To be 100% sure about my reply, I double-checked with Passware directly.
Their answer is simple and straight forward:

"By the time windows GUI loads and the windows logon screen is displayed
the key is read from TPM and is available in memory. The only way around
this is to use pre-boot authentication."

Best regards,
Per Thorsheim
securitynirvana.blogspot.com

On Thu, 2011-02-24 at 15:37 -0500, John Lightfoot wrote:
> I agree that transparent Bitlocker is a great security tool.
>
> Per, could you provide more details where you say:
>
> "Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting an pcmcia/expresscard firewire card). No need to logon to Windows there..."
>
> My understanding of the way Bitlocker works is that when you enable full-disk encryption, Bitlocker creates a small, unencrypted partition that contains the Windows login module. Once you've entered your credentials and they've been validated, the login module uses them to access the TPM for the key to decrypt the rest of the hard drive. I do not believe the encryption key is resident in memory until after the login credentials are verified, so I don't think the firewire hack or other memory scanning techniques would allow you to retrieve the key prior to authentication.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAk1m3sMACgkQsXl+Y9DQrvZIfgCfWIyV8ul0EgaoGY2nhcWbFz4M
LeEAoIpXmey9+5he5GTrn4ddadIHdduH
=790X
-----END PGP SIGNATURE-----

[ reply ]