I’ve been using TrueCrypt for a while, and have recently switched to BitLocker. My main purpose is to encrypt backup disks that are taken off site, though I plan to use BitLocker for an internal data volume as well.
Recently a colleague noticed that a $495 program called Passware Kit Enterprise is claiming “Instant decryption of BitLocker To Go USB disks.” In fact they claim to be able to decrypt BitLocker and TrueCrypt disks, as well as PGP volumes. Really? How does that work? Are my efforts to encrypt sensitive data useless?
I should note that I am by no means a high-level security guru, but as an I.T. professional, I need to understand and advise customers on suggested best practices for mitigating security risks. Here’s what I found out in a few minutes of research on Passware and BitLocker.
Need a Live Memory Dump
This page at the Passware site describes the main prerequisite for decrypting a BitLocker or TrueCrypt volume: the target computer must be running and you must be able to get a full memory dump. This makes sense, since the key to decrypt the drive must be stored in memory while the computer is running.
The page lists three tools for getting the memory image:
– Passware FireWire Memory Manager (included in $795 Passware Forensic edition). This requires a FireWire port on the target machine. Oh no, my server doesn’t support FireWire! If yours does, take it out. Note that this could be a vulnerability on laptops.
– Mantech Physical Memory Dump Utility. I downloaded this free tool from SourceForge and ran it. Based on the Usage instructions, it can only dump the memory of the current computer, and only if you are logged on as an administrator. If you can log on as an administrator, the BitLocker volume is probably already unlocked; you don’t really need to crack the password.
– Win32dd, now part of MoonSols Windows Memory Toolkit. I downloaded the free Community Edition of this tool and checked the command-line parameters. It appears more sophisticated than Mantech: it can run in client and server mode, allowing the client to send a dump across the network to the Win32dd server. But running the client would still require being logged on to the target machine.
This PC Magazine article includes a response from Microsoft about the Passware tool. Basically, it’s, “Yeah, we knew that.” To quote the quote, “We have always been up front in our discussions of Windows BitLocker and that it is intended to help protect data at rest (e.g. when the machine is powered off).”
For more arcane information about BitLocker than you ever wanted to know, see the Microsoft System Integrity Team Blog.
The rule of thumb with any full-disk encryption product seems to be that, for best protection, you either prevent physical access to the machine (servers) or turn it off when not in use (laptops). Sleep is not enough; hibernation is probably okay. As long as the hacker does not have access to live system memory, they are stuck with a brute-force attack on the volume, which could take a very long time.
Update March 2, 2011: Passware now claims here that if the system was hibernated, the BitLocker keys “could be possibly recovered from the hiberfil.sys file.” Failing that, they resort to brute force. So turn your computer completely off, don’t just hibernate it.
Update August 26, 2013: Elcomsoft Forensic Disk Decryptor also claims it can unlock BitLocker. Their product page does a good job of explaining the prerequisites and includes a link to an open-source tool called Inception that is designed to exploit a FireWire vulnerability (IEEE 1394 SBP-2 DMA). Inception’s page, in turn, suggests mitigating the risk in Windows by blocking the SBP-2 driver as described in this Microsoft Knowledge Base article: Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker.
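To check whether a machine actually has the mitigations discussed above in place, here is an added PowerShell audit script (my own example, not code from Passware, Elcomsoft, Inception or the Microsoft article). It assumes the SBP-2 device setup class GUID, the 1394 and Thunderbolt PCI class codes, and the Device Installation Restrictions registry layout are the standard ones Microsoft documents; verify them against the Knowledge Base article before relying on the result.

```powershell
# Added audit script: reports whether a Windows host has the DMA / live-memory
# mitigations this post recommends. Run from an elevated PowerShell prompt.
# Assumed values (check against the Microsoft KB article):
$Sbp2ClassGuid        = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'  # SBP2 device setup class
$ThunderboltClassCode = 'PCI\CC_0C0A'                              # Thunderbolt controller class code
$Ieee1394ClassCode    = 'PCI\CC_0C0010'                            # IEEE 1394 OHCI controller class code
$RestrictionsKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Returns $true if the given policy list (DenyDeviceClasses / DenyDeviceIDs) contains $Value.
function Test-PolicyList {
    param([string]$SubKey, [string]$Value)
    $key = Get-Item -Path (Join-Path $RestrictionsKey $SubKey) -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq $Value) { return $true }
    }
    return $false
}

$findings = [ordered]@{}

# 1. Are DMA-capable controllers present at all? If not, the FireWire path is moot on this box.
$pnp = Get-CimInstance Win32_PnPEntity
$findings['IEEE 1394 controller present']   = [bool]($pnp | Where-Object { $_.CompatibleID -contains $Ieee1394ClassCode })
$findings['Thunderbolt controller present'] = [bool]($pnp | Where-Object { $_.CompatibleID -contains $ThunderboltClassCode })

# 2. Are the KB-recommended device installation restrictions applied?
$findings['SBP-2 driver blocked by policy'] = Test-PolicyList 'DenyDeviceClasses' $Sbp2ClassGuid
$findings['Thunderbolt blocked by policy']  = Test-PolicyList 'DenyDeviceIDs'     $ThunderboltClassCode

# 3. Hibernation writes memory (and so the keys) to hiberfil.sys; report whether it is on.
$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
$findings['Hibernation enabled'] = ($power.HibernateEnabled -eq 1)
$findings['hiberfil.sys present'] = Test-Path "$env:SystemDrive\hiberfil.sys"

# 4. Which volumes are protected (needs the BitLocker module, Windows 8 / Server 2012 and later).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object {
        $findings["BitLocker $($_.MountPoint)"] = "$($_.ProtectionStatus) ($($_.VolumeStatus))"
    }
}

$findings.GetEnumerator() | ForEach-Object { '{0,-36} : {1}' -f $_.Key, $_.Value }
```

A machine that is safe by the post's own rule should show no DMA controllers (or both blocked by policy), hibernation disabled, and protection On for every backup volume.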