BitLocker Decryption Explained

Decrypting BitLocker volumes or images is challenging due to the various encryption options offered by BitLocker that require different information for decryption.

This article explains BitLocker protectors and talks about the best ways to get the data decrypted, even for computers that are turned off.BitLocker Encryption Options

Protectors that can be used to encrypt a BitLocker volume include:

  • TPM (Trusted Platform Module chip)
  • TPM+PIN
  • Startup key (on a USB drive)
  • TPM+PIN+Startup key
  • TPM+Startup key
  • Password
  • Recovery key (numerical password; on a USB drive)
  • Recovery password (on a USB drive)
  • Active Directory Domain Services (AD DS) account
  • [/list:u]

    To list the protectors of a given BitLocker volume, type the following command in command-line prompt (cmd):

    manage-bde -protectors -get C:
    (where C: is the name of the mounted BitLocker-encrypted volume)

    The list of protectors will be displayed as follows:


    Get The Latest DFIR News

    Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


    Unsubscribe any time. We respect your privacy - read our privacy policy.

    Detailed information on each protector type, in accordance with Microsoft documentation, is provided below:

    • TPM. BitLocker uses the computer’s TPM to protect the encryption key. If you specify this protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and the system boot integrity is intact. In general, TPM-based protectors can only be associated to an operating system volume.
    • TPM+PIN. BitLocker uses a combination of the TPM and a user-supplied Personal Identification Number (PIN). A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty letters, symbols, spaces, or numbers.
    • Startup key. BitLocker uses input from a USB memory device that contains the external key. It is a binary file with a .BEK extension.
    • TPM+PIN+Startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and input from a USB memory device that contains an external key.
    • TPM+Startup key. BitLocker uses a combination of the TPM and input from a USB memory device that contains an external key.
    • Password. A user-supplied password is used to access the volume.
    • Recovery key. A recovery key, also called a numerical password, is stored as a specified file in a USB memory device. It is a sequence of 48 digits divided by dashes.
    • Active Directory Domain Services account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector. [/list:u]
    • Any of these protectors encrypt a BitLocker Volume Master Key (VMK) to generate a Full Volume Encryption Key (FVEK), which is then used to encrypt the volume.

        [/list:u] Using Memory Images for Instant Decryption of BitLocker Volumes

          [/list:u] If a given BitLocker volume is mounted, the VMK resides in RAM.

          When Windows displays a standard Windows user login screen, as above, this means that the system BitLocker volume is mounted and the VMK resides in memory. Once a live memory image has been created *, it is possible to use Passware Kit to extract the VMK and decrypt the volume.

          When you turn on a computer configured with the default BitLocker settings, Windows reads the encryption key from the TPM chip, mounts the system drive and proceeds with the boot process. In this case the VMK resides in memory as well.

          Passware Kit extracts the VMK from the memory image (or hibernation file), converts it to FVEK, and decrypts the BitLocker volume. It also recovers the Recovery key and Startup key protectors, if available. A sample result is displayed below:

          As shown on the screenshot above, Passware Kit Forensic displays both the Encryption/Recovery key and Startup key (file) protectors, as well as creates a decrypted copy of the volume.

            [/list:u] SUMMARY

              [/list:u] To summarize, if the memory image contains the VMK, the volume gets decrypted, regardless of the protector type used to encrypt the volume. By extracting this VMK, it is also possible to recover the protectors (Recovery Key and Startup Key).

              However, if the memory image does not contain the VMK (the volume was not mounted during the live memory acquisition, the hibernation file had been overwritten, etc.), it is only possible to decrypt the volume with the Password protector, i.e. to recover the original password (using brute-force or dictionary attacks).

              The password recovery process is time-consuming and depends on the password complexity, any knowledge about the password, and your hardware resources available for password recovery, such as GPUs and availability of distributed computing. As a result, the recovered original password can be used to mount the BitLocker volume.

              For some volumes, Password might not be among protectors used and the volume might be protected with other protectors (e.g. Startup key or TPM + PIN). In this case it is impossible to decrypt the volume without a memory image acquired while the volume was mounted or a hibernation file, which contains the VMK.

              * It is important to acquire a live memory image correctly in order to preserve residing encryption keys. We recommend using the following third-party tools to acquire memory images: Belkasoft Live RAM Capturer and Magnet RAM Capture, both available free of charge, and Recon by SUMURI for macOS.

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...