Re: Bitlocker without PIN



On 2011-02-24 Per Thorsheim wrote:
"Transparent" Bitlocker with TPM and direct boot to Windows Logon is not
a good idea in terms of security.

At the Passwords^10 conference in Dec 2010, Passware revealed their
newest version of their forensic toolkit. You probably want to see that:
ftp://ftp.ii.uib.no/pub/passwords10/

Using Passware Forensic Toolkit you can extract the bitlocker key using
live memory dumping through Firewire (either by using an existing
Firewire port, or by inserting a pcmcia/expresscard firewire card). No
need to log on to Windows there...

Depending on your configuration, the hibernation file may be
unencrypted. This can then be extracted from the disk and analyzed to
get the bitlocker decryption key as well.

Lessons learned:
1. Superglue for your Firewire and pcmcia/expresscard ports
2. Do not allow hibernation mode OR encrypt the hibernation file as well
3. Always use Pre-Boot Authentication (PBA) in some form (pin, password,
smartcard..)

4. http://www.securityresearch.at/publications/windows_firewire_blocker.pdf

It should be able to mitigate the risks you outlined above.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
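
Lessons 2 and 3 in the thread above can be checked on a given machine. The following is an added example, not part of the original messages: a PowerShell audit that flags a TPM-only ("transparent") operating system volume and reports whether hibernation is enabled. It assumes an elevated prompt and the BitLocker module (Windows 8 / Server 2012 or later); the function name Get-BootAuthFinding and the OK/WARN/FAIL wording are made up for this example.

```powershell
# Added example (not from the original thread). Run from an elevated prompt.
# Get-BitLockerVolume requires the BitLocker module (Windows 8 / Server 2012 or later).

function Get-BootAuthFinding {
    # Hypothetical helper: classify one OS volume from its protection status
    # and the type names of its key protectors.
    param(
        [string]$ProtectionStatus,
        [string[]]$ProtectorTypes
    )
    if ($ProtectionStatus -ne 'On') {
        return 'FAIL: BitLocker protection is off or suspended'
    }
    if ($ProtectorTypes -contains 'Tpm') {
        # A TPM-only protector releases the volume key with no user input,
        # which is the "transparent" mode the thread warns about.
        return 'FAIL: TPM-only protector, volume unlocks without pre-boot authentication'
    }
    $pba = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
    if ($ProtectorTypes | Where-Object { $_ -in $pba }) {
        return 'OK: pre-boot authentication is required'
    }
    # For example only ExternalKey or recovery protectors are present.
    return 'WARN: no recognised boot protector, review manually'
}

# Lesson 3: every operating system volume should require a PIN, password or startup key.
$osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
foreach ($vol in $osVolumes) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $finding = Get-BootAuthFinding -ProtectionStatus $vol.ProtectionStatus.ToString() `
                                   -ProtectorTypes $types
    '{0} {1}' -f $vol.MountPoint, $finding
}

# Lesson 2: hibernation writes memory contents (including the volume key) to hiberfil.sys.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                          -Name HibernateEnabled -ErrorAction SilentlyContinue
if ($power.HibernateEnabled -eq 1) {
    'WARN: hibernation is enabled; confirm hiberfil.sys is on a protected volume or run "powercfg /h off"'
} else {
    'OK: hibernation is not enabled in the registry'
}
```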