Focus on Microsoft
RE: Bitlocker without PIN Feb 24 2011 09:34AM
Per Thorsheim (putilutt online no) (2 replies)
Re: Bitlocker without PIN Feb 25 2011 10:54AM
Ansgar Wiechers (bugtraq planetcobalt net)
RE: Bitlocker without PIN Feb 24 2011 05:07PM
Thor (Hammer of God) (thor hammerofgod com) (3 replies)
RE: Bitlocker without PIN Feb 24 2011 09:43PM
rwagg (at) robhome (dot) com (rwagg robhome com) (1 reply)
RE: Bitlocker without PIN Feb 24 2011 10:06PM
David Lum (David Lum NWEA org)
RE: Bitlocker without PIN Feb 24 2011 09:33PM
Per Thorsheim (putilutt online no)
RE: Bitlocker without PIN Feb 24 2011 08:37PM
John Lightfoot (jlightfoot gmail com) (2 replies)
RE: Bitlocker without PIN Feb 24 2011 10:42PM
Per Thorsheim (putilutt online no) (1 replies)
RE: Bitlocker without PIN Feb 25 2011 03:02AM
Thor (Hammer of God) (thor hammerofgod com)
RE: Bitlocker without PIN Feb 24 2011 09:25PM
Thor (Hammer of God) (thor hammerofgod com) (2 replies)
Re: Bitlocker without PIN Feb 24 2011 10:18PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
RE: Bitlocker without PIN Feb 25 2011 03:41PM
Jim Harrison (Jim isatools org) (2 replies)
Re: Bitlocker without PIN Mar 04 2011 06:20PM
Susan Bradley (sbradcpa pacbell net)
RE: Bitlocker without PIN Feb 25 2011 06:01PM
Per Thorsheim (putilutt online no)
RE: Bitlocker without PIN Feb 24 2011 09:42PM
Per Thorsheim (putilutt online no)
Actually not. The hardware Firewire controller in your computer has
direct memory access. Through the Passware kit you connect 2 computers
using firewire. The target computer sees a new Firewire storage device
connecting, and nothing else happens on screen. The attacking computer,
running Passware Kit, makes a live memory dump of all physical memory
over Firewire. Then you'll need a couple of minutes maximum to search
the memory dump to recover the Bitlocker key.

We're talking about a Firewire FEATURE, not a bug.

As I wrote earlier, Passware introduced this at the Passwords^10
conference, and you can see our video recording of their presentation
and live demo (as well as others) here:
ftp://ftp.ii.uib.no/pub/passwords10/

Yes, we were pretty amazed and scared at the same time when we saw it
live. I don't remember, but you'll probably hear some comments about
superglue at the Q&A at the end of their presentation.

Best regards,
Per Thorsheim

On Thu, 2011-02-24 at 21:25 +0000, Thor (Hammer of God) wrote:
> I assume he's talking about after you have logged on and the computer is locked and you retrieve it from "live" memory a.k.a the memory freezing attack. I would actually like to see that work IRL. If it were that easy, you wouldn't need recovery agents :)

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of John Lightfoot
> Sent: Thursday, February 24, 2011 12:37 PM
> To: 'Per Thorsheim'; 'focus-ms'
> Subject: RE: Bitlocker without PIN
>
> I agree that transparent Bitlocker is a great security tool.
>
> Per, could you provide more details where you say:
>
> "Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting a pcmcia/expresscard firewire card). No need to logon to Windows there..."
>
> My understanding of the way Bitlocker works is that when you enable full-disk encryption, Bitlocker creates a small, unencrypted partition that contains the Windows login module. Once you've entered your credentials and they've been validated, the login module uses them to access the TPM for the key to decrypt the rest of the hard drive. I do not believe the encryption key is resident in memory until after the login credentials are verified, so I don't think the firewire hack or other memory scanning techniques would allow you to retrieve the key prior to authentication.
>

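An added example, not part of the original thread or of any tool it mentions: a small Python audit that reads the text printed by `manage-bde -protectors -get <volume>` and flags volumes whose only boot-time protector is the TPM, the "without PIN" setup this thread discusses. The protector labels and the sample output are assumptions, constructed for illustration from the tool's English output.

```python
import re

# Constructed sample in the layout printed by `manage-bde -protectors -get C:`.
TPM_ONLY = """\
Volume C: [OSDisk]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000001}

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000002}
"""
TPM_PIN = TPM_ONLY.replace("    TPM:", "    TPM And PIN:")  # same volume, PIN added

# Protector labels assumed from the tool's English output.
PREBOOT_AUTH = {"TPM And PIN", "TPM And Startup Key", "TPM And PIN And Startup Key"}
KNOWN = PREBOOT_AUTH | {"TPM", "Numerical Password", "External Key", "Password"}
VOLUME_RE = re.compile(r"^Volume\s+(\S+)")
LABEL_RE = re.compile(r"^\s+([A-Za-z ]+):\s*$")  # a label alone on its line

def parse_protectors(text):
    """Return {volume: [protector labels]} from manage-bde output."""
    volumes, current = {}, None
    for line in text.splitlines():
        if m := VOLUME_RE.match(line):
            current = volumes.setdefault(m.group(1), [])
        elif (m := LABEL_RE.match(line)) and current is not None:
            if m.group(1) in KNOWN:
                current.append(m.group(1))
    return volumes

def audit(text):
    """Classify volumes by whether the TPM releases the key with no user input."""
    report = {}
    for vol, prots in parse_protectors(text).items():
        if "TPM" in prots:
            report[vol] = "tpm-only"      # key is in RAM as soon as the machine boots
        elif PREBOOT_AUTH & set(prots):
            report[vol] = "preboot-auth"  # PIN or startup key required first
        else:
            report[vol] = "no-tpm"
    return report

if __name__ == "__main__":
    for vol, status in audit(TPM_ONLY).items():
        print(vol, status)
```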
Copyright 2010, SecurityFocus