A cybersecurity researcher has demonstrated a method to bypass BitLocker encryption on Windows 11 (version 24H2) by extracting full volume encryption keys (FVEK) from memory.
Using a custom-built tool named Memory-Dump-UEFI, the researcher was able to retrieve sensitive cryptographic keys to decrypt a BitLocker-protected partition.
BitLocker, Microsoft’s full-disk encryption system, is designed to protect data by encrypting the entire volume of a device.
It is especially crucial for safeguarding sensitive information in enterprise environments. However, its security relies heavily on preventing unauthorized access to the encryption keys.
The method used in the demonstration exploits a common weakness: the residual data stored in RAM.
When a device is abruptly restarted, its RAM contents may remain intact for a short period. By leveraging this time window, an attacker can extract sensitive data stored in memory, including encryption keys.
The demonstration highlights several advanced methods to mitigate memory degradation, including techniques like physically cooling RAM modules or maintaining power to prevent data decay.
The researcher carefully outlined the steps to bypass BitLocker encryption. Here’s the summarized process:
The FVEK keys were traced to specific memory pools, with one consistent recovery location marked by the dFVE pool tag.
The keys were extracted in hexadecimal format and prepped for decryption by appending metadata about the encryption algorithm, such as XTS-AES-128. Using tools like Dislocker, the researcher successfully unlocked the encrypted volume.
According to the NoInitRD, this research underscores a critical vulnerability in systems where attackers can gain physical access.
While Microsoft has incorporated measures to overwrite sensitive data, some keys persist in memory and can be extracted under the right circumstances.
This revelation serves as a reminder that even sophisticated encryption systems like BitLocker can be vulnerable under specific attack conditions. Microsoft is expected to investigate these findings and improve BitLocker’s resilience.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
A hacker operating under the alias “Satanic” has claimed responsibility for a massive data breach…
A critical vulnerability has been discovered in TP-Link’s Smart Hub, potentially exposing users’ Wi-Fi credentials…
Southeast Asian Advanced Persistent Threat (APT) group OceanLotus, also known as APT32, has been identified…
AkiraBot, identified by SentinelLABS, represents a sophisticated spam bot framework that targets website chats and…
A new vulnerability has been discovered in the Microsoft.Identity.Web NuGet package under specific conditions, potentially…
The cybersecurity realm has encountered a formidable adversary with the emergence of CatB ransomware, also…