Actually not. The hardware Firewire controller in your computer has direct memory access. Through the Passware kit you connect 2 computers using firewire. The target computer sees a new Firewire storage device connecting, and nothing else happens on screen. The attacking computer, running Passware Kit, makes a live memory dump of all physical memory over Firewire. Then you'll need a couple of minutes maximum to search the memory dump to recover the Bitlocker key.
We're talking about a Firewire FEATURE, not a bug. As I wrote earlier, Passware introduced this at the Passwords^10 conference, and you can see our video recording of their presentation and live demo (as well as others) here: ftp://ftp.ii.uib.no/pub/passwords10/

Yes, we were pretty amazed and scared at the same time when we saw it live. I don't remember, but you'll probably hear some comments about superglue at the Q&A at the end of their presentation.

Best regards,
Per Thorsheim

On Thu, 2011-02-24 at 21:25 +0000, Thor (Hammer of God) wrote:
> I assume he's talking about after you have logged on and the computer is
> locked and you retrieve it from "live" memory a.k.a the memory freezing
> attack. I would actually like to see that work IRL. If it were that easy,
> you wouldn't need recovery agents :)
>
> -----Original Message-----
> From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On
> Behalf Of John Lightfoot
> Sent: Thursday, February 24, 2011 12:37 PM
> To: 'Per Thorsheim'; 'focus-ms'
> Subject: RE: Bitlocker without PIN
>
> I agree that transparent Bitlocker is a great security tool.
>
> Per, could you provide more details where you say:
>
> "Using Passware Forensic Toolkit you can extract the bitlocker key using live
> memory dumping through Firewire (either by using an existing Firewire port,
> or by inserting a pcmcia/expresscard firewire card). No need to logon to
> Windows there..."
>
> My understanding of the way Bitlocker works is that when you enable full-disk
> encryption, Bitlocker creates a small, unencrypted partition that contains
> the Windows login module. Once you've entered your credentials and they've
> been validated, the login module uses them to access the TPM for the key to
> decrypt the rest of the hard drive. I do not believe the encryption key is
> resident in memory until after the login credentials are verified, so I don't
> think the firewire hack or other memory scanning techniques would allow you
> to retrieve the key prior to authentication.
>
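The step Per describes as "search the memory dump to recover the Bitlocker key" is, in practice, a search for AES key schedules: BitLocker's volume keys are AES keys (128 or 256 bit, depending on policy), and a key that has been expanded for use leaves a schedule with a fixed, checkable structure in RAM. The scan below is an added example written for this thread, not Passware's code; it follows the approach of aeskeyfind from the cold-boot research. It does not show the Firewire DMA acquisition, only the search over an image already in hand. The 4 KB "memory image", the offsets 0x3c0 and 0x800, and the two planted keys (the FIPS-197 test vectors) are all constructed for the example.

```python
"""
Added example: find AES keys in a raw memory image by searching for expanded
key schedules (the aeskeyfind approach). Not Passware's code; the image and
its contents are constructed below, not captured from a real machine.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)
    rather than transcribing the 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # rotations
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63                # fold + const
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for 16-, 24- or 32-byte keys; returns the whole
    schedule (176, 208 or 240 bytes) laid out as it sits in memory."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):          # 4 * (rounds + 1) words
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord + SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]                # AES-256 extra SubWord
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return bytes(b for w in words for b in w)


def _first_derived_word(key: bytes) -> bytes:
    """w[Nk], the first word after the raw key: a cheap filter that rejects
    almost every offset before the full expansion is computed."""
    t = [SBOX[b] for b in key[-3:] + key[-4:-3]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes_keys(image: bytes, key_sizes=(16, 32)):
    """Return (offset, key_size, key) for every position where the bytes
    following a candidate key equal that key's expanded schedule."""
    hits = []
    for ksize in key_sizes:
        sched_len = 16 * (ksize // 4 + 7)
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + ksize]
            if image[off + ksize:off + ksize + 4] != _first_derived_word(cand):
                continue
            if image[off:off + sched_len] == expand_key(cand):
                hits.append((off, ksize, cand))
    return hits


def build_sample_image(seed=1234):
    """Constructed stand-in for a memory dump: pseudorandom filler with an
    AES-128 and an AES-256 schedule planted at fixed offsets."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    k256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                         "1f352c073b6108d72d9810a30914dff4")
    image[0x3C0:0x3C0 + 176] = expand_key(k128)
    image[0x800:0x800 + 240] = expand_key(k256)
    return bytes(image), {0x3C0: k128, 0x800: k256}


if __name__ == "__main__":
    image, planted = build_sample_image()
    for off, size, key in find_aes_keys(image):
        tag = "  (planted)" if planted.get(off) == key else ""
        print(f"AES-{size * 8} key at 0x{off:04x}: {key.hex()}{tag}")
```

A hit only says that some AES key was expanded in RAM; on a real dump you would also find TLS, EFS and other keys, so a tool has to try each candidate against the BitLocker volume metadata to identify the volume key. On a multi-gigabyte image the first-word filter is what keeps the scan tractable, since the full expansion runs only on offsets that pass it.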