Using a memory image to decrypt BitLocker

6 comments

  • Lars Lincoln

    Hi Yana, you mention in this article that 'When Windows displays a standard Windows user login screen, this means that the system BitLocker volume is mounted and the VMK resides in memory. Once a live memory image has been created *, it is possible to use Passware Kit to extract the VMK and decrypt the volume'

    You are implying here that a RAM capture/live memory image can occur from the login screen with the tools suggested; however, this does not seem to be the case. You need to have the login password/PIN in this case to extract the VMK from the RAM capture, so that you can run a RAM capture tool executable from a USB.

    Please do let me know if you know of any tools that have the ability to capture RAM from a locked screen.

    Thanks

    Lars

  • Yana Gourenko

    Dear Lars Lincoln

    We have explored your request with our Research team and have updated the note as follows:

    It is important to acquire a live memory image correctly in order to preserve the encryption keys residing in memory. A warm boot can be performed using a Windows Secure Boot compatible Linux distribution.

    I hope this answers your question.

  • Adam Walker

    Hi Yana

    How reliable is the Passware Bootable Memory Imager on a system with a BitLocker-enabled boot drive? I am surprised that the keys reside in memory and are not wiped from RAM. It looks to me that unless the following registry key is set: https://docs.microsoft.com/en-us/mem/configmgr/protect/tech-ref/bitlocker/settings#prevent-memory-overwrite-on-restart, the method would not be successful, as the system will wipe memory on restart. Best wishes.

  • Yana Gourenko

    Adam Walker, we have had many successful cases, but it is important to note that this is possible only in the case of a reboot made with the hardware button. Any reboot performed via the software option will most likely erase the keys from memory.

  • Vaidhy Swaminathan

    Hi Yana,

    If we receive a computer that is powered down with TPM enabled and secure boot disabled, would following the steps listed in the article allow us to retrieve the VMK?

  • Yana Gourenko

    Dear Vaidhy,

    I have replied to you on a support ticket; there are many points that need clarifying first.
