Focus on Microsoft
RE: Bitlocker without PIN Feb 24 2011 09:34AM
Per Thorsheim (putilutt online no) (2 replies)
Re: Bitlocker without PIN Feb 25 2011 10:54AM
Ansgar Wiechers (bugtraq planetcobalt net)
RE: Bitlocker without PIN Feb 24 2011 05:07PM
Thor (Hammer of God) (thor hammerofgod com) (3 replies)
RE: Bitlocker without PIN Feb 24 2011 09:43PM
rwagg (at) robhome (dot) com [email concealed] (rwagg robhome com) (1 replies)
RE: Bitlocker without PIN Feb 24 2011 10:06PM
David Lum (David Lum NWEA org)
RE: Bitlocker without PIN Feb 24 2011 09:33PM
Per Thorsheim (putilutt online no)
RE: Bitlocker without PIN Feb 24 2011 08:37PM
John Lightfoot (jlightfoot gmail com) (2 replies)
RE: Bitlocker without PIN Feb 24 2011 10:42PM
Per Thorsheim (putilutt online no) (1 replies)
RE: Bitlocker without PIN Feb 25 2011 03:02AM
Thor (Hammer of God) (thor hammerofgod com)
It is my understanding that this is not actually how it works. "A" key is in memory, but not "THE" key. I think that Mr. Lightfoot is more correct in that only certain files can be accessed when booted directly without a PIN. A valid user must log on in order to access data.

The file you reference is 1.7 gig, so I was hoping you could tell me if they actually DID anything with the key as in accessing datafiles after they got the key during the presentation. I would interested in what happened after that...

t

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Per Thorsheim

Sent: Thursday, February 24, 2011 2:42 PM

To: John Lightfoot; focus-ms

Subject: RE: Bitlocker without PIN

To be 100% sure about my reply, I double-checked with Passware directly.

Their answer is simple and straight forward:

"By the time windows GUI loads and the windows logon screen is displayed the key is read from TPM and is available in memory. The only way around this is to use pre-boot authentication."

Best regards,

Per Thorsheim

securitynirvana.blogspot.com

On Thu, 2011-02-24 at 15:37 -0500, John Lightfoot wrote:

> I agree that transparent Bitlocker is a great security tool.

>

> Per, could you provide more details where you say:

>

> "Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting an pcmcia/expresscard firewire card). No need to logon to Windows there..."

>

> My understanding of the way Bitlocker works is that when you enable full-disk encryption, Bitlocker creates a small, unencrypted partition that contains the Windows login module. Once you've entered your credentials and they've been validated, the login module uses them to access the TPM for the key to decrypt the rest of the hard drive. I do not believe the encryption key is resident in memory until after the login credentials are verified, so I don't think the firewire hack or other memory scanning techniques would allow you to retrieve the key prior to authentication.

[ reply ]
RE: Bitlocker without PIN Feb 24 2011 09:25PM
Thor (Hammer of God) (thor hammerofgod com) (2 replies)
Re: Bitlocker without PIN Feb 24 2011 10:18PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
RE: Bitlocker without PIN Feb 25 2011 03:41PM
Jim Harrison (Jim isatools org) (2 replies)
Re: Bitlocker without PIN Mar 04 2011 06:20PM
Susan Bradley (sbradcpa pacbell net)
RE: Bitlocker without PIN Feb 25 2011 06:01PM
Per Thorsheim (putilutt online no)
RE: Bitlocker without PIN Feb 24 2011 09:42PM
Per Thorsheim (putilutt online no)


 

Privacy Statement
Copyright 2010, SecurityFocus