Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Passware hdd decryption

- - - - -

  • Please log in to reply
4 replies to this topic



    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,804 posts
  • Joined 13-January 06
It seems Passware found a way to "hack" bitlocker or brute force it : http://www.lostpassw...-decryption.htm.

How to remove advertisement from MSFN



    Gustatus similis pullus

  • Patrons
  • 11,030 posts
  • Joined 09-September 01
  • OS:Windows 10 x64
  • Country: Country Flag


It isn't so much a hack as it is a physical access problem - the keys for a running encrypted volume have to be stored *somewhere* in memory, and due to the design of Windows, they'll very likely be in the paging file. If you can get access to a running system with any encryption software (not just bitlocker) to run this, then you have physical access to the system already - decryption of the disk at that point is the least of one's problems. Bitlocker (or any other encryption package) won't protect you if someone has physical access to the system that the drive is encrypted on, and the keys are stored locally. If you're really worried about losing your machine and the data on it, don't let the firewire ports be enabled in the BIOS, and this hack can't work. That'll leave brute-force password key decryption as the only option, and that could take the attacker a very, very long time.

Nothing's foolproof if it runs on the machine, especially security software. It's just there to make the task of data theft harder, not impossible ;).
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!




  • Member
  • PipPip
  • 153 posts
  • Joined 18-November 09
  • OS:none specified
  • Country: Country Flag
Like already mentioned, it highly depends on wether you have access to the system in a running state. There are more ways to "circumvent" such if you can get access to the running system.

Last year I posted a video about how one can remove McAfee Endpoint Encryption without the Authorisation Code and without the Windows password, by using MetaSploit remotely (given some assumptions); http://sanbarrow.com...opic.php?t=1671

But, in a fully patched and locked down environment, this should not be possible (unless you can exploit the OS)..




    The Finder

  • Developer
  • 16,010 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
Yep, it's nothing like a crack or a password finding.

The "assumptions", just like in the nice procedure by joakim is that the "encrypted something" is ALREADY mounted or however accessible (possibly on the "native" hosting machine).

The known "firewire backport" is used to try and get a physical dump of memory, which is then searched for the encryption key.

Another more theoretical that practical (though interesting) exploit.




    gosh 2.0

  • Patrons
  • 2,341 posts
  • Joined 03-October 03
  • OS:none specified
  • Country: Country Flag
When i went to the windows 7 launch a jerk in the audience yelled out to the technet guy that bitlocker was cracked. The MS guy said as long as you follow normal security practices you cant crack bitlocker, and i agree.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users