Thursday, April 3, 2025
HomeCVE/vulnerabilityWindows 11 BitLocker Bypassed to Extract Encryption Keys

Windows 11 BitLocker Bypassed to Extract Encryption Keys

Published on

SIEM as a Service

Follow Us on Google News

An attacker with physical access can abruptly restart the device and dump RAM, as analysis of this memory may reveal FVEK keys from recently running Windows instances, compromising data encryption. 

The effectiveness of this attack is, however, limited because the data stored in RAM degrades rapidly after the power is cut off.

The script flashimage.sh creates a bootable USB device for a target system by flashing an image file onto the USB storage device, which must be larger than the target system’s RAM.

To minimize downtime, abruptly restart the target system during the Windows boot process, specifically before the login screen appears, as this approach has proven effective in scenarios involving the retrieval of Full Volume Encryption Keys (FVEKs).

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

To initiate the memory dump, boot the system from the USB drive containing the Memory-Dump-UEFI application. Navigate to and execute “app.efi” within the UEFI shell. 

When this is complete, the application will proceed to generate dump files in a sequential fashion until all of the system memory has been processed. 

generating dump files
generating dump files

Multiple memory dumps may exist due to FAT32’s 4GB file size limit so concatenate these dumps chronologically using the provided concatDumps tool and analyze the raw memory data within the dumps using xxd for human-readable output. 

Make use of searchMem to locate specific hex patterns within the concatenated dump in an effective manner and to quickly jump to their offsets within the xxd output for the purpose of conducting additional research.

NoInitRD researcher investigated Windows kernel memory pools for cryptographic keys. While traditional pool tags like FVEc and Cngb were not found on Windows 11, the key was located in two alternative memory pools, indicating a shift in key storage practices within the operating system.

pool tag and FVEK key 
pool tag and FVEK key 

The FVEK key was primarily found under the dFVE pool tag, indicating its association with BitLocker drive encryption. The key’s presence was consistent and easily located, and the key was partially found under the None tag, suggesting its allocation through the ExAllocatePool routine. 

The algorithm identifier, such as 0x8004, must be appended to the obtained key in little-endian format in order to unlock the BitLocker-protected partition. 

Convert the resulting hexadecimal string to binary using xxd and save it to a file, and use the dislocker tools to determine the correct algorithm identifier and unlock the drive with the generated key file.

By kernel-level debugging with WinDbg, the researcher observed BitLocker operations during the Windows boot process, which revealed that while Microsoft attempts to erase encryption keys using functions like SymCryptSessionDestroy, some keys persist on the heap, potentially due to incomplete key destruction mechanisms.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces...

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券),...

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series...

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券),...

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series...

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive...