RE: Bitlocker without PIN
- From: Per Thorsheim <putilutt@xxxxxxxxx>
- Date: Thu, 24 Feb 2011 22:42:14 +0100
Actually not. The hardware Firewire controller in your computer has
direct memory access. Through the Passware kit you connect 2 computers
using firewire. The target computer sees a new Firewire storage device
connecting, and nothing else happens on screen. The attacking computer,
running Passware Kit, makes a live memory dump of all physical memory
over Firewire. Then you'll need a couple of minutes maximum to search
the memory dump to recover the Bitlocker key.
We're talking about a Firewire FEATURE, not a bug.
As I wrote earlier, Passware introduced this at the Passwords^10
conference, and you can see our video recording of their presentation
and live demo (as well as others) here:
Yes, we were pretty amazed and scared at the same time when we saw it
live. I don't remember, but you'll probably hear some comments about
superglue at the Q&A at the end of their presentation.
On Thu, 2011-02-24 at 21:25 +0000, Thor (Hammer of God) wrote:
I assume he's talking about after you have logged on and the computer is locked and you retrieve it from "live" memory a.k.a. the memory freezing attack. I would actually like to see that work IRL. If it were that easy, you wouldn't need recovery agents :)
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of John Lightfoot
Sent: Thursday, February 24, 2011 12:37 PM
To: 'Per Thorsheim'; 'focus-ms'
Subject: RE: Bitlocker without PIN
I agree that transparent Bitlocker is a great security tool.
Per, could you provide more details where you say:
"Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting a pcmcia/expresscard firewire card). No need to logon to Windows there..."
My understanding of the way Bitlocker works is that when you enable full-disk encryption, Bitlocker creates a small, unencrypted partition that contains the Windows login module. Once you've entered your credentials and they've been validated, the login module uses them to access the TPM for the key to decrypt the rest of the hard drive. I do not believe the encryption key is resident in memory until after the login credentials are verified, so I don't think the firewire hack or other memory scanning techniques would allow you to retrieve the key prior to authentication.
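The thread above turns on one configuration detail: a "transparent" (TPM-only) BitLocker protector unseals the volume key at boot with no user interaction, so the key is already in RAM on a locked or logged-in machine, which is what a DMA-capable bus such as Firewire can read. The following is an added defender's audit script, not code from the thread, from Passware or from Microsoft. It uses the real `Get-BitLockerVolume` cmdlet (BitLocker module, Windows 8 / Server 2012 and later, run elevated) and its `KeyProtectorType` values to flag OS volumes that rely on a TPM-only protector, then looks for a 1394 host controller and for the device-installation restriction that Microsoft's guidance uses to block it. The registry path, the `PCI\CC_0C0A` compatible ID and the hypothetical `Test-FirewireDmaExposure` name are assumptions to verify against your own policy baseline.

```powershell
# Added example (not from the thread): audit BitLocker OS volumes for TPM-only
# protectors and for an exposed 1394 (Firewire) host controller.
# Requires the BitLocker PowerShell module and an elevated prompt.

function Test-FirewireDmaExposure {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Protector audit: the OS volume is the one the TPM unseals at boot.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }

        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # Documented KeyProtectorType values: Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, ExternalKey, RecoveryPassword, Password, Unknown.
        $preBootAuth = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
        $hasPreBoot  = ($types | Where-Object { $preBootAuth -contains $_ }).Count -gt 0

        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$($vol.MountPoint): BitLocker protection is OFF")
        }
        elseif (($types -contains 'Tpm') -and -not $hasPreBoot) {
            # Transparent mode: the VMK is unsealed without a PIN or startup key,
            # so the FVEK is resident in RAM whenever Windows is running.
            $findings.Add("$($vol.MountPoint): TPM-only protector (no pre-boot PIN/key); key is in memory at boot")
        }
    }

    # 2. Is there a 1394 host controller at all? (Get-PnpDevice: Windows 8.1+)
    $fw = Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue |
          Where-Object { $_.Status -eq 'OK' }
    if ($fw) {
        $findings.Add("Active 1394 host controller(s): " + ($fw.FriendlyName -join '; '))
    }

    # 3. Assumed policy location (verify against your baseline): device-installation
    # restrictions that deny the 1394 controller compatible ID PCI\CC_0C0A.
    $denyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs'
    $blocked = $false
    if (Test-Path $denyKey) {
        $ids = (Get-ItemProperty -Path $denyKey).PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } |
               ForEach-Object { $_.Value }
        $blocked = $ids -contains 'PCI\CC_0C0A'
    }
    if ($fw -and -not $blocked) {
        $findings.Add("1394 controller present but PCI\CC_0C0A is not denied by device-installation policy")
    }

    [pscustomobject]@{
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

# Usage: print the verdict and each finding on its own line.
$result = Test-FirewireDmaExposure
"Exposed: $($result.Exposed)"
$result.Findings | ForEach-Object { " - $_" }
```

A clean result is an OS volume whose protectors include `TpmPin` (or a startup key) and no active 1394 controller, or one that policy prevents from being installed; the "superglue" joke in the thread is the physical version of the same control. Adding a PIN addresses the pre-authentication case John describes, while a locked but running machine still holds the key, so the device-block finding matters independently of the protector finding.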