On 2011-02-24 Per Thorsheim wrote:
> "Transparent" Bitlocker with TPM and direct boot to Windows Logon is not
> a good idea in terms of security.
>
> At the Passwords^10 conference in Dec 2010, Passware revealed their
> newest version of their forensic toolkit. You probably want to see that:
> ftp://ftp.ii.uib.no/pub/passwords10/
>
> Using Passware Forensic Toolkit you can extract the bitlocker key using
> live memory dumping through Firewire (either by using an existing
> Firewire port, or by inserting a pcmcia/expresscard firewire card). No
> need to log on to Windows there...
>
> Depending on your configuration, the hibernation file may be
> unencrypted. This can then be extracted from the disk and analyzed to
> get the bitlocker decryption key as well.
>
> Lessons learned:
> 1. Superglue for your Firewire and pcmcia/expresscard ports
> 2. Do not allow hibernation mode OR encrypt the hibernation file as well
> 3. Always use Pre-Boot Authentication (PBA) in some form (pin, password,
> smartcard..)
4. http://www.securityresearch.at/publications/windows_firewire_blocker.pdf

It should be able to mitigate the risks you outlined above.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
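
A defender-side audit of the lessons listed in this thread, as an added example that is not part of either post or of the linked paper. It assumes a Windows version that ships the BitLocker PowerShell module (`Get-BitLockerVolume`), an elevated session, and that FireWire is blocked through the device installation restriction policy; the function name `Test-BitLockerDmaPosture` is hypothetical.

```powershell
# Added example: check a host against the thread's lessons (PBA, hibernation, FireWire).
# Device setup class GUIDs for 1394 host controllers and the SBP-2 storage driver.
$FireWireClasses = '6bdd1fc1-810f-11d0-bec7-08002be2092f',
                   'd48179be-ec20-11d1-b6b8-00c04fa372a7'

function Test-BitLockerDmaPosture {
    param(
        [string[]]$ProtectorTypes,    # KeyProtectorType values on the OS volume
        [bool]$HibernateEnabled,      # is hibernation allowed at all
        [string[]]$DeniedClasses      # class GUIDs denied by install policy
    )
    $findings = @()
    # Lesson 3: TPM alone unlocks before anyone authenticates; require a second factor.
    $pba = @($ProtectorTypes | Where-Object {
        $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password' })
    if ($pba.Count -eq 0) {
        $findings += 'No pre-boot authentication: volume unlocks before logon'
    }
    # Lesson 2: flag hibernation so the hibernation file can be reviewed or disabled.
    if ($HibernateEnabled) {
        $findings += 'Hibernation enabled: confirm the hibernation file is encrypted'
    }
    # Lesson 1 / item 4: software equivalent of glue is denying the FireWire classes.
    $denied = @($DeniedClasses | ForEach-Object { $_.Trim('{}').ToLower() })
    foreach ($guid in $FireWireClasses) {
        if ($denied -notcontains $guid) {
            $findings += "FireWire class {$guid} is not denied by policy"
        }
    }
    return ,$findings
}

# Gather live values (needs elevation; each lookup tolerates a missing key).
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
    -Name HibernateEnabled -ErrorAction SilentlyContinue
$hib = [bool]($power.HibernateEnabled)

$denyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses'
$key = Get-Item $denyKey -ErrorAction SilentlyContinue
$deny = @(if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } })

$result = Test-BitLockerDmaPosture -ProtectorTypes $types -HibernateEnabled $hib -DeniedClasses $deny
if ($result.Count) { $result } else { 'All three lessons are covered on this host' }
```

The deny list only takes effect when the `DenyDeviceClasses` policy itself is enabled, and it does not remove drivers for devices that were installed before the policy was applied.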
