Understanding How Bitlocker Works

Thursday, May 8, 2008 by Mistlee

By Dan Morrill

In the ongoing debate over whether BitLocker is truly secure, and if not, what the best ways of getting into a protected system are, you first need to understand how BitLocker works and which platforms it runs on.

BitLocker ships only with the Ultimate and Enterprise editions of Windows Vista (with or without SP1; SP1 added the ability to encrypt data volumes in addition to the operating system volume) and with Windows Server 2008. Microsoft's Vista security people deny that there is any back door into BitLocker, which is good, but forensics practitioners know of, and use, a number of weaknesses and recoverable data sets that can open a BitLocker-protected volume. The key that unlocks the volume can be protected in several ways. On a machine with a TPM, the volume master key is sealed to the TPM and released only if the boot path measures as expected, optionally combined with a PIN or a startup key. The most obvious configuration, and the only one available on machines without a TPM, is a startup key on a USB thumb drive: the user inserts the drive, the boot loader reads the key, and off they go, provided the BIOS is new enough to read a USB drive while still in the boot phase.

A recovery password can also be escrowed in the company's Active Directory, which means that direct or illicit access to AD lets someone pull the recovery password for a machine, write it to a USB drive, and unlock the volume with it. Putting the domain controllers themselves on BitLocker does not help much here, because Microsoft ships a recovery tool for exactly this purpose: with the right domain credentials you can simply browse AD for BitLocker recovery passwords.

The BitLocker Active Directory Recovery Password Viewer lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a volume that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer is an extension for the Active Directory Users and Computers MMC snap-in. After you install this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. Source: Microsoft

Another intriguing attack goes after the keys while they sit in RAM. DRAM does not lose its contents the instant power is cut, and cooling the modules with an inverted can of compressed air slows the decay to minutes, long enough to reboot into a small imaging tool, or move the modules into another machine, and dump their contents. Apple, Linux and Microsoft systems were all shown to be vulnerable to this same attack, and while it is an unlikely attack in practice, it is still interesting to note what the researchers found they could do:

With the memory contents in hand, the next step was to crack the encryption and compensate for the sporadic memory errors. Here, the researchers relied on the fact that most decryption systems store information derived from the encryption keys in memory to speed calculations. These key schedules have some known features that make finding them largely a matter of scanning for patterns in the memory. Once near matches are identified, they can be set aside for more detailed analysis (including corrections for memory errors), eliminating most brute force aspects of the cracking. Source: Ars Technica
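To make the key-schedule scan in that quote concrete, here is an added example (my own code, not from the article or from the Princeton researchers) that builds a constructed memory image, plants an expanded AES-128 key in it, flips a few bytes as a crude stand-in for DRAM decay, and then finds and repairs the key by looking for the schedule relationship between round keys rather than for the key itself. Everything specific in it is an assumption for illustration: the FIPS-197 test key, the pseudo-random filler, the offset, the decayed positions and the threshold of 12 violations. Vista's default BitLocker mode is AES-128 with the Elephant diffuser; this example only looks for plain AES-128 schedules.

```python
import random

SCHEDULE_WORDS = 44                 # AES-128: 11 round keys of 4 words each
SCHEDULE_LEN = SCHEDULE_WORDS * 4   # 176 bytes of expanded key in RAM
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q
        for n in (1, 2, 3, 4):      # q ^ rotl(q,1) ^ ... ^ rotl(q,4)
            x ^= ((q << n) | (q >> (8 - n))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # zero has no inverse; defined separately
    return sbox


SBOX = _build_sbox()


def _temp(prev_word, i):
    """Transformed previous word used to derive w[i] (FIPS-197, section 5.2)."""
    t = list(prev_word)
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return t


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte round-key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, SCHEDULE_WORDS):
        t = _temp(w[i - 1], i)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def schedule_errors(window, limit=SCHEDULE_LEN):
    """Count bytes of a 176-byte window violating w[i] == w[i-4] ^ f(w[i-1])."""
    # Returns early once `limit` is exceeded so a whole-image scan stays cheap.
    # One decayed byte costs at most three violations: its own word, the word
    # derived from it, and the word four positions later.
    errors = 0
    for i in range(4, SCHEDULE_WORDS):
        t = _temp(window[4 * (i - 1):4 * i], i)
        base = window[4 * (i - 4):4 * (i - 3)]
        for j in range(4):
            if window[4 * i + j] != base[j] ^ t[j]:
                errors += 1
                if errors > limit:
                    return errors
    return errors


def find_aes128_schedules(image, max_errors=12):
    """(offset, violations) for every window that looks like a key schedule."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        errs = schedule_errors(image[off:off + SCHEDULE_LEN], max_errors)
        if errs <= max_errors:
            hits.append((off, errs))
    return hits


def recover_key(window):
    """Rebuild the key from a schedule window that may contain decayed bytes.

    Each key byte has two witnesses: the stored w[0..3] and the value
    back-derived from round 1 via w[i] = w[i+4] ^ f(w[i+3]). Where they
    disagree, both are tried; the candidate whose re-expansion best matches
    the window wins. Returns (key, number of window bytes that disagree)."""
    stored = list(window[:16])
    derived = []
    for i in range(4):
        t = _temp(window[4 * (i + 3):4 * (i + 4)], i + 4)
        derived += [window[4 * (i + 4) + j] ^ t[j] for j in range(4)]
    doubtful = [k for k in range(16) if stored[k] != derived[k]]
    best = None
    for mask in range(1 << len(doubtful)):
        cand = stored[:]
        for bit, k in enumerate(doubtful):
            if mask >> bit & 1:
                cand[k] = derived[k]
        score = sum(a != b for a, b in zip(expand_key_128(bytes(cand)), window))
        if best is None or score < best[1]:
            best = (bytes(cand), score)
    return best


def build_sample_image(key, offset, corrupt_at=(), size=2048):
    """Constructed image (not a real dump): fixed-seed filler, a schedule planted
    at `offset`, and schedule-relative bytes in `corrupt_at` flipped as decay."""
    rng = random.Random(20080508)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + SCHEDULE_LEN] = expand_key_128(key)
    for pos in corrupt_at:
        image[offset + pos] ^= 0xFF
    return bytes(image)


if __name__ == "__main__":
    # Decay one byte inside the key itself (13) and two deeper in the schedule.
    image = build_sample_image(KEY, offset=0x3A0, corrupt_at=(13, 57, 130))
    for off, errs in find_aes128_schedules(image):
        key, decayed = recover_key(image[off:off + SCHEDULE_LEN])
        print(f"schedule at 0x{off:x}: {errs} violations, key {key.hex()}, "
              f"{decayed} decayed bytes in window")
```

Running it reports the single planted schedule with 8 violations and the repaired key, even though one of the decayed bytes sits inside the key itself. The threshold of 12 is an assumption: with at most three violations per decayed byte it tolerates about four bad bytes in 176, and a real image taken after a cold boot may need a looser threshold and bit-level reasoning about the direction of decay, which the original paper does and this example does not.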

The research paper is fascinating, but if someone really wants to get into the computer, it is easier to steal the computer and go through the bag for the USB key (it is highly likely to be physically near the computer, or still plugged into it, depending on the user). Geeks with Blogs points out that BitLocker is also vulnerable to these other methods; not all of them are beyond the script kiddie, but they are fun to learn all the same:

Even with all of the new security that is provided by BitLocker, it can't stop everything. Some of the areas that BitLocker is helpless to defend against are:

• Hardware debuggers
• Online attacks - BitLocker is concerned only with the system's startup process
• Post logon attacks
• Sabotage by administrators
• Poor security maintenance
• BIOS reflashing

Source: Geeks with Blogs

Physical access to the machine is required for most of these attacks to work. The other notable point is how the recovery passwords are kept in AD for the recovery process: they are stored as msFVE-RecoveryInformation objects beneath each computer object, so anyone who can read those objects has access to the recovery passwords for every BitLocker machine in the domain, and the question of who is allowed to read them deserves attention. Those passwords can then be copied to USB drives and used to unlock any of those systems.

In general it is a good system for people running the Enterprise or Ultimate editions of Vista, with or without SP1, but there are physical and logical access issues with BitLocker depending on how recovery was set up, where the keys are stored, and which edition is in use. It is a good system, but nothing about it makes it a panacea, and if the target is important enough, there are ways around both the physical and the electronic security of a system.


About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
About SysAdminNews
SysAdminNews is a collection of articles, news and commentary designed to keep system administrators informed about the latest trends impacting their profession.

-- SysAdminNews is an iEntry, Inc. publication --
2008 iEntry, Inc.  All Rights Reserved