All times are UTC - 5 hours [ DST ]

 Post subject: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: January 19th, 2022, 8:43

Joined: August 26th, 2021, 17:52
Posts: 61
Location: Brasil
Hello everyone

In my job we are evaluating the possibility of building a computer to work with BitLocker. I am still learning about BitLocker but I want to know if someone has a success case to share using BitCracker or hashcat software.

We are still thinking if this is worth it?
If there are enough clients willing to pay for this kind of service?
How many drives we receive and the client doesn't have the recovery key?

If someone can and wants to share his experience I am very grateful.

Thanks very much and my best regards.


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: July 27th, 2022, 23:12

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
You can do relatively simple math to determine that this program would be of no use in the majority of cases.
In the absolute majority of Bitlocker cases there are no user passwords, so there are only two options, some form of TPM protection and a recovery password. If a TPM attack is not available then you are left with a recovery password. The recovery password has 2^128 variations; with the bitcracker speed of 30 passwords per second you would be cracking it forever.

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.
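
The arithmetic from the post above, carried through as an added example that is not part of the original thread. It assumes the documented layout of a BitLocker recovery password (8 groups of 6 digits, each group a multiple of 11 that encodes one 16-bit value), which is where the 2^128 figure comes from; the function names and the sample value are constructed for illustration.

```python
import re

GROUPS = 8               # a recovery password is 8 groups of 6 decimal digits
GROUP_VALUES = 1 << 16   # each group is a 16-bit value written as value * 11
RATE = 30                # attempts per second, the figure quoted in the post


def encode(values):
    """Build a well-formed recovery password string from 16-bit values."""
    return "-".join(f"{v * 11:06d}" for v in values)


def check_recovery_password(text):
    """Return a list of format problems; an empty list means well-formed.

    Useful for catching transcription errors in an escrowed key before
    it is ever tried against a volume.
    """
    groups = text.strip().split("-")
    if len(groups) != GROUPS:
        return [f"expected {GROUPS} groups, got {len(groups)}"]
    problems = []
    for i, g in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{6}", g):
            problems.append(f"group {i}: not six digits")
        elif int(g) % 11:
            problems.append(f"group {i}: not a multiple of 11 (likely typo)")
        elif int(g) // 11 >= GROUP_VALUES:
            problems.append(f"group {i}: outside the 16-bit range")
    return problems


def keyspace_bits():
    """8 groups x 16 bits = 128 bits of key material."""
    return GROUPS * 16


def years_to_exhaust(rate=RATE):
    """Years needed to try every recovery password at `rate` per second."""
    return (1 << keyspace_bits()) / rate / (365.25 * 24 * 3600)


# Constructed sample, not a real key.
SAMPLE = encode([1, 2, 3, 4, 5, 6, 7, 65535])

if __name__ == "__main__":
    print(SAMPLE, check_recovery_password(SAMPLE))
    print(f"{keyspace_bits()} bits, about {years_to_exhaust():.2e} years at {RATE}/s")
```
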


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 23rd, 2022, 0:57

Joined: December 14th, 2020, 11:51
Posts: 50
Location: France
Doomer wrote:
You can do relatively simple math to determine that this program would be of no use in the majority of cases.
In the absolute majority of Bitlocker cases there are no user passwords, so there are only two options, some form of TPM protection and a recovery password. If a TPM attack is not available then you are left with a recovery password. The recovery password has 2^128 variations; with the bitcracker speed of 30 passwords per second you would be cracking it forever.

Hi, can you clarify what you mean by "There are no user passwords" ?


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 23rd, 2022, 12:53

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
Spotmen wrote:
Hi, can you clarify what you mean by "There are no user passwords" ?

Bitlocker can have several ways to store the encrypted volume key
For example
TPM
TPM+PIN
Recovery password
User password
External key

The user password is a passphrase that a user types in to unlock the drive. In absolute majority of cases this passphrase is not used on Bitlocker volumes. Common setup includes TPM (authentication goes through original TPM chip on a computer's motherboard) and a Recovery password (essentially 128 bits of a cryptorandom hash)

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 27th, 2022, 12:04

Joined: December 14th, 2020, 11:51
Posts: 50
Location: France
I see, thank you for clarifying.

I've heard numerous users reporting they never set Bitlocker, never turned it on, laptop was working and one day it's asking for Bitlocker pw. I've seen this scenario three times here and when reading on internet forums, this is reported by numerous users. For those three cases, nothing on AD, Azure or Microsoft live account.

I know customers don't tell the truth and forget their laptop but this behavior seems to be common, have you heard of it ?


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 27th, 2022, 12:10

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
Spotmen wrote:
I know customers don't tell the truth and forget their laptop but this behavior seems to be common, have you heard of it ?

Of course, it's pretty common.
Whoever installed Windows on this computer would have the bitlocker recovery password, it's more than likely not the end user.
While the laptop works the user wouldn't even know the drive is encrypted because of TPM on-the-fly decryption. But if anything happens with the laptop - the drive becomes a grave for data.
Sometimes even BIOS update prevents TPM decryption.

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 27th, 2022, 13:08

Joined: December 14th, 2020, 11:51
Posts: 50
Location: France
Thank you, that helps to understand this behavior.


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 29th, 2022, 5:49

Joined: December 14th, 2020, 11:51
Posts: 50
Location: France
So if I get the text below, that means it has TPM and recovery pw ? In this case, the customer set up the password, he did enable Bitlocker but he can't recall the pw. He gave me a list of pw to try but none of them are working.


(I've modified guid and hostname).
LAPTOP-9H2 OS 18.07.2020
Trusted Platform Module (TPM):
GUID: {C380D5AE-B1CC-2355-ACB3-C329E09EDCA8}
Recovery password:
GUID: {5404AFA4-474D-292E-9165-CCBCDAE20818}


Post subject: Re: BITCRACKER AND HASHCAT DECRYPT BITLOCKER
Posted: September 29th, 2022, 10:30

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
Spotmen wrote:
So if I get the text below, that means it has TPM and recovery pw ?

yes
Spotmen wrote:
In this case, the customer set up the password, he did enable Bitlocker but he can't recall the pw. He gave me a list of pw to try but none of them are working.

There is no "list of passwords" in this case.
The recovery password is unique for this drive and it's generated by Bitlocker at the moment of encryption. It is not normally used for unlocking the drive, only for recovery reasons. It also has a unique GUID which specifically indicates which recovery password belongs to which volume.
More info (for some reason it's called a recovery key here) - https://support.microsoft.com/en-us/win ... 6f5ab347d6

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

