About Bitlocker decryption without password/recovery key

[sosrecup]

Hello,

I came through a blog post https://pulsesecurity.co.nz/articles/TPM-sniffing saying that it's possible to extract a Bitlocker key from a Trusted Platform Module (TPM) and decrypt it.

This needs some electronic knowledge.

@fzabkar: you are THE expert in electronics in this forum (my opinion), could you please confirm if it's true what this security expert is saying?

Did anyone test this method before and could decrypt the Bitlocker key?

Please share your knowledge.

Kind regards

[sosrecup]

No one interested in this topic?

[mhp666]

Thanks for sharing the link.
Surely I can learn a lot from the post.

[DR-Kiev]

Hello,

I came through a blog post https://pulsesecurity.co.nz/articles/TPM-sniffing saying that it's possible to extract a Bitlocker key from a Trusted Platform Module (TPM) and decrypt it.

This needs some electronic knowledge.

@fzabkar: you are THE expert in electronics in this forum (my opinion), could you please confirm if it's true what this security expert is saying?

Did anyone test this method before and could decrypt the Bitlocker key?

Please share your knowledge.

Kind regards

What is the point of this actions? Getting access to the data from stolen laptops?
Users who are willing to recovery their files in 99% cases provide us with pass/key .

[sosrecup]

What is the point of this actions? Getting access to the data from stolen laptops?
Users who are willing to recovery their files in 99% cases provide us with pass/key .

Not necessary. some clients encrypt their hard drives and forget the password and forget to save the recovery key or forget where they put it.

[Doomer]

Why would anybody need to extract a key from TPM when they have access to TPM?

[sosrecup]

Why would anybody need to extract a key from TPM when they have access to TPM?

What if you forget the password and you don't remember where you put your recovery key (I had some clients in this situation), are you able to recover data from that drive?

[RolandJS]

"What if you forget the password and you don't remember where you put your recovery key (I had some clients in this situation), are you able to recover data from that drive?"
Billable hours, correct? Reading other discussion boards, I see a few threads about clients not having at the ready passwords or recovery keys.

[Doomer]

Why would anybody need to extract a key from TPM when they have access to TPM?

What if you forget the password and you don't remember where you put your recovery key (I had some clients in this situation), are you able to recover data from that drive?

Per my understanding TPM holds a key that unlocks Bitlocker
Should be able to unlock Bitlocker, using TPM with a boot CD on the original laptop

[RolandJS]

Why would anybody need to extract a key from TPM when they have access to TPM?

Doomer, I'm a beginner, what has been your experience with TPM? I never knew that one could use just TPM to unlock BitLocker. I'd like to learn more!

[Doomer]

Why would anybody need to extract a key from TPM when they have access to TPM?

Doomer, I'm a beginner, what has been your experience with TPM? I never knew that one could use just TPM to unlock BitLocker. I'd like to learn more!

There are several types of protectors that can be used with Bitlocker, one of them is TPM only protector, which is old but sometimes can still be found on Bitlocker protected volumes

[terminator2]

Hi Guys
Pls. refer my post in this regard which is still unanswered unfortunately .
Bitlocker in some cases can be decrypted without key /password in pc3000. I have raised concerns as how AES128 key can be decrypted.
Can someone pls.look at it particularly senior members like Doomer , Dr-Kiev ,fzabkar , pepe to name few.


here is the post -
https://forum.hddguru.com/viewtopic.php ... er#p278195

Thanks

[Doomer]

Hi Guys
Pls. refer my post in this regard which is still unanswered unfortunately .
Bitlocker in some cases can be decrypted without key /password in pc3000. I have raised concerns as how AES128 key can be decrypted.
Can someone pls.look at it particularly senior members like Doomer , Dr-Kiev ,fzabkar , pepe to name few.


here is the post -
https://forum.hddguru.com/viewtopic.php ... er#p278195

Thanks

Sometimes Bitlocker stores metadata called "clear key". Clear key can decrypt Bitlocker without a password
It has nothing to do with AES "crackability"

[terminator2]

Thanks Doomer

[Amarbir[CDR-Labs]]

Thanks Doomer

Hi,
Many Dell Laptops Use Bitlocker and TPM i have recovered a few of these combos in india for my clients and i have also done that magic were key is not required as explained by doomer [ Were key is stored and the app finds it ]

[terminator2]

Hi Guys
Pls. refer my post in this regard which is still unanswered unfortunately .
Bitlocker in some cases can be decrypted without key /password in pc3000. I have raised concerns as how AES128 key can be decrypted.
Can someone pls.look at it particularly senior members like Doomer , Dr-Kiev ,fzabkar , pepe to name few.


here is the post -
https://forum.hddguru.com/viewtopic.php ... er#p278195

Thanks

Sometimes Bitlocker stores metadata called "clear key". Clear key can decrypt Bitlocker without a password
It has nothing to do with AES "crackability"

hi Doomer
Is there any other software other than pc3000 DE which will sniff "clear key " password from Bitlocker metadata and decrypt it ?
My pc3000 is not updated and does not support this function.

[DR-Kiev]

Hi Guys
Pls. refer my post in this regard which is still unanswered unfortunately .
Bitlocker in some cases can be decrypted without key /password in pc3000. I have raised concerns as how AES128 key can be decrypted.
Can someone pls.look at it particularly senior members like Doomer , Dr-Kiev ,fzabkar , pepe to name few.


here is the post -
https://forum.hddguru.com/viewtopic.php ... er#p278195

Thanks

Sometimes Bitlocker stores metadata called "clear key". Clear key can decrypt Bitlocker without a password
It has nothing to do with AES "crackability"

hi Doomer
Is there any other software other than pc3000 DE which will sniff "clear key " password from Bitlocker metadata and decrypt it ?
My pc3000 is not updated and does not support this function.

UFS Explorer Pro, can do the same "trick" with "clear key" for Bitlocker encryption

[terminator2]

Hi Guys
Pls. refer my post in this regard which is still unanswered unfortunately .
Bitlocker in some cases can be decrypted without key /password in pc3000. I have raised concerns as how AES128 key can be decrypted.
Can someone pls.look at it particularly senior members like Doomer , Dr-Kiev ,fzabkar , pepe to name few.


here is the post -
https://forum.hddguru.com/viewtopic.php ... er#p278195

Thanks

Sometimes Bitlocker stores metadata called "clear key". Clear key can decrypt Bitlocker without a password
It has nothing to do with AES "crackability"

hi Doomer
Is there any other software other than pc3000 DE which will sniff "clear key " password from Bitlocker metadata and decrypt it ?
My pc3000 is not updated and does not support this function.

UFS Explorer Pro, can do the same "trick" with "clear key" for Bitlocker encryption

Thank you so much Dr-kiev

I have got a case of 512GB M.2 SSD from Thinkpad laptop. After windows updates suddenly Bitlocker has started to appear and asking for key.
Customer has not enabled it earlier ( by default it was enabled ). In fact customer was not aware of what is Bitlocker.

manage-Bde shows numeric key +TPM protectors.
I will give it a try using UFS explorer.
Thanks again.

Attachments

Screenshot 2021-10-02 164207.png (8.25 KiB) Viewed 13097 times

[terminator2]

I tried UFS explorer but it failed to decrypt the volume. What should I do now ?

Attachments

[terminator2]

Is there any way to read key from TPM directly ? I have asked customer to give his microsoft account details as well.
It seems protectors are not weak or "clear key" metadata is not present.
I am also sending it to one of my friend who is having updated DE.