To be 100% sure about my reply, I double-checked with Passware directly.
Their answer is simple and straightforward:

"By the time Windows GUI loads and the Windows logon screen is displayed
the key is read from TPM and is available in memory. The only way around
this is to use pre-boot authentication."

Best regards,
Per Thorsheim
securitynirvana.blogspot.com


On Thu, 2011-02-24 at 15:37 -0500, John Lightfoot wrote:
> I agree that transparent Bitlocker is a great security tool.
> 
> Per, could you provide more details where you say: 
> 
> "Using Passware Forensic Toolkit you can extract the bitlocker key using live 
> memory dumping through Firewire (either by using an existing Firewire port, 
> or by inserting a pcmcia/expresscard firewire card). No need to logon to 
> Windows there..."
> 
> My understanding of the way Bitlocker works is that when you enable full-disk 
> encryption, Bitlocker creates a small, unencrypted partition that contains 
> the Windows login module.  Once you've entered your credentials and they've 
> been validated, the login module uses them to access the TPM for the key to 
> decrypt the rest of the hard drive.  I do not believe the encryption key is 
> resident in memory until after the login credentials are verified, so I don't 
> think the firewire hack or other memory scanning techniques would allow you 
> to retrieve the key prior to authentication.
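
Added example, not part of the original thread: a PowerShell audit that reports whether the operating system volume can be unlocked by the TPM alone, which is the configuration where the key is in memory by the time the logon screen appears, or whether a pre-boot authentication protector is required. It assumes an elevated session with the BitLocker module (`Get-BitLockerVolume`) available; the function name `Get-BitLockerPreBootStatus` is hypothetical.

```powershell
# Added example: classify BitLocker OS volumes by whether pre-boot
# authentication is enforced. Run from an elevated PowerShell session.

# Protector types that need a PIN, password or startup key before Windows boots.
$PreBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'

function Get-BitLockerPreBootStatus {
    [CmdletBinding()]
    param()

    # Only the operating system volume is unlocked during boot.
    $osVolumes = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' }

    foreach ($vol in $osVolumes) {
        $types = @($vol.KeyProtector |
            ForEach-Object { $_.KeyProtectorType.ToString() })

        # Protectors are alternatives: a plain 'Tpm' protector lets the
        # volume unlock with no user input, whatever else is configured.
        $status = if ($vol.ProtectionStatus -ne 'On') {
            'ProtectionOff'
        }
        elseif ($types -contains 'Tpm') {
            'TpmOnly'
        }
        elseif ($types | Where-Object { $_ -in $PreBootTypes }) {
            'PreBootAuth'
        }
        else {
            'NoTpmOrPreBootProtector'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = $types -join ','
            Status           = $status
        }
    }
}

# Volumes reported as 'TpmOnly' release the key without pre-boot authentication.
Get-BitLockerPreBootStatus | Format-Table -AutoSize
```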
