is it possible to work around Bitlocker?


22 replies to this topic

#1 P3nnyw1se (Members, 23 posts)
Posted 06 August 2013 - 02:15 AM

So.. I had an issue with a computer yesterday; it's a company machine and had a virus on it.
I wanted to start it in safe mode to fix this problem, but couldn't, since the machine had BitLocker activated and I didn't have the code.

 

Well, I got the code by opening CMD as Administrator and typing in: "cscript manage-bde.wsf -protectors -get c:"
I have since decrypted it.

Now, as an Administrator, I am of course aware I'm supposed to be able to do this.
I couldn't help but wonder though, are there known workarounds regarding BitLocker?
My company uses BitLocker and considers it 100% safe "unless we are dealing with great hackers or the NSA".

Are there ways to unlock BitLocker without being administrator or having the key?
Like if I e.g. physically removed the hard drive from the machine and hooked it up to another machine, would I somehow be able to access it?
 

 

I apologize for my English; it's a second language to me.
Regards, /Allan


Edited by P3nnyw1se, 06 August 2013 - 02:18 AM.



#2 noknojon (Banned, 10,871 posts)
Posted 06 August 2013 - 05:26 AM

> My Company uses Bitlocker and considers it 100% safe "unless we are dealing with great hackers or the NSA"

Why don't you just ask for the password ??

If you are not allowed to have the password, there must be a very good reason .........



#3 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 06 August 2013 - 05:48 AM

The password was literally lost. I'm an IT consultant here and I have more than the right to read the passwords; it just wasn't on the list.

We have more than 300 computers, and for reasons unknown to me, only something like 290 listed BitLocker passwords.



#4 noknojon (Banned, 10,871 posts)
Posted 06 August 2013 - 05:54 AM

> Well I can tell you now I fixed it.
> After unlocking BitLocker I was able to start in safe mode and identify a virus called 'browserManager'.
> Once I had Malwarebytes remove it, it seems to work again.

Your last reply said you unlocked the computers ???



#5 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 06 August 2013 - 06:19 AM

 

> Well I can tell you now I fixed it.
> After unlocking BitLocker I was able to start in safe mode and identify a virus called 'browserManager'.
> Once I had Malwarebytes remove it, it seems to work again.
>
> Your last reply said you unlocked the computers ???

First of all, to be honest, it's a little confusing that you insist on pulling another topic into this thread.
This post was about working around BitLocker in general, not about any specific computer.

And whether I had the rights to get the codes or not, that was in the Vista forum.

And yes, I unlocked it, without having the password.
Opening CMD as administrator and running a command, it was possible. It's all right there in my OP,
if you read that.


Edited by P3nnyw1se, 06 August 2013 - 06:20 AM.


#6 noknojon (Banned, 10,871 posts)
Posted 06 August 2013 - 06:57 AM

This is a direct quote from M/soft for computers with Windows 7:

> There is no way to access the data if you have forgotten the password and lost the recovery key.
>
> Tracy Cai
> TechNet Community Support



#7 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 06 August 2013 - 07:04 AM

> This is a direct quote from M/soft for computers with Windows 7 ..........
>
> There is no way to access the data if you have forgotten the password and lost the recovery key.
>
> Tracy Cai
> TechNet Community Support

Well, that's simply wrong.. it's actually very easy.. as long as you are administrator on a PC you can do anything you want.

I think you misunderstand Tracy.. he mentions two separate things, password and recovery key.
He must mean password as in 'Administrator account password', because he certainly should know that if you can log in as Administrator to a PC,
there is no limit to what you can do.. and that also includes deactivating BitLocker without having the code for it.

Go ahead and try it yourself... activate BitLocker on your drive,
and trust me, you don't have to write down the code.

Then open CMD as administrator and type:
cscript manage-bde.wsf -off c:

And then you can go ahead and watch the decryption percentage by percentage with this command:

cscript manage-bde.wsf -status

You can in fact also pull out the code with this command:
cscript manage-bde.wsf -protectors -get c:

I have right in front of me a computer that had BitLocker on it yesterday, and now doesn't, and I never found the code.

But if you don't trust me, you can try it, or you can just copy/paste the command I gave you here and see what Google tells you.

Source -> http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/


Edited by P3nnyw1se, 06 August 2013 - 07:17 AM.


#8 Didier Stevens (BC Advisor, 2,685 posts)
Posted 06 August 2013 - 03:38 PM

Can you specify if the computer has a TPM chip?

You say you didn't have the code.

Do you mean the PIN?

So you were not able to boot the computer.

And then you obtained the PIN and were able to boot the computer with this PIN?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 07 August 2013 - 04:41 AM

I'm going to do it step by step so you can see what I did.

In 'my' documentation I have hundreds of .txt files named after each BitLocker ID,
e.g.: {K12D16B4-B2D5-41D3-8705-1D220CC09875}.
Inside I would find a 48-character-long code to go with it.
With each txt file follows a TMP file of the same name.

When I booted the computer and attempted to start safe mode,
it told me BitLocker was activated and I needed to provide the code to unlock it,
or else I wouldn't be able to start in safe mode.

It supplied me with an ID like the one above.

From another computer I looked through the documentation and only found the TMP file that fit the ID, so somebody must have deleted the txt file by mistake,
or moved it; there are several possible scenarios.
I have no experience with TMP files though and didn't even attempt to use/open it.

With the 48-char-long code being lost to me, I searched Google for alternative ways to unlock BitLocker, and then tried one.

I started Windows in normal mode (which didn't require BitLocker).
I opened CMD as administrator.
Wrote this command: cscript manage-bde.wsf -off c:
It told me it had started BitLocker decryption.

Using this command
cscript manage-bde.wsf -status
I could overview the decryption.
I saw how it started with 'hard drive 100% encrypted',
and after 8 hours or so it was on 0% encrypted.

I rebooted and was now able to start in safe mode, without it ever asking for any code.
It also now states BitLocker is deactivated on the computer through Windows.

 


Edited by P3nnyw1se, 07 August 2013 - 05:48 AM.
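
As an added example (not code from the thread, from the linked blog post, or from Microsoft): the check a security engineer would run across a fleet after reading the two posts above. It is a PowerShell script that, for each volume, lists which key protectors exist, flags an operating-system volume whose only boot-time protector is the TPM (the configuration in which a local administrator can dump the recovery password with manage-bde -protectors -get and decrypt with manage-bde -off, as described above), prints the ID of each recovery-password protector so the 48-digit password in the documentation can be matched to the ID the pre-boot screen shows, and with -Escrow backs the recovery passwords up to Active Directory so a deleted .txt file no longer loses the key. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; Windows 7 only has manage-bde.exe, whose equivalent commands are in the comments) and an elevated prompt. The -Escrow switch and the script name are this example's own.

```powershell
<#
  Added example, not code from the thread or from Microsoft: audit which
  BitLocker key protectors each volume has and optionally escrow the recovery
  passwords to Active Directory. Assumes the BitLocker PowerShell module
  (Windows 8 / Server 2012 and later) and an elevated prompt. manage-bde.exe
  equivalents (Windows 7) are given in comments.
#>
[CmdletBinding()]
param(
    # Back up every recovery-password protector to AD DS (domain-joined only).
    # Without this switch the script is read-only.
    [switch]$Escrow
)

# A TPM-only protector unlocks the OS volume with no user secret at boot, so
# the machine boots straight to the logon screen. Anyone who can then log on
# as a local administrator can read the recovery password
# (manage-bde -protectors -get C:) and turn BitLocker off (manage-bde -off C:).
# A PIN or startup key before boot is what keeps that from working without
# the recovery password. Note: an ExternalKey protector (USB startup or
# recovery key) is not distinguished from a startup key here.
foreach ($vol in Get-BitLockerVolume) {                       # manage-bde -status
    $protectors = @($vol.KeyProtector)
    $types      = @($protectors | ForEach-Object { "$($_.KeyProtectorType)" })
    # Protectors that can unlock the volume at boot, i.e. everything that is
    # not the recovery password.
    $unlockers  = @($types | Where-Object { $_ -ne 'RecoveryPassword' })

    $finding = if ($vol.ProtectionStatus -ne 'On') {
        'NOT PROTECTED'
    } elseif ($vol.VolumeType -eq 'OperatingSystem' -and
              $unlockers.Count -gt 0 -and
              @($unlockers | Where-Object { $_ -ne 'Tpm' }).Count -eq 0) {
        'TPM-ONLY (no pre-boot PIN or startup key)'
    } else {
        'OK'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        VolumeType = "$($vol.VolumeType)"
        Status     = "$($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
        Protectors = ($types -join ', ')
        Finding    = $finding
    }

    if ($finding -like 'TPM-ONLY*') {
        # Remediation is interactive and deliberately not run here. If the
        # cmdlet reports that a TPM protector already exists, remove that
        # TPM-only protector first with Remove-BitLockerKeyProtector.
        $fix = ("{0}: add a pre-boot secret, e.g. Add-BitLockerKeyProtector -MountPoint {0} " +
                "-TpmAndPinProtector -Pin (Read-Host 'PIN' -AsSecureString)  " +
                "[manage-bde -protectors -add {0} -TPMAndPIN]") -f $vol.MountPoint
        Write-Warning $fix
    }

    foreach ($p in $protectors | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }) {
        # The pre-boot recovery screen shows this protector ID; match the
        # escrowed password by ID, not by hostname alone. Only a masked form
        # is printed so the full 48-digit password never lands in a console log.
        $masked = if ($p.RecoveryPassword) { $p.RecoveryPassword.Substring(0, 6) + '-******-...' } else { '(unavailable)' }
        Write-Host ("  recovery protector {0} -> {1}" -f $p.KeyProtectorId, $masked)

        if ($Escrow) {
            # manage-bde -protectors -adbackup C: -id {GUID}
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Host ("  escrowed {0} to AD DS" -f $p.KeyProtectorId)
        }
    }
}
```

Run it without switches for a read-only report, or with -Escrow on domain-joined machines where the BitLocker recovery information policy allows AD backup. The script masks the recovery password in its own output on purpose: the full password should only ever travel to AD DS (or the key-management system in use), never into a console transcript or a .txt file that somebody can delete by mistake.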


#10 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 07 August 2013 - 05:25 AM

Now, Didier Stevens, I can't help but wonder something.

Let's assume

a: that I'm able to pull a hard drive from a computer that has BitLocker activated, plug it into another computer and take ownership of the hard drive;
b: that I'm able to unlock BitLocker this way, as I'm now owner/administrator of the hard drive.

Isn't that.. a security issue with BitLocker? Or did I miss something? It's all very new to me.


Edited by P3nnyw1se, 07 August 2013 - 05:32 AM.


#11 Didier Stevens (BC Advisor, 2,685 posts)
Posted 07 August 2013 - 11:48 AM

Yes, I can answer your questions.

 

But first I want to make sure I understand exactly what you observed.

 

From what you describe, that 48-character code is most likely the recovery password. Is it all digits? Thus no letters, only digits?

 

And I think you misread my question. I'm asking about the TPM chip (Trusted Platform Module), not TMP files (temporary files).

https://en.wikipedia.org/wiki/Trusted_Platform_Module

This TPM chip is a hardware component used by BitLocker. It's usually not found in consumer laptops, but most often found in laptops for the professional market, like corporations.

So did this machine have a TPM chip?




#12 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 07 August 2013 - 03:10 PM

Yes, the password is all digits, and I'm sorry I don't remember the specific name for this password,

but recovery password is probably right.

It sounds about right that it would have a TPM chip; the machine is a Lenovo T61 and from what I can tell they do have that.

 



#13 Didier Stevens (BC Advisor, 2,685 posts)
Posted 07 August 2013 - 04:19 PM

Yes, the Lenovo T61 has a TPM chip.

Now for your concerns about the security of this.

I'm assuming that this laptop only uses the TPM for encryption (thus no PIN and no USB key).

So the user powers on the laptop, doesn't need to enter any password (the PIN), waits for Windows to boot, then enters his credentials to log on.

If you have the recovery password (your 48-digit code), you can always decrypt the disk. That's the purpose of the recovery password. So it has to be kept very secure.

When BitLocker drive encryption is used on a machine with a TPM chip, this chip is used to protect the keys and to provide integrity for the boot sequence.

If you remove the encrypted hard disk from such a machine with a TPM chip, install it in another machine and boot it, it will not unlock the drive, hence Windows will not boot.

There is a known attack against disk encryption with a TPM chip: the cold boot attack https://en.wikipedia.org/wiki/Cold_boot_attack

Simply put: when a machine is running or in sleep mode, the encryption keys are in RAM and can be stolen from memory.


Edited by Didier Stevens, 07 August 2013 - 04:23 PM.



#14 P3nnyw1se (Topic Starter, Members, 23 posts)
Posted 08 August 2013 - 03:49 AM

Alright, I see what you mean and the purpose of the chip.

Regarding the cold boot attack, we of course know any good hacker could access our machines.
I don't think we consider this a risk; our policy is that employees aren't supposed to place 'that' critical data
on the hard disk, which would make a hacker want to break into a machine.
The limited 'really' critical data we have is only on our in-house servers.

Now what if I placed the hard drive removed from the T61 as a secondary hard drive in another computer?
While you say it wouldn't be allowed to boot from, couldn't I assume ownership of that hard drive, booting from the 'other' hard disk,
enter the drive in cmd, e.g. 'd:\',
and then use the commands I used to remove the encryption,
and thus never have to face the key?

I'm trying to look for loopholes that 'most' people could do,
because that would be a concern to us.
 


Edited by P3nnyw1se, 08 August 2013 - 04:03 AM.


#15 Didier Stevens (BC Advisor, 2,685 posts)
Posted 08 August 2013 - 01:17 PM

If you connect this encrypted hard disk (protected by the TPM) as a primary or secondary disk in another computer, then this other computer has no keys to decrypt the hard disk.

So even if you connect it as a secondary disk, you cannot decrypt it.

Assuming you don't have the recovery password.


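
The answer above can be checked directly. The following is an added example (not code from the thread or from Microsoft) of the scenario asked about in #14: the T61's disk attached as a secondary drive in another PC. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, and that the disk shows up as D: (an assumed drive letter). It reports the volume's lock status, shows that an administrator without the recovery password gets nowhere (the volume key is sealed to the original machine's TPM, so taking ownership of the disk or running Disable-BitLocker / manage-bde -off does nothing on a locked volume), and unlocks only when the 48-digit recovery password is supplied. The format check it applies first (8 groups of 6 digits, each a multiple of 11 and below 720896) is the published structure of a BitLocker recovery password; it catches a mistyped digit and says nothing about whether the password is the right one. The function names and the D: default are this example's own.

```powershell
<#
  Added example, not code from the thread: the "pull the drive and mount it in
  another PC" scenario. Assumes the BitLocker PowerShell module (Windows 8 /
  Server 2012 and later), an elevated prompt, and the encrypted disk attached
  as a data volume (D: is an assumed drive letter).
#>
param(
    [string]$MountPoint = 'D:',
    # 48-digit recovery password, with or without dashes. Leave empty to see
    # what an administrator without it can (not) do.
    [string]$RecoveryPassword = ''
)

# Structural check on a BitLocker recovery password: 8 groups of 6 digits,
# each group a multiple of 11 (the built-in checksum) and below 720896 so it
# divides into a 16-bit value. Catches typos only; it cannot tell a wrong
# password from the right one.
function Test-RecoveryPasswordFormat {
    param([string]$Password)
    $digits = $Password -replace '[^0-9]', ''
    if ($digits.Length -ne 48) { return $false }
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        if ($group % 11 -ne 0 -or $group -ge 720896) { return $false }
    }
    return $true
}

# Normalise to the dashed form Unlock-BitLocker / manage-bde -unlock expect.
function Format-RecoveryPassword {
    param([string]$Password)
    $digits = $Password -replace '[^0-9]', ''
    return ((0..7 | ForEach-Object { $digits.Substring($_ * 6, 6) }) -join '-')
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint            # manage-bde -status D:
$protTypes = ($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ', '
"{0}: {1}, lock status {2}, protectors: {3}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.LockStatus, $protTypes

if ($vol.LockStatus -eq 'Unlocked') {
    # Only happens when this machine already holds a protector for the volume
    # (its own TPM, an auto-unlock key or a password protector on a data volume).
    "Already unlocked on this machine; Disable-BitLocker -MountPoint $MountPoint (manage-bde -off) would work here."
    return
}

# Locked: the volume master key is sealed to the original machine's TPM. Disk
# ownership, local admin rights, Disable-BitLocker and manage-bde -off all
# need an unlocked volume, so the only way in is a protector you hold.
if (-not $RecoveryPassword) {
    "Locked and no recovery password supplied: nothing an administrator on this PC can do with it."
    return
}
if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
    throw "Recovery password is malformed (48 digits in 8 groups, each divisible by 11 and below 720896)."
}

# manage-bde -unlock D: -RecoveryPassword 123456-123456-...
Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword (Format-RecoveryPassword $RecoveryPassword) | Out-Null
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"After unlock: lock status {0}" -f $vol.LockStatus

# Only now does the decrypt step from the thread apply:
#   Disable-BitLocker -MountPoint D:      (manage-bde -off D:)
# It is left as a comment; an unlocked volume is already readable.
```

Run with only -MountPoint to confirm that a moved disk stays Locked, then again with -RecoveryPassword to see the unlock succeed. If the volume comes up Unlocked without a password on the second machine, that is the finding to chase: it means a protector other than the original TPM (a clear key from a suspended BitLocker, or an auto-unlock key) is present, and the disk was not protected the way the T61's was.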




