
How to unlock bitlocker encrypted drive


Vinnu

wilmafingerdo

It is possible, but would take a VERY long time to guess the password / hash. I have seen people rent time on Amazon EC2 Elastic GPUs to crack the key / calculate the hash; most of the time you can expect to pay about $600 for a 64-bit hash, THOUSANDS for a 128-bit hash. There is a GitHub program to guess the password and HashCat is working on a solution.... If you have any other means to recover the password / drive, I would use that 1st, as the chances of guessing it with a program are slim, or it would cost you a fortune of cloud time to try.

 

https://github.com/e-ago/bitcracker

https://github.com/hashcat/hashcat/issues/1117

https://aws.amazon.com/ec2/elastic-gpus/

 



If you are part of an enterprise environment, the key should be stored against Active Directory, if not, and you don't have the Password, or the recovery key, you've no hope.

 



12 minutes ago, Dodel said:

If you are part of an enterprise environment, the key should be stored against Active Directory, if not, and you don't have the Password, or the recovery key, you've no hope.

 

 

3 hours ago, Vinnu said:

how to unlock bitlocker encrypted drive

or any possibility to recover data bitlocker encrypted drive

 

Don't believe a word @Dodel said.  It is relatively easy to break bitlocker.  Any of the forensic software will do it and there are programs on the internet that will do it.  I don't have access to my archives right now, but if you google it I am sure you will find one.  If not I can help you when I get home tonight.



What @Dodel said is right, there's theoretically no hope.

 

It's easy to shit on BitLocker and say governments can decrypt it in the blink of an eye.

However he's no government, and the BitLocker encryption is very solid from that point.

 

What @dcs18 offers could be a solution, along with Passware Kit Forensic 2017.1:

 



@Vinnu: A bitlocker encrypted drive (to make it easy to understand) is something like a Winrar archive protected with a password. In this case, the password is the "decryption key" of the bitlocker-encrypted drive.

 

Without the decryption key it is not possible to decrypt the drive, just as you cannot unlock the Winrar archive without a password. So you have 2 choices. Either you get hold of the key by some means or just brute-force it. If the password is weak, dictionary attacks and/or brute force may work. If it's strong, then it would not be feasible to decrypt the drive that easily.

 

There are many methods to try to get hold of the key and discussion of all those methods is beyond the scope of this post. Specific suggestions to attempt to retrieve the key can only be given if you can be more specific in describing your actual scenario.

 

 



Actually it is quite easy to decrypt a bitlocker drive.  I have done literally 100s of them.  Any real certified forensic investigator will tell you the same thing, that we have access to tools that allow us to decrypt encrypted drives using a 'key of the day' which the majority of encryption makers provide freely.  They are just small programs that provide the key of the day, so an investigator just mounts the forensic image in the forensic program of choice and enters the key provided by the program and the drive is decrypted.  A good commercial program is M3 Bitlocker Decrypter, which will brute force it if you don't have access to professional tools.



10 hours ago, dcs18 said:

To decrypt drives encrypted by BitLocker:—

Elcomsoft Forensic Disk Decryptor

 

 

To break password-protection by BitLocker:

ElcomSoft Distributed Password Recovery

"

System Requirements

  • Windows 7, Windows 8/8.1, Windows 10, Windows Server 2003/2008/2012/2016
  • Approximately 8MB of free space on the hard disk
  • Administrator privileges (to create a memory dump)
  • Memory image or hibernation file containing disk encryption keys (created while the encrypted disk was mounted), or escrow/recovery key (FileVault 2, BitLocker or PGP), or a password"

Key required.... which they don't have..

 

 

57 minutes ago, straycat19 said:

Actually it is quite easy to decrypt a bitlocker drive.  I have done literally 100s of them.  Any real certified forensic investigator will tell you the same thing, that we have access to tools that allow us to decrypt encrypted drives using a 'key of the day' which the majority of encryption makers provide freely.  They are just small programs that provide the key of the day, so an investigator just mounts the forensic image in the forensic program of choice and enters the key provided by the program and the drive is decrypted.  A good commercial program is M3 Bitlocker Decrypter, which will brute force it if you don't have access to professional tools.

 

And again Direct from M3 Bitlocker Decrypter website.

 

"BitLocker Drive Decryption Recovery

As a Bitlocker recovery and Bitlocker decryption tool, M3 Bitlocker Recovery not only can decrypt data from damaged, corrupted, failed Bitlocker encrypted drive, but also can recover data from formatted, inaccessible, RAW, deleted or lost Bitlocker encrypted partition as long as we provide the password or 48-digit recovery key generated by BitLocker at the time the Bitlocker protected volume was created.

Three preconditions for Bitlocker drive decryption:

1. Bitlocker metadata must be intact: Bitlocker metadata was used to store the password and 48-digit recovery key when encrypting the drive with Bitlocker. In some situations, Bitlocker metadata has been corrupted so that data cannot be decrypted even if we have correct password or 48-digit recovery key.

2. Have correct password or 48-digit recovery key: The password or 48-digit recovery key is used to decrypt data from Bitlocker encrypted drive after the password or 48-digit recovery key that we enter matches the password or 48-digit recovery key stored in Bitlocker metadata. If the password or recovery key is unknown or lost, M3 Bitlocker Recovery cannot break into Bitlocker encrypted drive, please refer to: How to unlock Bitlocker encrypted drive without password or recovery key?.

3. Bitlocker encrypted drive is not physically failed/damaged: If Bitlocker encrypted drive is physically failed/damaged, please send it to a local data recovery service for help.

So we highly recommend every customer to try M3 Bitlocker Recovery before purchasing - How to test if M3 Bitlocker Recovery can help to decrypt data from Bitlocker encrypted drive?

"

 

Key required...which they don't have..

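The 48-digit recovery key referred to in the M3 text quoted above has a fixed structure: eight blocks of six digits, each a multiple of 11 that encodes one 16-bit value (128 bits in total). The check below is an added example, not taken from any post or vendor tool; it flags mistyped blocks in a transcribed key before a correct key is written off as wrong. The sample key and the function names are constructed for illustration.

```python
import re

BLOCKS = 8          # a recovery key is 8 blocks of 6 decimal digits
MAX_WORD = 0xFFFF   # each block is (16-bit value) * 11

# Constructed sample (each block is 11 * some 16-bit value); not a real key.
SAMPLE_KEY = "000011-135795-720885-440000-055000-345565-299002-010989"


def check_recovery_key(text):
    """Return [(block_number, problem), ...] for a typed recovery key.

    An empty list means the key is well-formed. It does not show that the
    key belongs to any particular drive; that depends on the volume metadata.
    Block number 0 is used when the overall block count is wrong.
    """
    blocks = [b for b in re.split(r"[\s-]+", text.strip()) if b]
    if len(blocks) != BLOCKS:
        return [(0, f"expected {BLOCKS} blocks, found {len(blocks)}")]
    problems = []
    for number, block in enumerate(blocks, start=1):
        if not re.fullmatch(r"[0-9]{6}", block):
            problems.append((number, "not exactly 6 digits"))
        elif int(block) % 11 != 0:
            problems.append((number, "not a multiple of 11, likely a typo"))
        elif int(block) // 11 > MAX_WORD:
            problems.append((number, "encodes a value larger than 16 bits"))
    return problems


def keyspace_bits():
    """Size of the recovery-key space in bits: 8 blocks x 16 bits each."""
    return BLOCKS * 16


if __name__ == "__main__":
    typed = SAMPLE_KEY.replace("135795", "135796")  # simulate a one-digit typo
    for block, problem in check_recovery_key(typed):
        print(f"block {block}: {problem}")
    print("sample well-formed:", check_recovery_key(SAMPLE_KEY) == [])
    print("key space:", keyspace_bits(), "bits")
```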


42 minutes ago, Dodel said:
11 hours ago, dcs18 said:

To decrypt drives encrypted by BitLocker:—

Elcomsoft Forensic Disk Decryptor

 

 

To break password-protection by BitLocker:

ElcomSoft Distributed Password Recovery

"

System Requirements

  • Windows 7, Windows 8/8.1, Windows 10, Windows Server 2003/2008/2012/2016
  • Approximately 8MB of free space on the hard disk
  • Administrator privileges (to create a memory dump)
  • Memory image or hibernation file containing disk encryption keys (created while the encrypted disk was mounted), or escrow/recovery key (FileVault 2, BitLocker or PGP), or a password"

Key required.... which they don't have..

The key is not required — it can be acquired:—

 

 

Access Information Stored in Popular Crypto Containers

 

Quote

Acquiring Encryption Keys

 

There are at least three different methods for acquiring the decryption keys. The choice of one of the three methods depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.

 

If the PC being investigated is turned off, the encryption keys may be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.

 

If the PC is turned on, a memory dump can be captured with any forensic tool if installing such a tool is permitted (e.g. the PC is unlocked and the currently logged-in account has administrative privileges). The encrypted volume must be mounted at the time of acquisition. Good description of this technology (and a list of free and commercial memory acquisition tools) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

 

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a DMA attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/), and offers near 100% results due to the implementation of the FireWire protocol that enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.

 

Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.

 



M3 Data Recovery PRO 5.6.8 by UZ1 Repack JCVO
Site: https://www.mirrored.to
Sharecode: /files/RXF6HGUF/M3_Data_Recovery_PRO_5.6.8_by_UZ1_Repack_JCVO.zip_links

M3 Data Recovery Technician 5.6.8 by UZ1 Repack JCVO
Site: https://www.mirrored.to
Sharecode: /files/RPIDKDQX/M3_Data_Recovery_Technician_5.6.8_by_UZ1_Repack_JCVO.zip_links

 

try and comment on how it went



On 8/3/2018 at 11:30 PM, dcs18 said:

The key is not required — it can be acquired:—

 

Yes, as I'd mentioned in my post above, there are many ways to retrieve the key and it is not feasible nor possible to discuss all of them without knowing the actual scenario we are dealing with.

At present there are more than 150 known ways to retrieve the key, some of the complicated ones being using Liquid Nitrogen to freeze RAM etc etc.

 

My company had helped in Forensic Analyses of various forms of media in the past decade and as I said there are only 2 ways to decrypt the drive : Either get the key (retrieval) by some means OR brute-force it.

 

On 8/3/2018 at 9:33 PM, straycat19 said:

Any real certified forensic investigator will tell you the same thing, that we have access to tools that allow us to decrypt encrypted drives using a 'key of the day' which the majority of encryption makers provide freely.  They are just small programs that provide the key of the day,

Not sure if you are joking, but I have never heard of the "Key of the day" thing and I have been in the Cyber Forensics field for quite a while :)

 

 

On 8/3/2018 at 1:09 PM, Rekkio said:

It's easy to shit on BitLocker and say governments can decrypt it in the blink of an eye.

However he's no government, and the BitLocker encryption is very solid from that point

This is a very reasonable and true statement that agrees with what I'd said a couple of days ago.

 

Without getting hold of the key in some way or the other, it is pretty tough to get the drive decrypted.

 



Archived

This topic is now archived and is closed to further replies.
