All times are UTC - 5 hours [ DST ]




 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 4th, 2021, 6:50 

Joined: March 7th, 2009, 12:43
Posts: 1080
Location: Angel Data Recovery
terminator2 wrote:
Is there any way to read the key from TPM directly? I have asked the customer to give his Microsoft account details as well.
It seems protectors are not weak or "clear key" metadata is not present.
I am also sending it to one of my friends who has an updated DE.


In your case key is not empty. Solution with "clear key" won't work.
Ask your client about his Microsoft account.
Specify model of your ThinkPad laptop.

_________________
Angel Data Recovery



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 4th, 2021, 9:09 

Joined: November 23rd, 2010, 13:32
Posts: 461
Location: brisbane
DR-Kiev wrote:
terminator2 wrote:
Is there any way to read the key from TPM directly? I have asked the customer to give his Microsoft account details as well.
It seems protectors are not weak or "clear key" metadata is not present.
I am also sending it to one of my friends who has an updated DE.


In your case key is not empty. Solution with "clear key" won't work.
Ask your client about his Microsoft account.
Specify model of your ThinkPad laptop.

Thank you so much, DR-Kiev. The customer does not have a Microsoft account, so even that option cannot be used.
I think recovery will not be possible in this case.
How is a particular numeric key assigned, or a key created, when the customer says he has not done anything and is not even aware of BitLocker?



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 4th, 2021, 9:29 

Joined: November 23rd, 2010, 13:32
Posts: 461
Location: brisbane
DR-Kiev wrote:
terminator2 wrote:
Is there any way to read the key from TPM directly? I have asked the customer to give his Microsoft account details as well.
It seems protectors are not weak or "clear key" metadata is not present.
I am also sending it to one of my friends who has an updated DE.


In your case key is not empty. Solution with "clear key" won't work.
Ask your client about his Microsoft account.
Specify model of your ThinkPad laptop.


Is it in any way possible to access the TPM and extract the key from the TPM?



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 5th, 2021, 0:43 

Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
terminator2 wrote:
DR-Kiev wrote:
terminator2 wrote:
Is there any way to read the key from TPM directly? I have asked the customer to give his Microsoft account details as well.
It seems protectors are not weak or "clear key" metadata is not present.
I am also sending it to one of my friends who has an updated DE.


In your case key is not empty. Solution with "clear key" won't work.
Ask your client about his Microsoft account.
Specify model of your ThinkPad laptop.


Is it in any way possible to access the TPM and extract the key from the TPM?


In case you wanted to try

https://github.com/SySS-Research/icesti ... pm-sniffer

https://www.youtube.com/watch?v=-Fj3SeZww3M
:wink:

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 5th, 2021, 2:05 

Joined: March 6th, 2010, 3:46
Posts: 601
Location: Kolding | Denmark
Did use LPC sniffing in a BitLocker TPM-only mode case. SSD had a lot of reading errors, Windows could not boot but TPM was still unlocking the drive.
Sniffing worked fine and VMK was found and used in DE to decrypt. In this case it was useful to get the SSD moved to DE for imaging. Could probably have used a live CD to boot the PC and made an image that way, but without power control imaging would not have been successful. Drive hung itself on every reading error.

In your case terminator2, as I understand it, TPM is not decrypting the drive and there is no "clear key" in meta. To sniff VMK, TPM encryption needs to work, so I can't see how sniffing will solve your case.

_________________
Digitalsupport Data Recovery
https://digitalsupport.dk



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 5th, 2021, 8:14 

Joined: November 23rd, 2010, 13:32
Posts: 461
Location: brisbane
digisupport wrote:
Did use LPC sniffing in a BitLocker TPM-only mode case. SSD had a lot of reading errors, Windows could not boot but TPM was still unlocking the drive.
Sniffing worked fine and VMK was found and used in DE to decrypt. In this case it was useful to get the SSD moved to DE for imaging. Could probably have used a live CD to boot the PC and made an image that way, but without power control imaging would not have been successful. Drive hung itself on every reading error.

In your case terminator2, as I understand it, TPM is not decrypting the drive and there is no "clear key" in meta. To sniff VMK, TPM encryption needs to work, so I can't see how sniffing will solve your case.


Wow, great explanation, digisupport.
Thanks a lot for logically explaining this mechanism. :good: :-D



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 10th, 2021, 0:43 

Joined: November 23rd, 2010, 13:32
Posts: 461
Location: brisbane
Hi Guys
I have been reading various articles regarding BitLocker and I have read that there are many triggers which can provoke the BitLocker pop-up asking to enter the key. Some of them are harmless, like: 1) updating BIOS 2) changing keyboard type 3) changes in BIOS settings etc.
In this case protectors are TPM+PIN.
I just want to know whether both TPM and key must be present (recovery is only possible from the original laptop and all combinations of protectors must be present for decryption).
In that case working on only the hard disk may not be of any use. I think if the correct password is entered then only the key from TPM is fetched.
Also in such cases, if the original laptop is missing or is damaged then recovery will be impossible altogether.
Those who have done research on BitLocker, please help.
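
The thread turns on which key protectors a volume has and whether any recovery key was ever saved. As an added example (not part of any post in this thread), this PowerShell audit can be run on a healthy machine, before any failure, to list each volume's protectors and flag the states discussed here: TPM-only unlock, a "clear key" on disk, and a missing recovery password. The function name, output columns and finding texts are assumptions.

```powershell
# Added example: audit BitLocker key protectors on a running Windows machine.
# Needs an elevated session; Get-BitLockerVolume ships with Windows.
# Function name, output columns and finding texts are assumptions.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on this volume, e.g. Tpm, TpmPin, RecoveryPassword
        $types = @($vol.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $findings += 'volume is not encrypted'
        }
        else {
            if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
                # Encrypted but protection never activated or suspended: the
                # volume key is kept unprotected in metadata (the "clear key" case).
                $findings += 'protection off: clear key present on disk'
            }
            if ($types -contains 'Tpm') {
                # TPM releases the key at boot with no user secret; this is the
                # TPM-only mode in which the thread reports LPC sniffing working.
                $findings += 'TPM-only unlock: add a PIN or startup key'
            }
            if ($types -notcontains 'RecoveryPassword') {
                # Nothing to fall back on if the TPM stops releasing the key.
                $findings += 'no recovery password protector'
            }
            else {
                # The cmdlet cannot show whether the password was escrowed anywhere.
                $findings += 'recovery password exists: confirm it is stored off the machine'
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = $types -join ', '
            Findings         = $findings -join '; '
        }
    }
}

Get-BitLockerProtectorAudit | Format-List
```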



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 11th, 2021, 5:43 

Joined: October 9th, 2021, 9:56
Posts: 11
Location: Hungary
Hi,
If the required key can be sniffed (i.e. LPC communication is not encrypted) then it should be possible to extract it by booting Linux and accessing the TPM with trousers/tpm-tools (in case secure boot is not enabled). If it's still not working, then you can still try to throw the Windows installation under a virtual machine which emulates the TPM, so you can basically sniff the TPM in a 'soft' way, without having to actually solder wires onto the TPM chip.



 Post subject: Re: About Bitlocker decryption without password/recovery key
PostPosted: October 11th, 2021, 6:16 

Joined: November 23rd, 2010, 13:32
Posts: 461
Location: brisbane
alpy wrote:
Hi,
If the required key can be sniffed (i.e. LPC communication is not encrypted) then it should be possible to extract it by booting Linux and accessing the TPM with trousers/tpm-tools (in case secure boot is not enabled). If it's still not working, then you can still try to throw the Windows installation under a virtual machine which emulates the TPM, so you can basically sniff the TPM in a 'soft' way, without having to actually solder wires onto the TPM chip.


hi alpy
Thanks a lot, at least I have come to know there is a way out. I will give it a try. Unfortunately the customer does not have a Microsoft account so no backup is present. :good: :-D

