BitLocker is a security feature which is used widely to protect data at rest. In this article, Arun Prasannan from CCL's R&D department describes some of the techniques that we can use during security testing engagements and forensic investigations when confronted by systems protected using BitLocker.
BitLocker is a volume encryption solution that is included with the Server, Pro, Enterprise and Education editions of Microsoft's Windows operating system. It is used to prevent unauthorised access to data: if a drive is lost or stolen, its contents remain protected by AES encryption.
A Trusted Platform Module (TPM) is a hardware device available on most modern computers which implements various cryptography and security related features. It has logic and firmware that is separate from the rest of the computer and is designed to be resistant to attacks. Combining BitLocker with TPM provides an additional layer of security: the contents of a volume are encrypted using a Full Volume Encryption Key (FVEK), which is in turn encrypted using a Volume Master Key (VMK), and the VMK is protected by the TPM. The VMK is only released if integrity of the system can be verified.
A related solution available on all editions of Windows (including Home) is 'device encryption'. When device encryption is in use, fixed drives in a computer start in a state that is equivalent to BitLocker's suspended state ('clear key'). If the computer is then attached to a Windows domain or if an administrator signs in with a Microsoft account, the 'clear key' is removed, a TPM protector and a recovery key are created, and the recovery key is uploaded to the domain server or to the Microsoft account.
Further details about BitLocker and device encryption can be found on the Microsoft website. Now let's consider some of the methods available to decrypt BitLocker volumes.
The recovery key is a 48-digit password that can be used to unlock a BitLocker encrypted volume in the absence of other valid protectors (such as the TPM) or if the system is deemed to have become compromised. Since we carry out our examinations using a forensic image usually, rather than on the original system directly, the recovery key can be essential to access encrypted volumes.
It may be possible to obtain a BitLocker recovery key from an organisation's IT department, the device owner's Microsoft account, a file saved on another drive, a snapshot of volatile memory, or from a running operating system. The recovery key can then be used to decrypt a volume, directly in Windows or by using third-party software.
Several vulnerabilities that affect the operating system (Windows) or computer firmware (UEFI) have been demonstrated to be useful to extract encryption keys or otherwise bypass BitLocker. CVE-2018-6622 (BitLeaker), CVE-2022-21894 (BlackLotus) and CVE-2024-20666 are some recent examples of such vulnerabilities.
Let's consider how one of those examples, CVE-2018-6622, could be used attack BitLocker: researchers discovered that the S3 (suspend to RAM) sleep state on some systems allowed them to subvert the TPM and reveal the BitLocker VMK. They then developed an open-source program named BitLeaker to extract the VMK and mount BitLocker enabled volumes in a Linux-based environment. This vulnerability can be mitigated by a firmware patch, by using BitLocker with a PIN, or by disabling the sleep feature.
Direct Memory Access (DMA) is a feature which enables peripherals to transfer data to/from a computer's main memory (RAM) directly, bypassing its central processor (CPU). DMA attacks exploit this capability to compromise the system, by reading or modifying the contents of RAM.
Early demonstrations of using DMA for memory capture date back to 2004 and relied on FireWire ports, which were prevalent on many devices back then. Such attacks continue to be viable using newer interfaces such as Thunderbolt and PCIe, especially on systems that do not implement modern security features such as Kernel DMA Protection (KDP) and Input/Output virtualization (AMD-Vi/Intel VT-d).
TPMs come in two main fashions: discrete (dTPM) and firmware (fTPM). A dTPM is a dedicated security chip which is installed on the motherboard of a computer. An fTPM on the other hand is implemented in firmware which runs on the CPU or the motherboard chipset.
Although a discrete TPM may be a secure device, the physical communication channel between it and the CPU/chipset may be vulnerable. TPM chips use well-known protocols (I2C, LPC and SPI) for this, and the traffic is often not encrypted. With physical access to the electrical traces on a motherboard, it may be possible to intercept and decode BitLocker keys. This vulnerability has been known publicly since at least January 2019.
A firmware TPM does not expose electrical traces that could be intercepted with an interposer or probes, but could be vulnerable to side channel and fault injection attacks. For example, in 2023, researchers at TU Berlin demonstrated a voltage fault injection (changing supply voltage to induce faults) attack that could compromise the fTPM in some AMD processors. They could use this approach to bypass some configurations of BitLocker encryption 'with 2-3 hours of physical access'.
This article covers some techniques that we can use at CCL to recover BitLocker keys and decrypt encrypted drives. It is very important for us to stay abreast of current research and to test innovative techniques. As a result, we are able to gain access to many devices which might otherwise go unexamined. Although Microsoft details several countermeasures to avoid attacks on BitLocker, there are plenty of un-patched and un-patchable computers around.
If you would like to discuss forensic examination or security assessment of a BitLocker-enabled system, do get in touch.
Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.
Get in touch