Hacking with Drain Cleaner – Yet Another BitLocker Bypass Technique

As hard-wired as any Application Specific Integrated Circuit, it seems the Infosec community can't go a week without some ruckus. This holiday it's Russia's ElcomSoft and their Forensic Disk Decryptor tool. Yours for only $299! (or £300 if you read El Reg), which makes it between 9,131 & 14,813 Rubles at today's rate.

This tool can reportedly grab encryption keys from memory, thereby upsetting users of BitLocker, PGP and TrueCrypt. Another tool (Passware Forensic Kit) adds FileVault 2 to the list.

However, some guy called Bruce didn't believe it was 'all that', causing the following reaction:

This SpiderLabs post is only concerned with my own unique BitLocker bypass technique, so allow me to lighten the mood somewhat and jump right in: to April 2009, to be precise.

We don't need no steenkin' tools (and other movie references)

O.K., BitLocker has a number of known (mostly theoretical) vulnerabilities, but arguably the most critical one only seems to have been acknowledged by Microsoft themselves.

What if I told you I could access Mr Bean's encrypted laptop by ambushing him with nothing more than a cup of coffee?*

…and that according to Microsoft this is expected behaviour?

BitLocker is supposed to protect against moving an encrypted drive from one machine to another.

Not necessarily… not if the user never logged out.

Time to clean up

So how did I find this out?

Back in April 2009, and only a month into my probation with SpiderLabs, I killed my Trusted Platform Module (TPM) and BitLocker-enabled Vista laptop with drain cleaner.

The laptop was logged in on the kitchen table when I decided to unblock the shower during my lunch break. The drain cleaner, which had been left to do its work for 24 hours, had failed, so using a springy pipe cleaner designed for the purpose, the blockage was removed… along with the cheap 'push-to-fit' plumbing. I should perhaps mention that this was a recently installed bathroom to replace the previously leaky bath/shower, and the reason why there was no ceiling in the kitchen. Consequently, all the drain cleaner and water poured directly onto the kitchen table and laptop below… (Sorry Nick!)

I imagine CSI forensic investigators can tell you the same thing. A few inches of fluid can go a long way. The laptop had shorted out and the drain cleaner had already started to melt the keyboard. Pulling out the now dead power supply and racing to extract the hard drive seemed my only hope.

I never did mind the little things

Had I saved my BitLocker encryption keys? Where? A call to IT Support told me they didn't have them. A few deep breaths and they were recovered from a logical place. Now I just needed a SATA docking device to read the disk. A quick trip to the local electronics store and normal service could resume. Well, not quite. Real-world instructions for BitLocker are not exactly forthcoming. After much frustrated hunting around umpteen Microsoft web pages and blog posts I had the necessary manage-bde.exe and instructions. I needn't have bothered.


BitLocker was aware there was an issue, as demonstrated by the exclamation mark over the UNLOCKED padlock icon.

Imagine my surprise when I powered up the now-external 'BitLocker To Go' hard drive and saw all my files still in clear text.

"When BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume master key with a clear key." – Is that so?

More digging around the documentation finally revealed that, yes, Microsoft knows that the system must be logged out "gracefully" for encryption to work.

So keep this in mind should someone 'accidentally' spill coffee (or drain cleaner) on your laptop while you are in your local coffee shop or airport.
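A defender's check for exactly this state, added here as an example and not part of the original post: it flags volumes whose data is fully encrypted but whose protection is off (the suspended, clear-key condition quoted above) and can resume protection. It assumes a current Windows build with the BitLocker PowerShell module (Get-BitLockerVolume, Resume-BitLocker), which did not exist on the Vista machine described, and an elevated session.

```powershell
# Added example: find BitLocker volumes left in the suspended (clear-key) state,
# where the volume is encrypted but protection is off, and optionally resume them.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), run elevated.
param(
    [switch]$Resume   # pass -Resume to re-enable protection on suspended volumes
)

function Get-SuspendedBitLockerVolume {
    # A suspended volume reports VolumeStatus 'FullyEncrypted' with ProtectionStatus 'Off':
    # the data is still encrypted, but the volume master key is wrapped with a clear key on disk,
    # so the drive opens in any machine it is plugged into.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
    }
}

$suspended = Get-SuspendedBitLockerVolume
if (-not $suspended) {
    Write-Output 'No suspended BitLocker volumes found.'
    return
}

foreach ($vol in $suspended) {
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Warning ("{0} is encrypted but unprotected (suspended). Configured key protectors: {1}" -f `
        $vol.MountPoint, $protectors)
    if ($Resume) {
        # Resume-BitLocker discards the clear key and re-protects the volume master key
        # with the configured protectors (TPM, recovery password, etc.)
        Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        $after = Get-BitLockerVolume -MountPoint $vol.MountPoint
        Write-Output ("{0}: protection now {1}" -f $after.MountPoint, $after.ProtectionStatus)
    }
}
```

On older systems such as the Vista laptop in this post, `manage-bde -status` reports the same condition as "Conversion Status: Fully Encrypted" alongside "Protection Status: Protection Off".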

Summary: Tools to 'bypass' BitLocker

  • One Ceiling – Preferably missing (as in snowman)
  • Shower pipe – Push to fit, preferably blocked
  • Drain Cleaner – Use entire contents, preferably organic dark roast.
  • Long springy wotsit
  • Towels – Lots to tidy up

*Ronin – Robert De Niro's character ambushed Sean Bean's character with a cup of coffee.
