A cybersecurity researcher has demonstrated a method to bypass BitLocker encryption on Windows 11 (version 24H2) by extracting full volume encryption keys (FVEK) from memory.
Using a custom-built tool named Memory-Dump-UEFI, the researcher was able to retrieve sensitive cryptographic keys to decrypt a BitLocker-protected partition.
BitLocker, Microsoft’s full-disk encryption system, is designed to protect data by encrypting the entire volume of a device.
It is especially crucial for safeguarding sensitive information in enterprise environments. However, its security relies heavily on preventing unauthorized access to the encryption keys.
The method used in the demonstration exploits a common weakness: the residual data stored in RAM.
When a device is abruptly restarted, its RAM contents may remain intact for a short period. By leveraging this time window, an attacker can extract sensitive data stored in memory, including encryption keys.
The demonstration highlights several advanced methods to mitigate memory degradation, including techniques like physically cooling RAM modules or maintaining power to prevent data decay.
The researcher carefully outlined the steps to bypass BitLocker encryption. Here’s the summarized process:
The FVEK keys were traced to specific memory pools, with one consistent recovery location marked by the dFVE pool tag.
The keys were extracted in hexadecimal format and prepped for decryption by appending metadata about the encryption algorithm, such as XTS-AES-128. Using tools like Dislocker, the researcher successfully unlocked the encrypted volume.
According to the NoInitRD, this research underscores a critical vulnerability in systems where attackers can gain physical access.
While Microsoft has incorporated measures to overwrite sensitive data, some keys persist in memory and can be extracted under the right circumstances.
This revelation serves as a reminder that even sophisticated encryption systems like BitLocker can be vulnerable under specific attack conditions. Microsoft is expected to investigate these findings and improve BitLocker’s resilience.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
A federal jury in California has ordered Israeli spyware maker NSO Group to pay approximately…
The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…
As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…
UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…
Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…
Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…