SpiderLabs Blog

Hacking with Drain Cleaner – Yet Another BitLocker Bypass Technique

As hard-wired as any Application Specific Integrated Circuit, it seems the infosec community can't go a week without some ruckus. This holiday it's the Russian firm ElcomSoft and their Forensic Disk Decryptor tool. Yours for only $299 (or £300 if you read El Reg), which makes it between 9,131 and 14,813 rubles at today's rate.

This tool can reportedly grab encryption keys from memory, thereby upsetting users of BitLocker, PGP and TrueCrypt. Another tool (Passware Forensic Kit) adds FileVault 2 to the list.

However, some guy called Bruce didn't believe it was 'all that', causing the following reaction:

[image: the reaction]

This SpiderLabs post is only concerned with my own BitLocker bypass technique, so allow me to lighten the mood somewhat and jump right in: to April 2009, to be precise.

We don't need no steenkin' tools (and other movie references)

OK, BitLocker has a number of known (mostly theoretical) vulnerabilities, but arguably the most critical one seems only to have been acknowledged by Microsoft themselves.

What if I told you I could access Mr Bean's encrypted laptop by ambushing him with nothing more than a cup of coffee?*

…and that according to Microsoft this is expected behaviour?

BitLocker is supposed to protect against moving an encrypted drive from one machine to another.

Not necessarily… not if the user never logged out.

Time to clean up

So how did I find this out?

Back in April 2009, only a month into my probation with SpiderLabs, I killed my TPM-backed, BitLocker-enabled Vista laptop with drain cleaner.

The laptop was logged in on the kitchen table when I decided to unblock the shower during my lunch break. The drain cleaner, which had been left to do its work for 24 hours, had failed, so using a springy pipe cleaner designed for the purpose the blockage was removed… along with the cheap 'push to fit' plumbing. I should perhaps mention that this was a recently installed bathroom, replacing the previously leaky bath/shower, and the reason there was no ceiling in the kitchen. Consequently all the drain cleaner and water poured directly onto the kitchen table and the laptop below… (Sorry Nick!)

I imagine CSI forensic investigators can tell you the same thing. A few inches of fluid can go a long way. The laptop had shorted out and the drain cleaner had already started to melt the keyboard. Pulling out the now dead power supply and racing to extract the hard drive seemed my only hope.

I never did mind the little things

Had I saved my BitLocker recovery key? Where? A call to IT Support told me they didn't have it. A few deep breaths later it was recovered from a logical place. Now I just needed a SATA docking device to read the disk. A quick trip to the local electronics store and normal service could resume. Well, not quite. Real-world instructions for BitLocker are not exactly forthcoming. After much frustrated hunting around umpteen Microsoft web pages and blog posts I had the necessary manage-bde.exe and instructions. I needn't have bothered.

[screenshot: drive icon with an exclamation mark over an unlocked padlock]

BitLocker was aware there was an issue, as demonstrated by the exclamation mark over the UNLOCKED padlock icon.

Imagine my surprise when powering up the now external 'BitLocker To Go' hard drive and witnessing all my files still in clear-text.

[screenshot]
"When BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume master key with a clear key." – Is that so?

More digging around the documentation did finally reveal that yes, Microsoft knows this: the unlocked padlock with an exclamation mark is BitLocker's "suspended" state, in which the volume master key is sealed with a clear key stored on the disk rather than with the TPM, and the volume stays that way until protection is explicitly resumed. A drive in that state can be moved to any machine and read in clear text, recovery key or not. The system must be shut down "gracefully", with protection resumed, for the encryption to actually protect anything.
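The check a practitioner wants after reading the above, and the unlock step the manage-bde hunt earlier in the post was about, as an added example that is not code from the original post. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, run from an elevated prompt; the parameter names (-MountPoint, -RecoveryPassword, -Resume) belong to this script, not to BitLocker. It reports each volume's encryption, protection and lock state, warns about volumes that are encrypted but suspended (the clear-key state that made the drive readable on another machine) and optionally resumes them, and unlocks a correctly locked moved volume with its recovery password.

```powershell
<#
  Added example, not from the original post. Assumes the BitLocker module
  (Windows 8 / Server 2012 or later) and an elevated prompt.
  -MountPoint, -RecoveryPassword and -Resume are this script's own parameters.
#>
[CmdletBinding()]
param(
    # Drive letter(s) to inspect, e.g. 'E:' for a docked external disk; all volumes if omitted.
    [string[]]$MountPoint,
    # 48-digit recovery password, used only for a volume that is Locked after being moved.
    [string]$RecoveryPassword,
    # Re-enable protectors on any volume found in the suspended (clear-key) state.
    [switch]$Resume
)

Import-Module BitLocker

$volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint } else { Get-BitLockerVolume }

foreach ($vol in $volumes) {
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    $summary = "{0}: {1}, protection {2}, lock {3}, protectors [{4}]" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.LockStatus, $protectors
    Write-Host $summary

    # Nothing to protect on a volume BitLocker has never encrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    # Case 1: the state described in the post. Fully encrypted, but protection is
    # suspended, so the VMK is sealed with a clear key on disk and the volume reads
    # in plain text in any machine it is plugged into.
    if ($vol.ProtectionStatus -eq 'Off') {
        $warning = "{0} is encrypted but protection is OFF; anyone who removes this disk can read it." -f $vol.MountPoint
        Write-Warning $warning
        if ($Resume) {
            # Re-seal the VMK to the configured protectors (same as manage-bde -protectors -enable).
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
            $after = Get-BitLockerVolume -MountPoint $vol.MountPoint
            Write-Host ("{0}: protection now {1}" -f $vol.MountPoint, $after.ProtectionStatus)
        }
        continue
    }

    # Case 2: what should happen after a move. The TPM protector cannot be satisfied
    # on another machine, so the volume stays Locked until a recovery password is supplied.
    if ($vol.LockStatus -eq 'Locked') {
        if ($RecoveryPassword) {
            Unlock-BitLocker -MountPoint $vol.MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
            Write-Host ("{0}: unlocked with recovery password" -f $vol.MountPoint)
        } else {
            Write-Host ("{0} is locked as expected; pass -RecoveryPassword to unlock it." -f $vol.MountPoint)
        }
    }
}
```

Two caveats worth knowing when reading the output. Update and firmware tooling routinely suspends protection with `Suspend-BitLocker -RebootCount N` and relies on the reboot to resume it; `-RebootCount 0` (or the equivalent manage-bde -protectors -disable) suspends indefinitely, which is exactly the state to look for. And "Protection Off" with "FullyEncrypted" is not the same as a decrypted disk: the data is still ciphertext, but the key that unwraps it is sitting next to it in the clear.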

So keep this in mind should someone 'accidentally' spill coffee (or drain cleaner) on your laptop when in your local coffee shop or airport.

Summary: Tools to 'bypass' BitLocker

  • One Ceiling – Preferably missing (as in snowman)
  • Shower pipe – Push to fit, preferably blocked
  • Drain Cleaner – Use entire contents, preferably organic dark roast.
  • Long springy wotsit
  • Towels – Lots to tidy up

*Ronin – Robert de Niro's character ambushed Sean Bean's character with a cup of coffee.
