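Failed "drill destruction" of an SSD, copied from HDD practice, exposes a serious vulnerability in corporate IT asset management
A single photo posted to the Reddit community "r/LinusTechTips" quickly drew ridicule from tech industry experts and enthusiasts, along with a spine-chilling fear. In the posted image, by a company's IT staff […]
A disk encryption feature for the Windows OS provided by Microsoft. It works together with the TPM chip to protect data, but its default behavior of automatically saving the recovery key to Microsoft's cloud (OneDrive, etc.) has been pointed out as a privacy concern.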
Starting from Windows 11, the Trusted Platform Module (TPM) 2.0 has become a computer requirement, providing hardware-based security capabilities. This poses a challenge to digital forensics experts, as the number of BitLocker-encrypted evidence protected by TPM tends to increase. This paper presents a forensic method for obtaining the BitLocker Volume Master Key (VMK) from TPM-protected evidence using Intel DCI technology and reverse engineering techniques. It shows how to enable Intel DCI in the firmware, reverse the Windows Boot Manager UEFI application, and debug the target computer using a USB 3 A-A cable to retrieve the VMK from memory. We have effectively applied the presented method on a computer with a 7th-generation Intel processor containing a BitLocker-encrypted volume with TPM protection and Windows 11 Pro. As a result, we were able to fully decrypt the BitLocker volume with the VMK and gain data access. We consider, however, that the success of the presented method depends on the ability to enable Intel DCI in the target computer, which may not be feasible in every system. © 2023 The Author(s). Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Due to the popularity of Windows system, BitLocker is widely used as a built-in disk encryption tool. As a commercial application, the design of BitLocker has to consider a capability of disaster recovery, which helps a user to recover data stored on encrypted disk when a regular access is not available. In this case, it will inevitably lead to some security risks when using BitLocker. We have a deep exploration of BitLocker encryption mechanism in this paper. We present the decryption method of encrypted VMK in case of system partition encryption and non-system partition encryption, respectively. VMK is the core key in BitLocker, with which the encrypted partition or the entire disk can be further decrypted. As for security analysis on BitLocker, we firstly make a difficulty analysis of brute force cracking on BitLocker keys, and then we analyze a possible threat caused by key theft. Based on this, we propose a few countermeasures about BitLocker usage. Additionally, we give some suggestions about security enhancement of BitLocker encryption.
BitLocker is a full-disk encryption feature available in recent Windows versions. It is designed to protect data by providing encryption for entire volumes and it makes use of a number of different authentication methods. In this paper we present a solution, named BitCracker, to attempt the decryption, by means of a dictionary attack, of storage units encrypted by BitLocker with a user supplied password or the recovery password. To that purpose, we resort to Graphics Processing Units (GPU) that are, by now, widely used as general-purpose coprocessors in high performance computing applications. BitLocker decryption process requires the computation of a very large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPU, for both of them. We analyze the performance of our CUDA implementation on several Nvidia GPUs and we carry out a comparison of our SHA-256 hash with the Hashcat password cracker tool. Finally, we present our OpenCL version, recently released as a plugin of the John The Ripper tool.
Microsoft BitLocker full-disk encryption has been widely implemented at Lehigh University since 2014 on both laptop and desktop computers. This retrospective review will summarize BitLocker's selection factors, initial testing, mass deployment, and important lessons learned. Additionally, this review will also discuss the university's transition to Windows 10 and how it positively impacted the use of BitLocker.
The security of data at rest is a crucial aspect of protecting digital information, particularly on storage devices that are vulnerable to unauthorized access resulting from theft, device loss, or cyber attacks. Full-disk encryption is one of the main solutions for preserving the confidentiality and integrity of data. This study aims to implement and evaluate the level of security of data at rest using two popular encryption technologies, namely BitLocker and VeraCrypt. The research method consists of implementing BitLocker and VeraCrypt on storage media under the same test scenario, followed by an evaluation of security and system performance. The evaluation parameters cover the encryption mechanism, authentication, key management, impact on system performance, and resistance to unauthorized access attempts. Testing was carried out through simulation of basic attacks and analysis of data access without valid credentials. The results show that both BitLocker and VeraCrypt are able to provide effective protection for data at rest. BitLocker excels in ease of integration and performance efficiency on the Windows operating system, whereas VeraCrypt offers configuration flexibility and a wider range of security options. These findings confirm that the choice of data-at-rest encryption technology needs to be matched to security requirements, the system environment, and the level of user control. This study is expected to serve as a reference for applying data-at-rest encryption to improve information security.
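The mere few seconds from the moment a PC is powered on until the OS boots. Secure Boot, the technology that has kept protecting this "blank time" from malicious programs, is now facing a major turning point that comes once in 15 years. Mic […]
With the start of 2026, what Microsoft thrust upon Windows 11 users was not a gift of new features but a fatal bug that leaves PCs unable to boot. Released on January 13 (US time), the monthly secur […]
In January 2026, a shocking incident that shakes trust in OS data protection was reported. According to Forbes, in response to a legal request from the FBI, Microsoft, in order to decrypt users' BitLocker-encrypted hard drives, the " […]
Steam, the world's largest PC gaming platform operated by Valve, has added to its latest beta client a feature that detects whether "Secure Boot" and "TPM" are enabled. This, as an anti-cheat measure in upcoming major titles, […]
Microsoft had recently released "Windows 11 24H2", the next major update for Windows 11, to Insider program participants for testing, but the company has now halted it. Microsof […]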