In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.
Forum rules
Please
do not post questions about data recovery cases here (use
this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...
January 19th, 2022, 8:43
Hello everyone
In my job we are evaluating the possibility of building a computer to work with bitlocker. I am still learning about bitlocker but I want to know if someone has a success case to share using bitcracker or hashcat softwares.
We are still thinking if this is worth it?
If there are enough clients willing to pay for this kind of service?
How many drives we receive and the client dont have the recovery key?
If someone can and wants to share his experience I am very grateful.
Thanks very much and my best regards.
July 27th, 2022, 23:12
You can do a relatively simple math to determine that this program would be no use in majority of cases.
In absolute majority of Bitlocker cases there are no user passwords, so there are only two options, some form of TPM protection and a recovery password. If TPM attack is not available then you are left with a recovery password. The recovery password has 2^128 number of variations, with the bitcracker speed of 30 password per second you would be cracking it forever.
September 23rd, 2022, 0:57
Doomer wrote:You can do a relatively simple math to determine that this program would be no use in majority of cases.
In absolute majority of Bitlocker cases there are no user passwords, so there are only two options, some form of TPM protection and a recovery password. If TPM attack is not available then you are left with a recovery password. The recovery password has 2^128 number of variations, with the bitcracker speed of 30 password per second you would be cracking it forever.
Hi, can you clarify what do you mean by "There are no user passwords" ?
September 23rd, 2022, 12:53
Spotmen wrote:Hi, can you clarify what do you mean by "There are no user passwords" ?
Bitlocker can have several ways to store the encrypted volume key
For example
TPM
TPM+PIN
Recovery password
User password
External key
The user password is a passphrase that a user types in to unlock the drive. In absolute majority of cases this passphrase is not used on Bitlocker volumes. Common setup includes TPM (authentication goes through original TPM chip on a computer's motherboard) and a Recovery password (essentially 128 bits of a cryptorandom hash)
September 27th, 2022, 12:04
I see thank you for claryfing.
I've heard numerous user reporting they never set Bitlocker, never turned it on, laptop was working and one day it's asking for Bitlocker pw. I've seen scenario three times here and when reading on internet forum, this is reported by numerous of user. For those three cases, nothing on AD, Azure or Microsoft live account.
I know customer don't tell the truth and forget their laptop but this behavior seems to be common, have you heard of it ?
September 27th, 2022, 12:10
Spotmen wrote:I know customer don't tell the truth and forget their laptop but this behavior seems to be common, have you heard of it ?
Of course, it's pretty common.
Whoever installed Windows on this computer would have the bitlocker recovery password, it's more than likely not the end user.
While the laptop works the user wouldn't even know the drive is encrypted because of TPM on-the-fly decryption. But if anything happens with the laptop - the drive becomes a grave for data.
Sometimes even BIOS update prevents TPM decryption.
September 27th, 2022, 13:08
thank you, that helps to understand this behavior.
September 29th, 2022, 5:49
So if I get the text below, that means it has TPM and recovery pw ? In this case, the customer setup the password, he did enable bitlocker but he can't recall pw. he gave me a list of pw to try but none of them are working.
(I've modified guid and hostname).
LAPTOP-9H2 OS 18.07.2020
Trusted Platform Module (TPM):
GUID: {C380D5AE-B1CC-2355-ACB3-C329E09EDCA8}
Recovery password:
GUID: {5404AFA4-474D-292E-9165-CCBCDAE20818}
September 29th, 2022, 10:30
Spotmen wrote:So if I get the text below, that means it has TPM and recovery pw ?
yes
Spotmen wrote: In this case, the customer setup the password, he did enable bitlocker but he can't recall pw. he gave me a list of pw to try but none of them are working.
there is no "list of passwords" in this case
The recovery password is unique for this drive and it's generated by Bitlocker at the moment of encryption, it is not used for unlocking the drive, normally, only for recovery reasons, it also has a unique GUID which specifically indicates what recovery passwords belongs to which volume.
more info (for some reason it's called a recovery key here) -
https://support.microsoft.com/en-us/win ... 6f5ab347d6
Powered by phpBB © phpBB Group.