
How to identify Bitlocker protectors

January 17th, 2020, 9:04

I have got an SSD for data recovery, laptop was booting due to some OS issue.
I cloned SSD on another disk. Initially it was showing unallocated space. I have recovered 2 volumes (service partition FAT32 unlocked and main OS volume).
It is showing Bitlocker encryption. However, customer says they have not enabled Bitlocker.
When I run Manage-bde -protectors, I get No protectors found. This volume is not protected using password. How can I identify whether key was stored in TPM?
I don't have access to original laptop.

Re: How to identify Bitlocker protectors

January 17th, 2020, 12:30

Did the client mention which BitLocker - Hasleo Anywhere BitLocker or Windows? I ask because Hasleo has a data recovery program, albeit expensive, that allegedly can help unlock a partition.

Re: How to identify Bitlocker protectors

January 18th, 2020, 3:27

Modern day implementation of Bitlocker is dependent on two other security features –

TPM (not a requirement for Bitlocker, but offers the hardware security which is much needed)
Windows Measured Boot (a security feature of Windows implemented using the TPM capabilities)

TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process is called wrapping or “binding a key to TPM.” The key as generated is wrapped/bound using a master wrapping key (unique to each TPM), called the Storage Root Key (SRK).

SRK is an RSA 2048-bit public-private key pair where the SRK_Pub is used for encryption operation as it is exposed outside TPM. However, only the TPM can decrypt the encrypted content as only it has the SRK_Priv (this is stored within TPM and is never exposed outside).

A TPM can also create a key that has not only been wrapped, but is also tied to certain Platform measurements (PCR values). This process is referred to as “sealing the key to the TPM.”

Binding a key to TPM with platform measurement ensures that it can be unsealed only when current platform measurement matches with the measurement values with which the key was sealed.
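
An added illustration of the sealing behaviour described in the post above; it is not from the original post and is not a real TPM interface. `ToyTPM`, `boot` and `demo` are hypothetical names, a random secret stands in for the SRK, and a XOR keystream stands in for the TPM's encryption. It shows that a sealed key comes back only on the same TPM with the same PCR measurements.

```python
import hashlib, hmac, secrets

class ToyTPM:  # simulation only: toy XOR cipher, a random secret stands in for the SRK
    def __init__(self):
        self._srk = secrets.token_bytes(32)  # stands in for SRK_Priv, never exported
        self.pcrs = [bytes(32)] * 8          # PCRs are all zeros after reset

    def extend(self, index, measured):
        # A PCR cannot be written, only extended: new = H(old || H(measured))
        digest = hashlib.sha256(measured).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _policy(self, indexes):
        return hashlib.sha256(b"".join(self.pcrs[i] for i in indexes)).digest()

    def _xor(self, data, nonce, policy):
        ks = hashlib.shake_256(self._srk + nonce + policy).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def seal(self, key, indexes):
        nonce, policy = secrets.token_bytes(16), self._policy(indexes)
        ct = self._xor(key, nonce, policy)
        tag = hmac.new(self._srk, nonce + policy + ct, hashlib.sha256).digest()
        return {"pcrs": tuple(indexes), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        policy = self._policy(blob["pcrs"])  # computed from the current PCR values
        tag = hmac.new(self._srk, blob["nonce"] + policy + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None                      # different TPM or different boot state
        return self._xor(blob["ct"], blob["nonce"], policy)

def boot(tpm, stages):
    tpm.pcrs = [bytes(32)] * 8               # reset, then measure each stage into PCR 0
    for stage in stages:
        tpm.extend(0, stage)

def demo():
    good = [b"firmware-v1", b"bootmgr-v1", b"winload-v1"]  # constructed measurements
    tpm, other = ToyTPM(), ToyTPM()
    boot(tpm, good)
    key = secrets.token_bytes(32)            # stands in for the protected volume key
    blob = tpm.seal(key, [0])
    same = tpm.unseal(blob) == key           # same TPM, same measurements
    boot(tpm, [b"firmware-v1", b"other-loader", b"winload-v1"])
    changed = tpm.unseal(blob)               # same TPM, different measurements
    boot(other, good)
    foreign = other.unseal(blob)             # same measurements, different TPM
    return same, changed, foreign
```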

Re: How to identify Bitlocker protectors

January 18th, 2020, 3:29

RolandJS wrote: Did the client mention which BitLocker - Hasleo Anywhere BitLocker or Windows? I ask because Hasleo has a data recovery program, albeit expensive, that allegedly can help unlock a partition.

Thanks RolandJS
I will download trial version and will check.

Re: How to identify Bitlocker protectors

January 18th, 2020, 3:33

posidon wrote: Modern day implementation of Bitlocker is dependent on two other security features –

TPM (not a requirement for Bitlocker, but offers the hardware security which is much needed)
Windows Measured Boot (a security feature of Windows implemented using the TPM capabilities)

TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process is called wrapping or “binding a key to TPM.” The key as generated is wrapped/bound using a master wrapping key (unique to each TPM), called the Storage Root Key (SRK).

SRK is an RSA 2048-bit public-private key pair where the SRK_Pub is used for encryption operation as it is exposed outside TPM. However, only the TPM can decrypt the encrypted content as only it has the SRK_Priv (this is stored within TPM and is never exposed outside).

A TPM can also create a key that has not only been wrapped, but is also tied to certain Platform measurements (PCR values). This process is referred to as “sealing the key to the TPM.”

Binding a key to TPM with platform measurement ensures that it can be unsealed only when current platform measurement matches with the measurement values with which the key was sealed.



Thanks posidon
Does that mean if a new SSD with new OS is installed in that laptop, Bitlocker key will be same as from crashed SSD? In that case if I connect cloned volume of crashed SSD to this laptop via USB, it will get autodecrypted as both keys are identical?
Does TPM take care of all encryption/decryption and no unique key is generated with each Windows install?
Those who have worked with TPM and Bitlocker might be able to shed light.

Re: How to identify Bitlocker protectors

January 19th, 2020, 5:19

RolandJS wrote: Did the client mention which BitLocker - Hasleo Anywhere BitLocker or Windows? I ask because Hasleo has a data recovery program, albeit expensive, that allegedly can help unlock a partition.

Hi RolandJS
I tried Hasleo trial version, but it asks for key/password without which it will not be able to recover volume.

Re: How to identify Bitlocker protectors

January 19th, 2020, 18:17

Thanks for letting me know. I guess the DIY DR route is too much money and too much work, earlier I passed on same.

Re: How to identify Bitlocker protectors

January 20th, 2020, 4:16

Yes, anything related to encryption is pretty complex.
We have PC3000 UDMA, latest Data Extractor supports auto decryption of Bitlocker though it works in some particular cases where Bitlocker was enabled by default and not activated later manually.
Can someone give us more details as in which cases UDMA can decrypt Bitlocker without key/password? That will help larger community.
Unfortunately I have not updated TS so I have older version of DE.
Here is Excel file I have created, if someone could just put his observations that will really help.
download link -- https://drive.google.com/file/d/1CJrgSf ... sp=sharing

Re: How to identify Bitlocker protectors

January 20th, 2020, 5:18

Hi friends
I have got success in this case and UDMA was successful to decrypt volume without password or key. (I handed over this case to my friend having updated DE.)
I will greatly appreciate if someone could update Excel file with more details as in which case UDMA works, that will help us all to access such cases.

Re: How to identify Bitlocker protectors

January 20th, 2020, 22:29

Congrats
I am confused as I was of opinion that AES 128 which Bitlocker uses is so secure that it's US govt. official standard for confidential classified data.
Then how is it possible that even without key this can be cracked?
Someone pls. explain as otherwise whole security system is flawed. We can no longer suggest AES as a secure standard for their data security.