what you mean by:

"If the image came from a system using TPM, even having the password is not enough."

We frequently hear from people who think that BitLocker volumes are somehow TPM protected simply because the systems they came from contained TPM chips, when that is not the case. If TPM-related BitLocker protectors have not been set (e.g. TpmAndPinProtector), TPM is not in play in this context. Even if TPM protectors have been set, the BitLocker recovery key can be used to unlock/fully decrypt/etc. the volume.

Mark

 
Posted : 17/08/2020 5:39 pm
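Added example, not part of the original posts: a triage of saved `manage-bde -protectors -get` output that separates protectors usable against an image alone (recovery password, external key, password) from those tied to the original machine's TPM. The sample output, its IDs and the English-locale label spellings are assumptions constructed for illustration.

```python
import re

# Protector labels as printed by English-locale `manage-bde -protectors -get`
# (assumed spellings), mapped to whether the original machine's TPM is needed.
NEEDS_TPM = {
    "TPM": True, "TPM And PIN": True, "TPM And Startup Key": True,
    "TPM And PIN And Startup Key": True,
    "Numerical Password": False,   # the 48-digit recovery password
    "External Key": False,         # .BEK startup/recovery key file
    "Password": False,
}

# Constructed sample output (IDs and digits are made up): TPM plus recovery password.
SAMPLE = """\
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {11111111-1111-1111-1111-111111111111}
      PCR Validation Profile:
        7, 11

    Numerical Password:
      ID: {22222222-2222-2222-2222-222222222222}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000
"""

def list_protectors(text):
    """Return protector types. Headers sit at exactly 4 spaces of indent, so
    the 'Password:' field nested under Numerical Password is not counted."""
    found = []
    for line in text.splitlines():
        m = re.fullmatch(r" {4}(\S[^:]*):", line.rstrip())
        if m:
            found.append(m.group(1))
    return found

def triage(text):
    """Split protectors into those usable on an image alone and those bound to
    the original hardware; unknown labels are reported, not guessed."""
    result = {"offline": [], "hardware_bound": [], "unknown": []}
    for p in list_protectors(text):
        if p not in NEEDS_TPM:
            result["unknown"].append(p)
        else:
            result["hardware_bound" if NEEDS_TPM[p] else "offline"].append(p)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty `offline` list means no credential alone will unlock the image and the original hardware is needed.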
watcher
(@watcher)
Posts: 125
Estimable Member
 
Posted by: @arsenalconsulting

... I tried to be clear in #3 about the requirement to enter a password or recovery key.

Please explain in more detail what you mean by:

"If the image came from a system using TPM, even having the password is not enough."

We frequently hear from people who think that BitLocker volumes are somehow TPM protected simply because the systems they came from contained TPM chips, when that is not the case. If TPM-related BitLocker protectors have not been set (e.g. TpmAndPinProtector), TPM is not in play in this context. Even if TPM protectors have been set, the BitLocker recovery key can be used to unlock/fully decrypt/etc. the volume.

Mark

You said:

(optionally provide the BitLocker password or recovery key at this point)

This seemed worded in a manner to suggest that neither are necessary as opposed to one or the other is required.

My phrase of "... using TPM ..." is meant to refer to TPM being in play: "using" vice "having" or "containing".

Perhaps you can school me in a misunderstanding. You said:

"Even if TPM protectors have been set, the BitLocker recovery key can be used to unlock/fully decrypt/etc. the volume."

Just to be absolutely clear. We are talking about an image, not a physical volume on the laptop. I know the password is not sufficient to decrypt an image in this circumstance. I guess I didn't address the recovery key.

 

 
Posted : 17/08/2020 6:14 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 
Posted by: @watcher

You said:

(optionally provide the BitLocker password or recovery key at this point)

This seemed worded in a manner to suggest that neither are necessary as opposed to one or the other is required.

<snip>

Just to be absolutely clear. We are talking about an image, not a physical volume on the laptop. I know the password is not sufficient to decrypt an image in this circumstance. I guess I didn't address the recovery key.

 

It was worded in such a manner to suggest that it is not necessary to provide the password or recovery key at that step, because it can be provided at step #3. Perhaps we are both leaving too much up to suggestion, and to a reader's familiarity with BitLocker. Step #1 could be made more clear:

1.) Mount a BitLocker-protected disk image using AIM's read-only mode (optionally provide the BitLocker password or recovery key at this point, if not, it must be provided at step #3)

The steps I provided apply to a disk image which contains one or more BitLocker-protected volumes.

Back to the OP, let's see what Kenny is able to accomplish at this point.

Mark

 
Posted : 17/08/2020 6:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe we are all saying the same thing with different words and with a different background/experience, leading to a different perception of the possible issues and how common they are.

The recovery key is IMHO usually a myth, something that only exists in the talks of IT specialists, no "normal" user will ever save it anywhere and even if he/she does save it (often on a USB stick), it will either be lost, overwritten or both (and this assumes someone that is cooperating).

The only (maybe) source for a recovery key in a non-corporate environment is the MS account, but having access to it is not "given".

The good guys at Elcomsoft concur with me that TPM is often the enabled protector on laptops/notebooks:

https://blog.elcomsoft.com/2020/05/unlocking-bitlocker-can-you-break-that-password/

TPM only

This is by far the most used protector type on portable devices such as notebooks, Windows tablets and two-in-ones. Your system will boot to login prompt; the VMK will be decrypted with a storage root key (SRK) that is stored in the TPM (or Intel PTT) module and only releases if the system passes the Secure Boot check. This is the most convenient option that effectively protects hard drives but offers weaker protection if the intruder has access to the whole system (computer with TPM and the hard drive).

Hence the yes and no in my previous reply: if you do have the appropriate credentials (recovery key or FVEK needed for TPM protected volumes), accessing/decrypting the image is a breeze; if you don't, you need to procure the key, and that is not very straightforward. Specifically, in a forensics scenario, in order to procure it you need access to the original hardware AND to perform on it operations that may alter the evidence, so it needs to be well documented.

jaclaz

 
Posted : 18/08/2020 9:38 am