How to decrypt BitLocker using Passware Kit


Comments


  • Lars Lincoln

    Hi Yana, you mention in this article that 'When Windows displays a standard Windows user login screen, this means that the system BitLocker volume is mounted and the VMK resides in memory. Once a live memory image has been created *, it is possible to use Passware Kit to extract the VMK and decrypt the volume'

    You are implying here that a RAM capture/live memory image can occur from the login screen with the tools suggested; however, this does not seem to be the case. You need to have the login password/PIN in this case to extract the VMK from the RAM Capture so that you can run a RAM Capture tool executable from a USB.

    Please do let me know if you know of any tools that have the ability to capture RAM from a locked screen.

    Thanks

    Lars

  • Yana Gourenko

    Dear Lars Lincoln,

    We have explored your request with our Research team and have updated the note as follows:

    It is important to acquire a live memory image correctly in order to preserve residing encryption keys. A warm boot can be performed using a Windows Secure Boot compatible Linux distribution.

    I hope this answers your question.

