As hard-wired as any Application Specific Integrated Circuit it seems the Infosec community can’t go a week without some ruckas. This holiday it’s Russian ElcomSoft and their Forensic DiskDecryptor tool. Yours for only $299! (or £300 if you read El Reg) which makes it between 9,131 & 14,813 Rubles at today’s rate.
This tool can reportedly grab encryption keys from memory thereby upsetting users of BitLocker, PGP, TrueCrypt. Another tool (Passware Forensic Kit) adds FileVault2 to the list.
However, some guy called Bruce didn’t believe it was ‘all that’, causing the following reaction:
This SpiderLabs post is only concerned with my own unique BitLocker bypass technique, allow me to lighten the mood somewhat and jump right in, to April 2009 to be precise.
We don’t need no steenkin’ tools (and other movie references)
O.K. BitLocker has a number of known (mostly theoretical) vulnerabilities but arguably the most critical, only seems to have been acknowledged by Microsoft themselves.
What if I told you I could access Mr Bean’s encrypted laptop by ambushing him with nothing more than a cup of coffee?*
…and that according to Microsoft this is expected behaviour?
Bit Locker is supposed to protect against moving an encrypted drive from one machine to another.
Not necessarily… not if the user never logged out.
Time to clean up
So how did I find this out?
Back in April 2009 and only a month into my probation with SpiderLabs I killed my Trusted Platform Module (TPM) and BitLocker enabled Vista laptop with drain cleaner.
The laptop was logged in on the kitchen table when I decided to unblock the shower during my lunch break. The drain cleaner which had been left to do it's work for 24 hours had failed, so using a springy pipe cleaner designed for the purpose, the blockage was removed… along with the cheap 'push to fit' plumbing. I should perhaps mention that this was a recently installed bathroom to replace the previously leaky bath/shower and the reason why there was no ceiling in the kitchen. Consequently all the drain cleaner and water poured directly onto the kitchen table and laptop below… (Sorry Nick!)
I imagine CSI forensic investigators can tell you the same thing. A few inches of fluid can go a long way. The laptop had shorted out and the drain cleaner had already started to melt the keyboard. Pulling out the now dead power supply and racing to extract the hard drive seemed my only hope.
I never did mind the little things
Had I saved my Bitlocker encryption keys? Where? A call to IT Support told me they didn't have them. A few deep breaths and they were recovered from a logical place. Now I just needed a SATA docking device to read the disk. A quick trip to the local electronic store and normal service could resume. Well, not quite. Real world instructions for BitLocker are not exactly forthcoming. After much frustrated hunting around umpteen Microsoft web pages and blog posts I had the necessary manage-bde.exe and instructions. I needn’t have bothered.
Bitlocker was aware there was an issue as demonstrated by the exclamation mark over the UNLOCKED padlock icon.
Imagine my surprise when powering up the now external ‘BitLocker To Go’ hard drive and witnessing all my files still in clear-text.
“When BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume master key with a clear key.” – Is that so?
More digging around the documentation did finally reveal that yes, Microsoft knows that the system must be logged out "gracefully" for encryption to work.
So keep this in mind should someone 'accidentally' spill coffee (or drain cleaner) on your laptop when in your local coffee shop or airport.
Summary: Tools to ‘bypass’ BitLocker
- One Ceiling – Preferably missing (as in snowman)
- Shower pipe – Push to fit, preferably blocked
- Drain Cleaner – Use entire contents, preferably organic dark roast.
- Long springy wotsit
- Towels – Lots to tidy up
*Ronin – Robert de Niro’s character ambushed Sean Bean’s character with a cup of coffee.
Thank you for your comments.
It is not something I have tried to recreate since I read that logging out gracefully was a prerequisite. Also that the disk should remain encrypted even in Suspend mode.
I do know that I never manually suspended BitLocker so it is possible it was never setup correctly but I consider this highly unlikely.
Unfortunately I no longer have a laptop with TPM to test with.
Posted by: missingsnowman | 07 January 2013 at 05:40
Thank you for your comments.
It is not something I have tried to recreate since I read that logging out gracefully was a prerequisite. Unfortunately I no longer have a laptop with TPM to test with. I do know that I never manually suspended BitLocker so it is possible it was never setup correctly.
Posted by: missingsnowman | 03 January 2013 at 15:07
Sorry to burst your bubble, but you have the key fact wrong. BitLocker does not automatically suspend itself on logon. Suspending BitLocker requires manual action by a local administrator. In your particular scenario; it appears that at some point you manually suspended BitLocker; then simply forgot to resume it. When you pulled the drive; it was in that suspended state. If you had BitLocker properly running in its default state; you would have needed the recovery key to access the data.
It's like leaving your front door unlocked; and blaming the lock maker when you house gets robbed...
Posted by: Adam | 03 January 2013 at 12:42
Good Morning,
Your blog post concerned me so I decided to run a few tests but was unable to bypass the requirement of entering the bitlocker key to access the drive.
I tried three scenarios
1) With bitlocker suspended on the laptop, I hibernated it and pulled the drive. I externally mounted the disk and was able to see the data (This was expected due to having bitlocker Suspended)
2) With bitlocker enabled, I hibernated the laptop, pulled the drive and again mounted it externally and was prompted to enter the encryption key. With out entering the key the drive only showed a encrypted container.
3) with Bitlocker enabled and the system running I pulled the hard drive ( trying to simulate worst case scenario like above). Again I mounted the disk externally and was prompted for the key. The drive again only showed the encrypted container.
Have you tested this recently?
Is there something I'm missing, or another way for me to test this?
Thanks for your help.
Posted by: Bitlockertesting | 03 January 2013 at 11:33