Cyber Security News

Windows 11 BitLocker Encryption Bypassed to Extract Full Volume Encryption Keys

A cybersecurity researcher has demonstrated a method to bypass BitLocker encryption on Windows 11 (version 24H2) by extracting full volume encryption keys (FVEK) from memory.

Using a custom-built tool named Memory-Dump-UEFI, the researcher was able to retrieve sensitive cryptographic keys to decrypt a BitLocker-protected partition.

BitLocker, Microsoft’s full-disk encryption system, is designed to protect data by encrypting the entire volume of a device.

It is especially crucial for safeguarding sensitive information in enterprise environments. However, its security relies heavily on preventing unauthorized access to the encryption keys.

The method used in the demonstration exploits a common weakness: the residual data stored in RAM.

When a device is abruptly restarted, its RAM contents may remain intact for a short period. By leveraging this time window, an attacker can extract sensitive data stored in memory, including encryption keys.

The demonstration highlights several advanced methods to mitigate memory degradation, including techniques like physically cooling RAM modules or maintaining power to prevent data decay.

Bypassing BitLocker: Demonstration of the Attack

The researcher carefully outlined the steps to bypass BitLocker encryption. Here’s the summarized process:

  1. Preparing a Bootable USB Tool
    A USB storage device larger than the system’s RAM was prepared using a script provided by the research tool.
  2. Restarting the Target System
    By shorting the reset pins on the motherboard, the researcher forced an abrupt restart of the system while preserving power to the RAM. This ensured minimal data degradation.
  3. Dumping Memory Data
    The system was booted using the USB device, launching the Memory-Dump-UEFI tool. This program dumped the contents of the RAM into files for further analysis.
  4. Analyzing Memory Dumps
    Using tools such as concatDumps and xxd, the researcher analyzed the memory dumps. Key cryptographic data, including FVEK, was located by identifying specific memory pool tags such as dFVE (allocated by dumpfve.sys).
Boot from the USB Device

The FVEK keys were traced to specific memory pools, with one consistent recovery location marked by the dFVE pool tag.

Key Recovery

The keys were extracted in hexadecimal format and prepped for decryption by appending metadata about the encryption algorithm, such as XTS-AES-128. Using tools like Dislocker, the researcher successfully unlocked the encrypted volume.

According to the NoInitRD, this research underscores a critical vulnerability in systems where attackers can gain physical access.

While Microsoft has incorporated measures to overwrite sensitive data, some keys persist in memory and can be extracted under the right circumstances.

  1. Enable Device Lockdown: Ensure devices are secured in tamper-proof environments to prevent unauthorized physical access.
  2. Configure BitLocker with TPM: A Trusted Platform Module (TPM) adds a layer of hardware-based security, reducing the risk of key theft.
  3. Rapid Shutdown Protocols: Emphasize complete power-off mechanisms to clear RAM.
  4. Educate Users: Organizations should train employees on best security practices, especially regarding physical device security.

This revelation serves as a reminder that even sophisticated encryption systems like BitLocker can be vulnerable under specific attack conditions. Microsoft is expected to investigate these findings and improve BitLocker’s resilience.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

22 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

22 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

22 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

22 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

1 day ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago