How to HACK Windows Bitlocker - MUST SEE!
Вставка
- Опубліковано 27 сер 2024
- Windows has a secret! An encryption technology designed to keep your stuff safe and secure. But if not configured correctly, it can be hacked!! In this short session I'll take you through a full forensic demo on how to hack Microsoft Windows 10 / 11 disk encryption technology. I'll show you how it works and more importantly how you can defend against this attack. As always I love your feedback, comments and questions. if you enjoy please hit the like button.
Visit me at www.Andymalone.org
** Please note I do NOT offer product support for any of the products featured in this video. Please contact the vendor directly at www.passware.com/
Thank you for this video, this was helpful to a bitlocker Noob exploring how secure bitlocker is. So just to clear up the following as to what was stated, and someone please correct me if any of these are wrong...
A.) The PC/Laptop is vulnerable if it is powered on, AND already logged in, where someone who has access can take a dd image and memory image, and then later mount the image and use forensics software to extract the decryption key. Later, that key can key entered in when unlocking the harddrive.
B.) Using a laptop with a TPM will prevent the keys from being stored in RAM, and the computer is a lot more secure and less vulnerable to having the hard drive decrypted if stolen.
C.) TPM is not used as often in enterprise applications, because administrators want to backup the keys, for when employees leave the company and therefore they can still access the data on the employee's laptop.
D.) TPM chips are okay for personal laptops when you are the owner of the hardware and will not be using that computer under a corporate account.
If it is the case that someone can simply power on the laptop, and there is no bitlocker pin to enter, then after the laptop boots up they can take an image with a usb or firewire cable without being logged in, that is a serious problem, unless a TPM is being used.
You got it.
@@AndyMaloneMVP Great, thanks Andy. But does the user need to be logged on to an account, or simply turning on the computer will allow this access to make an image?
@@johnson554671 switched on
@@AndyMaloneMVPIf I encrypt the disk only using TPM and do not save the recovery key, do I still need to reboot the PC to remove it from memory in order to avoid being captured by someone who has access to my machine (afterwards but before it is being switched off)?
@@AndyMaloneMVP Also, does the newer version of TPM 2.0 have the same weakness?
Here is the problem. The innocent buyer of your product knows nothing about your system, and is now locked out of his PC, did not put in any passwords; and more often the seller has no knowledge of this! So the poor consumer pays and suffers! That is just brilliant!!!
they should know they are using a encryption system and should know how thne system they use works, if they don't do research its they own fault anyway for not having backups and stuff.
does this work for win11 though? tpm 2.0 is neigh unbreakable. 😢 my sister's laptop just suddenly got locked and needed bitlocker key
They’ve completely conned me out of several hundred dollars
Hello Andy! Amazing video and I really like your teaching skills! Clear, slow and straight to the point! :)
Great video! Follow-up question:
How exactly did you create the forensic 'DD' image that you mentioned at approximately the 3:48 time mark? It sounds like you mentioned a Firewire cable, but I cannot make it out for sure and no further explanation is given for the process to create the direct disk image of the encrypted BitLocker drive?
You need to purchase Passware forensic. It comes with a utility to take the snapshots. Unfortunately it's not cheap (sorry). Glad you enjoyed the video though.
@@AndyMaloneMVP Thank you for your reply! I've read through the Passware Forensic documentation and it seems like that tool uses the Passware Bootable Memory Imager tool to boot from a USB to capture the RAM in 2GB "Physical memory image files", but I don't see how the "Encrypted BitLocker volume image file" is captured -- I was asking how you created the 'direct disk image' from the encrypted machine (which you then converted to the virtual disk in your video). The Passware Bootable Memory Imager seem to only create the memory image files, not the the 'DD image'... how did you go about creating the encrypted disk image from the locked/encrypted Windows machine?
@@Matt4istal Cool. I've not used the tools for a while so you're probably more up to date than me 🙂
@@AndyMaloneMVP Sorry to be persistent, but the question I'm asking is how you did what you did in the video:
How did you create the 'direct disk image' from the encrypted Bitlocker machine (which you then converted to the virtual disk in your video)?
@@Matt4istal for the last time I used the Passware utility and a FireWire cable. I booted a second machine with the utility which is connected to the target computer. The utility created both the DD image and the memory bin file. If you want details I’m sorry I can’t remember as I recorded that video a long time ago. You will need to contact Passware for the most up-to-date tools. Sorry I could not be of more help. Thanks again.
6:33 When you say "the recovery key is always stored at the front of the image" are you talking about the memory image or the disk image. If it's the disk image that'd be equivalent to taping the key to the safe I'd think. It also seems bizarre that the recovery key is ever loaded into memory or saved in the page file at all. What purpose does that serve other than to make the encryption pointless? Can you show us what encryption settings you used for Bitlocker when making that disk?
You’re right it’s memory.😊
memory image. For specifics please reach out to the vendor for support.
TPM 2.0 exists since Ryzen 5000 and X570 Mainboards so if im not mistaking longer than this video. Forsure the standard was set 2014 but not directly overtaken by manufactorers.
that was absolutely brilliant. I wonder if it is possible to live boot Linux along side a windows that was properly shut down not in read only mode and be able to use similar tools to grab the same password or are they only windows tools. I think this is useful also if one gets a virus on their machine and has to be able to turn bitlocker off to gain full admin access. Love videos like this and looking forward to more.
Hi Spencer thanks for your response. Of course the other way to grab a memory dump. It’s to take a copy of Windows hyberfi.sys file. But yes you make some good points. Great to have you on board and I hope you enjoy my channel.
v interesting - i have done many hours of security and didnt know this - even did the AZ-500 and CASP last year ! Thanks for sharing this and Happy Halloween :)
This is way beyond the exam my friend😀 Happy halloween 👍
Hey Andy, very interesting video. I'm curious, if you never had a Bitl-ocker key established I have to imagine this would not work?
If you did not have a machine that is not encrypted then it's open for all to access. If they have your device of course.
@@AndyMaloneMVP I believe what Ron Andrews was referring to is if the user did not knowingly choose to encrypt the drive. I've heard reports that MS sometimes automatically encrypts drives without the user even knowing about it. I have not witnessed this firsthand, but sounds like it can happen when logging into Office 365 etc. I believe in these cases a recovery key is still established, it is just saved in the user's MS acct if I'm not mistaken. If so, the answer to Ron's question would be YES, this process should still work because there is still a recovery key established even though the user did not do it knowingly.
Interesting, I purchased a Dell factory refurb laptop. Went through the process of setting up windows and all the updates never invoked Bitlocker, the Laptop then crashed and DOA. Had Dell tech come out and replace MoBo and he left with the blue Bitlocker screen up. Unfortunately I was not present when he left, tried to call him, but he never reached back out. Since I never set up Bitlocker, I’m thinking the TPM and the new hardware created this situation. So here we are 😑
Question 2 - I also listened several times, and I never heard what your suggestion(s) are as to how we can protect ourselves against this. In your comments you mention the video will tell us how to defend ourselves against someone doing this to us. Can you direct me to the specific time spot where it is explained?
Forgive me, but I recorded this video quite some time ago and I no longer use the software. Don’t be paranoid with cryptography. Your only danger is that somebody delete your data. Not even cryptography can defend against this. Just practice good management techniques, including ensuring that you back up your cryptographic keys. Also use a TPM 2.1 module on your laptop. This is a good protection mechanism. Since this video was recorded crypto has come on along way. Do some reading. docs.microsoft.com is an excellent resource. Thanks again and all the best, Andy
Thanks for the video, very interesting stuff. Stumbled onto your channel while trying to help a friend with their computer.
One question I have which I didn't totally understand from your video - it sounds like this will only work if you have access to the encrypted computer WHILE IT'S BOOTED and in Windows, is that correct? If the computer is turned off, the data is flushed from RAM, is it not? So if you try booting the encrypted computer and do not know the password to get into the user's profile, is the Recovery key still able to be extracted using your method?
Hi there, to be honest, I recorded this video quite some time ago and I no longer use the software. That said bit locker is what we call key escrow which means that the recovery keys are normally within the software itself. This allows Admins to recover a users data, if the user leaves the company. so, although I can’t be 100% sure I would say that, yes they would eventually be able to crack the data. For more information on the locker, I fully recommend going to docs.microsoft.com as all the documentation is here. Also visit passware.com. They have a good resource base for questions and answers. All the best and thanks again
Apple uses the T2 chip for the same reasons and it works better than TPM 2.0 (FTPM Vs DTPM).
Unfortunately my laptop won't boot, and it is always asking for the recovery key, which is not in the microsoft account. I removed the SSD, used an SSD reader + Sata to USB cable to read it external with another laptop. When I check the drives, they are still asking for the recovery key. I checked the passware software but it is like 1000 dollars or something. Is there any way to unlock this recovery key, having access to the physical drive? thank you
Thanks very much for your question. Unfortunately I’m looking at the information that you sent me it would be difficult to restore this disc without the recovery key. I do appreciate the software is very expensive. I think in this case however, I would recommend contacting a specialist data recovery person. Other than that I hope you have a back up! Thanks again and all the best.
I have the same case like you
@@orbitdhbc2006 have you resolved your recovery key issue.
so if we store the keys in AD, they're vulnerable to this hack, but if we store them in the TPM only, they are safe? Want to make sure I understand.
Correct
and this happens to any other encryption method not just bitlocker.
Loved this video, Presented an interesting forensic case with demo ✨
Many thanks I appreciate the feedback 👍😀
That was fantastic andy! well done for sharing another gem. I love forensics stuff like this, I think it is really cool and nerdy. And yeah, i completely agree there is always a trade off with security and usability or accessibility. What do you think of 3rd party password managers? I often say to people that you are putting all your eggs in one basket and trusting that company will never become a victim. I generally have a tierd password and email set up where very few companies will get my no.1 personal email address or password. Mostly just a secondary spam email specifically for all the crap we are often forced to sign up to.
Thanks for the comments MFA is the only way to go forward.
@@AndyMaloneMVP I lost the password, lost the recovery code, so is there any way to get the data?
help me.
Thanks
@@nhavuontv590 I’m afraid not
It’s probably best to simply use an offline password manager that is blocked from accessing the internet using your firewall.
So the recovery key gets leaked into the memory when the PC is in use. OK. You say the the key does to the memory and also to the page file. So the question is: if I turn off the machine, I am safe? The receovery key is not on memory anymore, and the pagefile, even if it is not purged of the recovery key when tou shutdown, it is on an encrypted drive, inacessible without the password or key. What I am asking is: if I shutdown the machine, I am safe against this attack of imaging the disk and memory? Thank you.
Hi Andy
Thank you for the great video. What is the software you use to create dd image (Direct disk image) & Memory bin?
Passware has a utility that you boot with a FireWire cable
@@AndyMaloneMVP
Thank You! Can I use to take memory image using FTK Imager utility as well? Then memory image will be .mem and not .bin. Need to try it out but out of curiosity I asked.
Thanks!
@@MAslamJiffry To be honest, I don’t see a problem however I would recommend that you check with Passwares website just to be sure. Thanks again and all the best. Andy
@@AndyMaloneMVP but if you boot doesn’t that mean the recovery key is deleted from RAM?
@@eddie1975utube You don’t boot the victims machine. You would boot the investigators laptop, take a snapshot of ram and then use it to find the recovery key. If I were you I would take a look at Passware forensics website, they’ve got some great resources. They can help you much more than I can. Thanks again and all the best, Andy
I really disagree that this is a hack, because you need the RAM snapshot. So this would only work if you have access to the already unlocked machine.
If you have this already as an attacker, the security is already gone.
If an attacker finds your encrypted disk or steals your device there is no way to get this RAM image. So...what's the deal?
With many western crypto algorithms they come with Key escrow which potentially allows an admin access to the data.
@Andy Malone MVP that's right, but the way you show to decrypt the bitlocker encrypted disk has nothing to do with escrow, right?
Escrowing means that the backup key is stored centrally for administrative purposes, as you also explain correctly in your video.
But to use an escrowed backup key I do not need any of your tools or procedures.
Usually, I like your videos, but here it seems like click baiting to me: shocking headline and the content is not really about it nor are you technically right on the assumptions you use here or you are mixing them up.
@@matthiasfleschutz1518 q of course, click baiting is the way that UA-cam works. If I just put in regular titles, nobody would ever view my videos. It’s sad, but true I’m afraid.
@@AndyMaloneMVP uh, really? Although it will not matter, a reason for me to unsub. There are so many tech content creators that don't follow that route...
@@matthiasfleschutz1518 and I hope I’m one of them. You will notice that there are very few of my videos that I like that. Anyhow, sorry to see you go.
I woke up this morning to find bitlocker had locked me out of my computer. I never set this up, nor did I even know about this program. And for some reason, my computer isn't registered on my microsoft account. Even though I thought I had to set this up when setting up my computer. And it turns out that I don't have a copy of windows to factory reset my computer with. I have spent hours trying to find some sort of work around to no avail. All I was trying to do was play some minecraft. 😑 I'm going to try again tomorrow. Amd maybe have my husband try a few things. Probably going to have to reformat my hard drive...
Hi Andy: Thanks for your feedback and presentation. As a last resort, I am going to try what you presented. The video went rather fast and was hard to keep u p with you. I imagine I can just click on stop so as to get a better feel of what you are presenting. I do see the idea behind this and it is good protection. If it works for me, then I am so happy that I can get my laptop to work again. If not, well, I will chalk it up to not being smart to encrypt it in the first place. It is an expensive ordeal making this mistake. HP wants to charge me $300-$400 to fix it. I just might as well buy another computer. At least I can salvage the SSD drive so it won't be a total loss. If the computer still was under warranty, maybe
it wouldn't have cost anything. I will see what happens and let you know one way or the other, if it works. Thanks again.
Thanks for this and I’m sorry to hear of your predicament. As I said in the video that was merely a demonstration. passware.com is the source of information regarding this tool. Beyond that I would get professional help. Unfortunately, I cannot provide a support service for this product. There are loads of documentation sources on Google. You may wish to take a look at those as well. Either way, I wish you the best of luck, Andy
Clearly articulated. So, what's the solution in your opinion? weighing all the risks what do enterprise admin have to do with it?
Windows 11 with a TPM 2.1 back up keys to Azure key vault. Never lose sight of your device.
Does veracrypt have this vulnerability?
Great Video but what Programs did you use to create the memory shot and the DD drive ?
Passware Forensic
I have a machine i just got locked out from. i dont have the 48 digits code, it is not stored at my microsoft account. What can i do to get back in to it? its an Dell machine and doesnt have tpm options in the bios to enable or disable either....
Obtain the technical support of a forensics specialist.
Well from what i can understand, this "hacking" can only work if the hacker has access to the laptop/desktop which was used to make the encryption. If however, someone encrypts his whole USB flash drive or external HDD using Bitlocker, then removes that device from his computer and takes it with him, goes outside and loses it, then the person who finds that device will not be able to access the files inside it. Am i right?
In principle yes, however there are professional cracking tools that law-enforcement could use to potentially unlock it. That is beyond this conversation of course
@@AndyMaloneMVP Thank you a lot for the very quick reply, i appreciate that a lot. I don't really mind the police since i don't have something illegal to hide, nor i am planning to in the future. I am mostly concerned about protecting my personal files and information from malicious people. Then again if law enforcement can use tools which can unlock it, so can criminals. I might consider veracrypt too for very important files. Thanks again, cheers!
You’re welcome 👍
@@stratvar you don't need to have something to hide to want to have privacy
So i have a question, if my workmate's PC happens to be destroyed before i take those "snapshots", theres no other way to unlock the recovered encrypted drive?
No. It's gone, sorry.
thank you for the video!
are there any free or open source alternatives to the 1195 $ Tool (Passware) ?
Not that I know of
Am I missing something?
We're saying that an attacker with access to a powered on, fully decrypted laptop can access the bitlocker recovery key?
If an attacker has access to a decrypted laptop it's game over anyway right?
Why make life harder for yourself by encrypting it again... only to decrypt it?
If you have sufficient access to pull an image of the disk and the ram you'd be able to just dump any sensitive files.
Decrypted is wide open.
Right so we're not suggesting that this is a viable attack?
Just that this is a quirk of how the bitlocker recovery key is stored?
If we have sufficient access to dd & image the RAM we have sufficient access to steal any sensitive info anyway.
We could also just use powershell to output the recovery key.
I have two questions. What if there is a different case where police only takes the hardware (hdd/ssd) without taking the whole pc. Would they still be able to access the memory ram / snapshot the drive and crack the password? Would it make it less effective or there would not be any vulnerability to encrypt without TPM modular method in this case?
Hi Andre I’ll be honest with you I recorded this video sometime ago and I now use a Mac. I would strongly recommend that you get support from either Microsoft or Passware.com. I wish you the best of luck.
THANK YOU MY BROTHER FROM ANOTHER COUNTRY AND ANOTHER FAMILY!!!
You’re very welcome 👍😊
tldr:
1) Export memory content
2) Read recovery key
That PASSWARE software is so expencsive !!
I'm a bit late to the party, but still must ask: haven't they implemented RAM encryption as well? Pretty sure I've seen such a switch in my laptop's BIOS. It seems such a decision should metigate the issue.
Probably, I record this video sometime ago. However, experience shows it’s always a back door somewhere
Is the cord an ethernet cord? What if your bitlockered out and you never logged into Microsoft on the locked out computer? Then what? Throw it away?
No, I’m using a fire wire cable
@@AndyMaloneMVP Thank you!
IN order to get an image of memory you need to be an admin already or cold boot so this doesn't work
Thanks for adding to the conversation
Not working I had try all ways like Microsoft help desk etc still not recover key
Sorry to hear that. Good luck 👍
Hello Andy, We have forgotten Microsoft ID/PWD and backed up all the DATA on D and E partition, can it possible to recover bit locker key for D and E?
If you’re using Windows 11, your recovery key is normally tied to your Microsoft account. You might want to check that. Other than that I cannot help you I’m afraid.
@@AndyMaloneMVP thank you for reply. yes, we are using windows 11. But, we don't have the Microsoft account details which are default comes with laptop from Lenovo, and Lenovo also not supporting. that's why I ask u.
how did you produce the .bin file? I tought it was the memory dump of the original pc (which we can't use because its disk is bitlocker-ed). the dd file is like the clone of the disk in .dd file iirc?
Via a connected laptop with FireWire. It’s a bootable image capture via Passware forensic
when none of that works can you just replace the memory and hard drive because this didnt work
@Andy, does this also work for a laptop with an external hdd, which of the laptop has been formatted a couple times, where the external drive is encrypted? Or if the ram module has been changed?
You know have to be honest here. I don’t know. I’ve never encountered that situation. You could reach out to Passware and ask for the support.
@@AndyMaloneMVP fun thing is, i have an external hhd with the bitlocker and i forgot the key, but when i use data recovery from minitool, it almost recoveres evedything from the drive. Some files are corrupted, but a lot are saved. Maybe a tip for someone else. Thanks for your quick reply btw and great explanation on your video!
@@alphawarriorthegrandmaster hey. Saw your comment about minitool used to recover files from external hard drive. Wondering if I can attach Drive externally and do that.
@@eddie1975utube hi Eddie, yes my drive was also an external hdd.
Minitool requires you to know the bitlocker key.... Otherwise it doesn't see anything on the drive.
Would this also work on a bitlocked drive where you cannot get past the bitlocker recovery screen? The reason why I am asking is that I have a dell computer and after a bios update, the computer wants me to enter the recovery key. However, I never set it and also it is not in any of my Microsoft accounts. The computer is of course verifiably mine (you can check that at least with dell laptops with TPM, this occurs more often). I am struggling with how I would then make a sufficient enough snapshot of the RAM and the disk.
Hmm this is a tricky situation. In the first instance I’d probably reach out to Dell support as if you didn’t set a bit locker key they may be able to help you. Also you could also consider submitting a support ticket with Microsoft again they may be able to help you. I am sure that a forensic tool could also help, but suspect they would be substantial cost involved on your part for the recovery. Good luck anyway and I wish you all the best.
After the BIOS update, did it de-select SecureBoot?
I have the exact same problem on an HP laptop that's not even a week old. Microsoft said they couldn't help me and to contact HP support. HP support just gave me instructions on how to do a clean install of Windows. I'd advise anyone to just disable BitLocker.
I do have same issue ...I have some Important files in c drive and I want to recover those files and then I don't have any issue if I clud do rei stall a window in my hp laptop...can you please help me out to recover my files if I cannt access it because of bitlocker
Teacher, what if, on the verge of physical access to the computer, the memory was removed and broken, would the attacker have access in some way?
I don’t know
I had tried every video on UA-cam and nothing seems to work to recover my BitLocker key in my screen appears only the blue screen I have not option to did look to type in anything please help me to recover my bitlocker key
You can purchase the software from passware.com. I download the software in my video. The best of luck.
Easy method is
1) press esc
2)click skip the drive
3)uef settings
4)search for security boot and turn it on
It's not working every laptops some where done with this trick
@@kuldeepsingh0023 Turn ptt something on
it's not clear exactly where you got the recovery key.
- when you say that it is always at the front of an image, do you mean that it is readable from the disk without having to decrypt that disk?
- i'm assuming that the recovery key is loaded into memory so that it can be backed up somewhere: how do you avoid it getting into memory?
Use a TPM module. This prevents the key from leaking into memory. For more details on this product, please visit passware.com
@@AndyMaloneMVP oh i see. i thought that it leaked into memory even with a TPM
Hello I’m Locked out of my laptop. Once I enter my password it goes to test mode.I’ve forgotten my administrative password and it ask for that
iboysoft.com/bitlocker/unlock-bitlocker-without-password-recovery-key.html
Does this method (passware) work if the drive is locked with TPM ?
It depends on the Ransomware
i just forget bitlocker recovery key and password. could you help me.
I can’t help you personally but if you reach out to Passware forensic support pages I’m sure you’ll find out. Best of luck
Dear my laptop updated in yesterday, but when i am enter our registered bit locker key in my laptop it shows incorrect, I am enter endpoint registered bit locker key.
Oh dear I’m sorry to hear that. You may want to reach out to Microsoft support who I’m sure can help. 👍
Are you saying that when you backup the Bitlocker Key to Azure it is in memory for a little bit? Is this just a short term concern like the day the key is backed up?
It is.
sir disk2vhd showing error : unable to image encrypted drive
Unfortunately I cannot offer personal product support. Please reach out to the vendor, many thanks.
Frankly, I don't care about security ... I and my machine stay home ... I am looking for removal of Bitlocker so it will not lock-up my machine
👍
Please help me as a novice because I have locked up my external drive, and the computer I used for the encryption is damaged. Also, I don't have the password or bitlocker key.
If you’re using Windows 11 your Bitlocker recovery key should be backed up to your Microsoft account. You may want to check there.
@@AndyMaloneMVP I only saved it on another USB flash drive. I checked on my Microsoft email account and there was no device linked to this account.
When someone steal my pc, TPM 2.0 Enhanced 20 Char Pin, is he able to decrypt it and get my stuff? Video is 2 years old, maybe Bitlocker is safe now? Any advice on better encryption software/methods?
It would be VERY challenging
@@AndyMaloneMVP So possible? Then why does bitlocker even exist when it is not secure.
so for transporting company secrets through an airport, bitlocker is fine as long as everything is powered off?
Correct 👍
We are not able to take the dd image of bitlock drive through dd utility on windows... it's throwing an error while taking dd image of bitlock drive stating that "to take the dd image first you need to off the bitlocker on the drive"
Thanks for your comment unfortunately I cannot provide personal support for this product. Please reach out to passware@passware.com
A "friend" had my Dell laptop win 11 and would not return it.
I logged unto my ms account and locked it and displayed a note on the screen to return my computer.
Now I have it back and cannot get past the login page.
Of course I logged back into my ms account and found this computer,
but IT DID NOT LET ME UN-LOCK IT!
Incredible.
There is no button at all now. No Lock on this device and no unlock!
I tried and tried many things and called ms service and they cannot help me!
With nothing to lose at this point, I decided to Remove this Device from my account hoping the lock would release but it did not.
This is a huge oversight on microsoft's part - letting us lock our device but not letting us un-lock them!
Any ideas?
Sorry I wish I could help
Do you have to creat a vhd in order to use passware?
It depends on what you’re trying to do. Visit there website for more details
so then, tmp+pin ? set a pre-boot PIN ?
So does this only works if you image the ram while the drive is unlocked and logged into the OS? Or can this work if imaging while locked prior to os login?
This was an old video. I check out passware.com for an up-to-date guide.
Teacher, is the recovery key dumped into memory before password authentication? (considering that there is no TPM chip and you just used the password to encrypt the disk)
Yes. The recovery key is also stored on the disk.
I mistakenly encrypted my external hard drive. Anytime I try decrypting, it takes hours but never decrypts. What should I do?
Did you have a backup of your recovery key? Do remember that this process CAN take hours and hours.It's possible you tried and interrupted the process. Unfortunately in this case you possibly damaged the data. Do you have a backup of your data? If not you may need support. Best of luck and thanks for reaching out.
Interesting video Andy.....but far too complicated for me!!
I have just bought a dell xps 13 from a bankruptcy auction in Nottingham.
Its locked with bitlocker.
If I discard the hard drive and install a new one, will I be able to do a clean install of windows without any need for bitlocker keys?
Thanks
Pete
Wipe the disk and reinstall from fresh install
@@AndyMaloneMVP Thanks for the reply Andy, but I would like install a new pcie drive. Can I just format it and install windows without any consequences from the TPM chip?
Thanks
How do you call HACK when you already know the recovery key
It was a demo. And at that point, I didn’t know the recovery key.
i had 1040s irs files in my bitlocker. For a week or two pop-ups asked me to open my bitlocker. two or three times a week , which i ignored. then it stopped and a week later i got curious and opened my bitlocker. The files were gone and 5-6 files of "Wipe Out" a video game show of kids jumping across a pool to win prizes. I deleted those and a month or two later the IRS sent a letter from Fresno, CA office that something was up. Then another IRS letter from Atlanta,GA same note about some document i was said to have sent them. Well, no other letters from IRS. It must have been an attempt to file my taxes and get my refund.
hey I have a question, if my laptop has TPM and windows 11, is it safe from this hack? or do I need to do something else to protect the sensitive data bled in memory?
Honestly I’ve not tried it. I’m a Mac user now 😊
So actually its a problem for all those software encrypter programs. But still better than having no protection because you reduce the amount of people who are able to do it.
Windows 11 now backs up your bit locker recovery key to your Microsoft account so recovery is easier
@@AndyMaloneMVP yeah but recovery is not the problem if someone can read it out of the rams its a problem. Isnt it?
OK, cool. thank you, but how shall we protect a BitLocker-encrypted computer data from accessing by bad guys, if such a computer is not a member of company AD? I was expecting to see that. Is it then the combination of TPM and PIN entered with every boot, or?
With the latest next gen machines Bitlocker key recovery is linked to the user Microsift account.
Is this scenario with tpm enabled? So the key does leave the module into ram at some point
@Andy Malone MVP - thanks for the heart I'll take that as a yes. I was wondering that because prior to some windows 10 version you had the option to leave keys outside of tpm in case you didn't have one, I guess that option is no longer available and the recovery in ram scenario applies regardless. I've seen other videos where tpm is not used in older windows versions and you could even get the password used to encrypt thru drive by getting the hash of it. Recovery key option also applies to this non tpm scenario.
Did it bled to memory because it was in a domain and using mbam (is it the name?) or its always available while logged in?
Correct. You got it 👍
hi, i received this msg "The Bitlocker encryption on this drive isn't compatible with your version of Windows.Try opening the drive using a newer version of Windows." And am not able to unlock the drive now. Any avenue to unlock it? I m currently using W11 and previously it was W10.
This should help www.minitool.com/partition-disk/fix-the-drive-where-windows-installed-locked.html?amp and here answers.microsoft.com/en-us/windows/forum/all/windows-10-how-to-unlock-the-drive-error-the-drive/43ebf234-4f2a-4c11-8d1b-9f7c5519c968
I had an interrupted windows os update, got my drive D locked by bitlocker I don't know the recovery or any password in it all my important school files are stored there, just using my hdd to run my computer.
Hello , where can I get that 2 file from 6:03 ? Is it already on my device or I had to do another step to get that file ?
Passware forensic is the tool. Passware.com
I have 4 keys in the tpm module of my corporate laptop and I need to crack it to retrieve the recovery key. I believe it's possible only with flasher device that attaches on the TPM and Kali Linux Dislocker tool or something?
Good luck my friend. 👍
Ayuda por favor, pasa que formatee una PC ALL ONE DELL 7ma Generación, Windows 10, guarde todos los archivos en la Unidad D, formatee la unidad C, terminó la instalación del windows 10, abro Este Equipo y veo que la Unidad D tiene un candado amarillo, no se como se puso ese candado, tengo información de office muy importante, que hacer por favor
Bitlocker. You’ll need to reformat
How to do that if I have only .img file? How to get the recovery key if it is lost?
You can’t. However for more support I’d reach out to Passware.com
Would this work in a situation were a third party got onto my computer and activated bitlocker thus blocking me out?
Possibly. For any support issues I’d advise you reach out to Passware directly at Passware.com
Is that still possible with TPM 2.0 or not anymore
If you backup your key via azure key vault of any other means, then your key will slip into memory I’m is it Taga will still work
So in a scenario where i have one tpm module, a win 11 and win 10 installation as a lab, though i want both bitlocker protected, i have to disable tpm bitlocker on one osd. So if i understood your video correctly the one without the tpm is (with usb or password) is vunerable and the other is safe?
Since if i use tpm bitlocker on both oses one will have a nonrecoverable nonbootable drive.
To be honest, I recorded this video sometime ago. I now use a Mac to windows 11, so in this case I’m not the best person to consult here. I would typically visit learn.microsoft.com or go to passware.com for more support on this matter. I wish you the best of luck. 😊
Please Advice.. I have a hard disk which holds backups of my pc's.. My staff had put an encryption on the device without making a backup of the key.. The PC was formatted due to a virus attack and the backup now cannot be accessed.. There is a lock symbol on it and in the properties additional users (without names) are showing up.. Any way of recovering the data??
I would suggest contacting the local third-party data recovery organisation to help you
Hello.
So. Which steps I should follow to protect my Personal Computer.
I understood thah one step is to have TPM, and the second is to disable PAGEFILE.SYS.
Is this the correct way.
Can you make a video about VeraCrypt? About what you think and your kwoledge (that is impressionant).
Great video!
The first way to protect your computer don’t be paranoid. If you were to use cryptography, use it in a sensible way. If you don’t have a TPM (which most new computers do have today) then, to be honest, there is little value in using a bit locker. There are a number of cloud-based services that offer very good encryption, for example Microsoft 365 information protection. This can be invaluable and not only protecting your data but also in a disaster recovery scenario. I hope this helps
@@AndyMaloneMVP apologize for been paranoid. But.
I don't understand what I shoud do in case I have TMP (NOT 2.0 BUT TPM1.2).
So. Can I trust in Bitocker?
Should I have to use VeraCrypt instead.
As I said. Apologize for beeing so paranoid. But I localy store sensitive data such as Medical Information, Religious an Politics info...
Thanks a lot for your answer. There are few youtube channels that reply comments.
Thanks!!!!!
how to create image file for dd file and bin file ?
You need a forensic tool for this
Can you please tell me how I am supposed to get the img file? The Disk2VHD will not create an img as it is telling me it is bitlocked. Also I tried the bootable USB from passware to try to get the bin file, but no luck. How do I get this? I didn't even know this was on my machine and I have so much work I have done on it. Do you offer a service to unlock this or can recommend someone who does?
support.passware.com/hc/en-us/articles/1500000308641-How-to-use-Passware-Bootable-Memory-Imager
@@AndyMaloneMVP Thank you very much for your quick reply, working on this now.
You’re welcome and Passware’s support pages are excellent. Good luck and thanks for dropping by.
@Adam Jacobs You are correct only the paid product has this. This was the version I was using.
Thanks Andy! Passware are of course very helpful but I would like your opinion as you are objective. How reliable is the Passware Bootable USB Memory Imager on a system with a BitLocker-enabled boot drive? I am surprised that the keys reside in memory for long enough after the system is shut down and are not wiped from RAM. Best wishes.
The keys are loaded as part of windows. Bitlocker key escrow is a feature of the Bitlocker encryption system. There is no way around it. As I said in the video many encryption technology is use this especially in the west. There are other vendors of course, and in this demo I just used Passware. However from experience, they are much of a muchness in comparison with the others. Thanks for your question and I’m delighted you’re enjoying my channel. Andy
Have a lovely Christmas
i have a question the forensic software costs alt and i excitingly bitlocked my files
i tried using yhe software but it dident eork properly i followed every step
I would reach out to Passware, their support is very good :-) Have a great Christmas also.
How did you make a RAM dump bin file?
With a utility that comes with the software.
So when we replace old ram and added new one it is not recoverable with new ram right?
Correct
Wait so is the bad guy the one that left their computer on or the guy that sneaks over to it and hacks into it stealing data from it?
Hopefully neither with good policies and procedures👍
Please can start in the beginning cause same if your video begin in the midst of practice . I will like to learn a lot about security . Thanks
Hi Andy I have a laptop Inspiron 13 5000 I have never set up Bit Locker (my Microsoft A/C confirms this) and I now have the blue screen calling for a recovery key I can not remove the SSD as I have no caddy capable of connecting it to my desktop is there nothing I can do to recover the drive other than a reset back to factory settings? Thanks for your help
I’m sorry to say that I’m afraid so my friend. I. Future place all you critical files in a cloud drive. That way it’s easy to recover. 😊
I encrypted pendrive with bitlocker in windows 11 in my Sony viao laptop which purchased in 2011. Now I forgot password. How many times wrong password i put without locking the drive till I reach right password. I intentionally deleted recovery key and formate the c drive many times. No back up of recovery online/offline. So how many wrong passwords I can try.
Sorry to hear that I m sorry but I’d seek out the services of a support professional near you. Good luck.
This was a waste as if someone "Hacker" or unscrupulous script installed the key, now next time the customer signs on it wants to know that key. This video will not help you with getting access to your drive that hes been hacked.
Correct.
Does it work if a hard drive was encrypted in another system and try to recover in another system. Does the key gets stored in ram page file of next computer.
Passware do other tools for this. Please can you sort the password.com details
Hello Andy I have a surface pro I found in the trash I think it was used as a display however I can't factory reset it because of bitlocker and I don't know the password. What should I do?
Reformat
Hi. I need advice. I have the recover key but after putting the bitlocker key, it's stucked and not proceeding to boot to windows. I also used sata reader and try to read it from another laptop and it asked for recovery key. But after putting it, it stucked again and doing nothing. How can I fix this? Thank you :(
Please seek out Microsoft support for this topic. You can also visit the Microsoft tech community. For Passware forensicvisit,passware.com.
HI, Have a ASUS tablet with soldered HD so cant connect to other computer to erase drive. All boot USB attempts keep triggering Bitlocker. So i want to erase drive and install Win 8 but how can i do this? Can i use command prompt in recovery blue screen F8 area or will i still need key. As you explained, will erasing drive totally still leave Key with TPM and still lock me out?
No idea sorry
Greetings! How do you bypass the bitlocker screen without the key in order to gain access to my system? Microsoft never provided the key.
You cannot
could have been a good video but thumbs down for the rock music intro.
does that really add any value to the video?
I am completely locked out of my laptop and don’t have any way to save my data. Is it even possible to clean reset the pc without bitlocker key
Do a low level disk format. Delete then rebuild