It is my understanding that this is not actually how it works. "A" key is in memory, but not "THE" key. I think that Mr. Lightfoot is more correct in that only certain files can be accessed when booted directly without a PIN. A valid user must log on in order to access data.
The file you reference is 1.7 gig, so I was hoping you could tell me if they actually DID anything with the key as in accessing datafiles after they got the key during the presentation. I would interested in what happened after that... t -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Per Thorsheim Sent: Thursday, February 24, 2011 2:42 PM To: John Lightfoot; focus-ms Subject: RE: Bitlocker without PIN To be 100% sure about my reply, I double-checked with Passware directly. Their answer is simple and straight forward: "By the time windows GUI loads and the windows logon screen is displayed the key is read from TPM and is available in memory. The only way around this is to use pre-boot authentication." Best regards, Per Thorsheim securitynirvana.blogspot.com On Thu, 2011-02-24 at 15:37 -0500, John Lightfoot wrote: > I agree that transparent Bitlocker is a great security tool. > > Per, could you provide more details where you say: > > "Using Passware Forensic Toolkit you can extract the bitlocker key using live > memory dumping through Firewire (either by using an existing Firewire port, > or by inserting an pcmcia/expresscard firewire card). No need to logon to > Windows there..." > > My understanding of the way Bitlocker works is that when you enable full-disk > encryption, Bitlocker creates a small, unencrypted partition that contains > the Windows login module. Once you've entered your credentials and they've > been validated, the login module uses them to access the TPM for the key to > decrypt the rest of the hard drive. I do not believe the encryption key is > resident in memory until after the login credentials are verified, so I don't > think the firewire hack or other memory scanning techniques would allow you > to retrieve the key prior to authentication.
