Many people use the Windows disk encryption feature, but few think about how secure this method of protecting data actually is. Today we will talk about BitLocker encryption and try to work out how well Windows disk protection is implemented.
By the way, you can read about how to set up Bitlocker in the article ““.
- Preface
- How does Bitlocker work?
- Vulnerabilities
- Recovery keys
- Opening BitLocker
- BitLocker To Go
- Conclusion
The article was written for research purposes. All information in it is for informational purposes only. It is addressed to security specialists and those who want to become one.
How does BitLocker work?
What is BitLocker?
BitLocker is the native drive encryption feature of Windows 7, 8, 8.1 and 10. It encrypts confidential data on the computer's HDDs and SSDs as well as on removable media.
How does BitLocker work?
The reliability of BitLocker should not be judged by the reputation of AES. A popular encryption standard may have no obvious weak points of its own, yet its implementations in specific cryptographic products are often full of them. Microsoft does not disclose the full source code of BitLocker. It is only known that different versions of Windows have used different schemes, and the changes were never publicly explained. In build 10586 of Windows 10 the feature simply disappeared, only to reappear two builds later. But first things first.
The first version of BitLocker used AES in cipher block chaining (CBC) mode. Even then its shortcomings were obvious: ease of known-plaintext attacks, weak resistance to ciphertext substitution, and so on. Microsoft therefore decided to strengthen the protection at once. Already in Vista, the Elephant Diffuser algorithm was added to the AES-CBC scheme, making it hard to compare ciphertext blocks directly. With it, identical contents of two sectors gave completely different results after encryption with the same key, which complicated recovery of the overall pattern. However, the key itself was short by default: 128 bits. It can be extended to 256 bits through administrative policies, but is that worth doing?
For users, nothing changes externally after changing the key length: neither the length of the passwords they enter nor the subjective speed of operations. Like most full-disk encryption systems, BitLocker uses several keys, and none of them is visible to users. Here is a schematic outline of how BitLocker works.
- When BitLocker is activated, a master bit sequence is created with a pseudo-random number generator. This is the full volume encryption key (FVEK). From then on, the contents of every sector are encrypted with it.
- The FVEK is in turn encrypted with another key, the volume master key (VMK), and stored in encrypted form among the volume metadata.
- The VMK itself is also encrypted, but in one of several ways chosen by the user.
- On new motherboards, the VMK is encrypted by default with the storage root key (SRK), which is stored in a separate cryptoprocessor, the Trusted Platform Module (TPM). The user has no access to the TPM's contents, and it is unique to each computer.
- If the board has no separate TPM chip, then instead of the SRK the VMK is encrypted with a PIN entered by the user or with a USB flash drive carrying key material written to it in advance, which must be plugged in when requested.
- In addition to the TPM or flash drive, the VMK can also be protected with a password.
This general pattern of BitLocker operation has persisted in subsequent releases of Windows up to the present day. However, BitLocker's key generation methods and encryption modes have changed. In October 2014, Microsoft quietly removed the additional Elephant Diffuser algorithm, leaving only the AES-CBC scheme with its known shortcomings. At first no official statement was made about this; people were simply handed a weakened encryption technology under the same name, in the guise of an update. Vague explanations for the step followed only after independent researchers noticed the simplifications in BitLocker.
Formally, abandoning Elephant Diffuser was required for Windows to comply with the US Federal Information Processing Standards (FIPS), but one argument refutes this version: Vista and Windows 7, which used Elephant Diffuser, were sold in America without any problems.
Another supposed reason for dropping the additional algorithm is the lack of hardware acceleration for Elephant Diffuser and the resulting loss of speed. Yet in earlier years, when processors were slower, the encryption speed was somehow satisfactory, and AES itself was widely used before dedicated instruction sets and specialized chips appeared to accelerate it. Over time it would have been possible to add hardware acceleration for Elephant Diffuser, or at least to give customers a choice between speed and security.
Another, unofficial version looks more realistic. The “elephant” got in the way of staff who wanted to spend less effort decrypting the next disk, and Microsoft willingly cooperates with the authorities even when their requests are not entirely legal. The conspiracy theory is indirectly supported by the fact that, before Windows 8, BitLocker used the pseudo-random number generator built into Windows to create its encryption keys. In many (if not all) releases of Windows this was Dual_EC_DRBG, a “cryptographically strong PRNG” developed by the US National Security Agency and containing a number of built-in vulnerabilities.
Naturally, secretly weakening the built-in encryption provoked a powerful wave of criticism. Under its pressure, Microsoft rewrote BitLocker again, replacing the PRNG with CTR_DRBG in new releases of Windows. In addition, in Windows 10 (starting with build 1511) the default encryption scheme is AES-XTS, which is immune to manipulation of ciphertext blocks. In the latest builds of Windows 10 other known shortcomings of BitLocker were fixed as well, but the main problem remains. It is so absurd that it renders the other innovations meaningless. We are talking about the principles of key management.
The task of decrypting BitLocker drives is further simplified by Microsoft actively promoting an alternative method of restoring access to data: the Data Recovery Agent. The point of the “Agent” is that it encrypts the encryption keys of all drives within the enterprise network with a single access key. Whoever has it can decrypt any key, and therefore any disk used by the same company. Convenient? Yes, especially for hacking.
The idea of using one key for all locks has been compromised many times, yet it keeps being brought back in one form or another for the sake of convenience. This is how Ralph Leighton recorded Richard Feynman's memories of a characteristic episode from his work on the Manhattan Project at the Los Alamos Laboratory: “... I opened three safes - and all three with the same combination. I dealt with them all: I opened the safes with all the secrets of the atomic bomb - the technology for producing plutonium, a description of the purification process, information about how much material is needed, how the bomb works, how neutrons are produced, how the bomb works, what its dimensions are - in a word, everything which they knew about in Los Alamos, the whole kitchen!”
BitLocker is somewhat reminiscent of the safe described in another passage of the book Surely You're Joking, Mr. Feynman! The most impressive safe in a top-secret laboratory had the same vulnerability as a simple filing cabinet. “...He was a colonel, and he had a much more sophisticated two-door safe with large handles that pulled four three-quarter-inch steel rods out of the frame. I examined the back of one of the imposing bronze doors and discovered that the numbered dial was connected to a small lock that looked exactly like the lock on my Los Alamos cabinet. It was obvious that the system of levers depended on the same small rod that locked the filing cabinets... I began to turn the dial at random, pretending to be doing something. Two minutes later - click! - the safe opened. When the safe door or the top drawer of a filing cabinet is open, it is very easy to find the combination. That is exactly what I did while you were reading my report, just to demonstrate the danger to you.”
BitLocker crypto containers themselves are quite secure. If they bring you a flash drive that came from nowhere, encrypted with BitLocker To Go, then you are unlikely to decrypt it in an acceptable time. However, the real-life scenario of using encrypted drives and removable media is full of vulnerabilities that can be easily exploited to bypass BitLocker.
BitLocker vulnerabilities
You have probably noticed that when you activate BitLocker for the first time you have to wait a long time. This is not surprising: sector-by-sector encryption can take several hours, since merely reading every block of a terabyte HDD cannot be done any faster. Yet disabling BitLocker is almost instantaneous. How can that be?
The fact is that when it is disabled, BitLocker does not decrypt the data. All sectors remain encrypted with the FVEK; it is just that access to this key is no longer restricted in any way. All checks are switched off, and the VMK is left recorded among the metadata in clear text. Every time the computer is turned on, the OS bootloader reads the VMK (without checking the TPM, or asking for a key on a flash drive or a password), automatically decrypts the FVEK with it, and then decrypts files as they are accessed. To the user everything looks like a complete absence of encryption, but the most attentive may notice a slight drop in the performance of the disk subsystem. More precisely, there is no gain in speed after disabling encryption.
There is something else interesting about this scheme. Despite the name (full-disk encryption), some data remains unencrypted when BitLocker is used. The MBR and boot sector stay open (unless the disk was initialized as GPT), as do damaged sectors and the metadata. An open bootloader leaves room for imagination. Pseudo-bad sectors are convenient for hiding other malware, and the metadata contains plenty of interesting things, including copies of keys. If BitLocker is active they are encrypted (though more weakly than the FVEK encrypts sector contents), and if it is deactivated they simply lie in the clear. These are all potential attack vectors. Potential, because besides them there are far simpler and more universal ones.
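The key chain from the list above and the “disabled but still encrypted” state described in this section, as an added PowerShell model written for this page (not Microsoft's format and not any Elcomsoft tool). The wrap construction (AES-256-CBC plus HMAC-SHA256, subkeys derived with SHA-256, PBKDF2 as the password protector) and the single constructed sector are simplifications chosen here, not BitLocker's real on-disk structures.

```powershell
# Model of the BitLocker key chain (constructed example): the FVEK encrypts sector data, the VMK
# wraps the FVEK, and a protector (here a password) wraps the VMK. All constructions are
# simplified stand-ins for the real on-disk format. Requires PowerShell 5.1 or later.

function New-RandomBytes([int]$Count) {
    $bytes = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes
}

# Derive a labelled subkey from a key-encryption key (simplified KDF: SHA-256 over key || label).
function Get-Subkey([byte[]]$Kek, [string]$Label) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ,($sha.ComputeHash([byte[]]($Kek + [System.Text.Encoding]::ASCII.GetBytes($Label))))
}

# Encrypt-then-MAC wrap: AES-256-CBC under a fresh IV, then HMAC-SHA256 over IV || ciphertext.
# Real BitLocker sector encryption (AES-CBC, later XTS) carries no MAC; the MAC here only lets the
# demo reject a wrong protector cleanly instead of returning garbage.
function Protect-Blob([byte[]]$Kek, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = Get-Subkey $Kek 'enc'
    $aes.GenerateIV()
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $mac = [System.Security.Cryptography.HMACSHA256]::new((Get-Subkey $Kek 'mac'))
    return @{ IV = $aes.IV; CT = $ct; Tag = $mac.ComputeHash([byte[]]($aes.IV + $ct)) }
}

function Unprotect-Blob([byte[]]$Kek, [hashtable]$Blob) {
    $mac      = [System.Security.Cryptography.HMACSHA256]::new((Get-Subkey $Kek 'mac'))
    $expected = $mac.ComputeHash([byte[]]($Blob.IV + $Blob.CT))
    # Tag check first: a wrong key-encryption key must fail before anything is decrypted.
    # (Base64 string comparison is not constant-time; acceptable for an offline demo.)
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String($Blob.Tag)) {
        throw 'integrity check failed: wrong key-encryption key'
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = Get-Subkey $Kek 'enc'
    $aes.IV  = $Blob.IV
    return ,($aes.CreateDecryptor().TransformFinalBlock($Blob.CT, 0, $Blob.CT.Length))
}

# Password protector: PBKDF2 (Rfc2898DeriveBytes) over a per-volume salt. A TPM or startup-key
# protector would wrap the same VMK with a different key-encryption key.
function Get-ProtectorKey([string]$Password, [byte[]]$Salt) {
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Salt, 100000)
    return ,($kdf.GetBytes(32))
}

# Build the volume: metadata holds the wrapped VMK and the wrapped FVEK; "Sectors" is one
# constructed sector encrypted with the FVEK.
function New-ProtectedVolume([string]$Password) {
    $fvek   = New-RandomBytes 32
    $vmk    = New-RandomBytes 32
    $salt   = New-RandomBytes 16
    $pk     = Get-ProtectorKey $Password $salt
    $sector = [System.Text.Encoding]::UTF8.GetBytes('constructed sector contents: payroll.xlsx')
    $meta = @{ Salt = $salt; ClearVmk = $null }
    $meta.WrappedVmk  = Protect-Blob $pk $vmk     # VMK wrapped by the protector
    $meta.WrappedFvek = Protect-Blob $vmk $fvek   # FVEK wrapped by the VMK
    return @{ Metadata = $meta; Sectors = (Protect-Blob $fvek $sector) }
}

# "Disabling" in the sense this section describes: sectors stay encrypted with the FVEK, but the
# VMK is written into the metadata in clear, so no protector is needed any more.
function Suspend-ProtectedVolume([hashtable]$Volume, [string]$Password) {
    $pk = Get-ProtectorKey $Password $Volume.Metadata.Salt
    $Volume.Metadata.ClearVmk = Unprotect-Blob $pk $Volume.Metadata.WrappedVmk
}

# Unlock path the bootloader follows: clear VMK if present, otherwise unwrap it with the protector.
function Unlock-ProtectedVolume([hashtable]$Volume, [string]$Password = '') {
    if ($null -ne $Volume.Metadata.ClearVmk) {
        $vmk = $Volume.Metadata.ClearVmk
    } else {
        $pk  = Get-ProtectorKey $Password $Volume.Metadata.Salt
        $vmk = Unprotect-Blob $pk $Volume.Metadata.WrappedVmk
    }
    $fvek = Unprotect-Blob $vmk $Volume.Metadata.WrappedFvek
    return [System.Text.Encoding]::UTF8.GetString((Unprotect-Blob $fvek $Volume.Sectors))
}

$vol = New-ProtectedVolume -Password 'correct horse battery'
Unlock-ProtectedVolume $vol -Password 'correct horse battery'   # sector plaintext
try { Unlock-ProtectedVolume $vol -Password 'wrong' } catch { "locked: $($_.Exception.Message)" }
Suspend-ProtectedVolume $vol -Password 'correct horse battery'
Unlock-ProtectedVolume $vol                                     # no password needed while suspended
```

The last call succeeds with no protector at all, which is the whole point of the section: the sectors are still ciphertext, but the metadata now hands out the VMK to whoever reads it.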
BitLocker recovery key
In addition to the FVEK, VMK and SRK, BitLocker uses one more type of key, created “just in case”. These are recovery keys, and they are another popular attack vector. Users are afraid of forgetting their password and losing access to the system, and Windows itself recommends that they create an emergency way in. To this end, the BitLocker encryption wizard prompts you to create a recovery key at the last stage. Its creation cannot be declined; you can only choose one of the key export options, each of which is very vulnerable.
In the default settings the key is exported as a plain text file with a recognizable name, “BitLocker Recovery Key #”, where # is replaced by the computer ID (yes, right in the file name!). The key itself looks like this.
If you have forgotten (or never knew) your BitLocker password, simply look for the recovery key file. It will surely be saved among the current user’s documents or on his flash drive. It may even be printed on a piece of paper, as Microsoft recommends.
To locate a recovery key quickly, it is convenient to narrow the search by extension (txt), creation date (if you know roughly when BitLocker could have been enabled) and file size (1388 bytes if the file has not been edited). Once you find the recovery key, copy it. With it you can bypass standard BitLocker authorization at any time: just press Esc and enter the recovery key. You will log in without any problems and can even change the BitLocker password to a new one without supplying the old one!
Opening BitLocker
A real cryptographic system is a compromise between convenience, speed and reliability. It must provide transparent encryption with on-the-fly decryption, ways of recovering forgotten passwords, and convenient key handling. All of this weakens any system, no matter how strong the algorithms it is built on. So there is no need to look for vulnerabilities directly in the Rijndael algorithm or in the various schemes of the AES standard; it is far easier to find them in the specifics of a particular implementation.
In Microsoft's case there are plenty of such “specifics”. For example, copies of BitLocker keys are sent to SkyDrive and deposited in Active Directory by default.
Well, what if you lose them... or Agent Smith asks for them? It is inconvenient to keep a client waiting, and even more so an agent. For this reason, comparisons of the cryptographic strength of AES-XTS and AES-CBC with Elephant Diffuser fade into the background, as do recommendations to increase the key length. No matter how long the key is, the attacker will easily obtain it in unencrypted form.
Obtaining escrowed keys from a Microsoft account or from AD is the primary method of breaking BitLocker. If the user has not registered an account in the Microsoft cloud and his computer is not on a domain, there are still ways to extract the encryption keys. During normal operation, open copies of them are always kept in RAM (otherwise there would be no “transparent encryption”), which means they are present in a memory dump and in the hibernation file.
Why are they even stored there?
Funny as it may seem, for convenience. BitLocker was designed to protect against offline attacks only. Those are always accompanied by a reboot and by connecting the disk to another OS, which clears RAM. However, in the default settings the OS dumps RAM when a failure occurs (which can be provoked) and writes the entire contents of memory to the hibernation file every time the computer enters deep sleep. So if someone has recently logged into Windows with BitLocker enabled, there is a good chance of obtaining a decrypted copy of the VMK, using it to decrypt the FVEK, and then the data itself, along the chain.
Shall we check? All the BitLocker attack methods described above are collected in one program, Forensic Disk Decryptor, developed by the Russian company Elcomsoft. It can automatically retrieve encryption keys and mount encrypted volumes as virtual disks, decrypting them on the fly.
In addition, EFDD implements another non-trivial way of obtaining keys: an attack via the FireWire port, which is advisable when it is not possible to run your own software on the target computer. EFDD itself is always installed on our own computer, and on the computer being examined we try to take the minimum necessary steps.
For example, let us simply start a test system with BitLocker active and “quietly” take a memory dump, simulating a situation in which a colleague has gone out for lunch without locking his computer. We launch RAM Capture and in under a minute receive a complete dump in a .mem file whose size matches the amount of RAM installed in the victim's computer.
By and large it does not matter how you take the dump. Whatever the extension, the result is a binary file that EFDD will then analyze automatically in search of keys.
We write the dump onto a flash drive or transfer it over the network, after which we sit down at our computer and launch EFDD.
Select the “Extract keys” option and enter the path to the memory dump file as the key source.
BitLocker is a typical crypto container, like PGP Disk or TrueCrypt. These containers have proven quite reliable in themselves, but the client applications that work with them under Windows leave encryption keys lying around in RAM. EFDD therefore implements a universal attack scenario: the program instantly finds encryption keys for all three popular types of crypto container. So you can leave all the boxes checked, in case the victim secretly uses PGP too!
After a few seconds, Elcomsoft Forensic Disk Decryptor shows all found keys in its window. For convenience, you can save them to a file - this will be useful in the future.
Now BitLocker is no longer a problem! You can carry out a classic offline attack - for example, removing the hard drive and copying its contents. To do this, simply connect it to your computer and run EFDD in "decrypt or mount disk" mode.
After specifying the path to the files with the saved keys, EFDD will, at your choice, perform a full decryption of the volume or immediately open it as a virtual disk. In the latter case, files are decrypted as they are accessed. In any case, no changes are made to the original volume, so the next day you can return it as if nothing had happened. Working with EFDD occurs without a trace and only with copies of data, and therefore remains invisible.
BitLocker To Go
Starting with Windows 7, it became possible to encrypt flash drives, USB-HDDs and other external media. A technology called BitLocker To Go encrypts removable drives in the same way as local drives. Encryption is enabled using the appropriate item in the Explorer context menu.
For new drives you can encrypt only the used space: the free space of the partition is filled with zeros anyway, and there is nothing to hide there. If the drive has already been used, full encryption is recommended; otherwise the space marked as free remains unencrypted and may contain recently deleted files that have not yet been overwritten.
Even fast encryption of only the occupied area takes from several minutes to several hours. This time depends on the amount of data, interface bandwidth, drive characteristics, and the speed of cryptographic calculations of the processor. Because encryption is accompanied by compression, the free space on the encrypted disk usually increases slightly.
The next time you connect an encrypted flash drive to any computer running Windows 7 or higher, the BitLocker wizard will automatically be called to unlock the drive. In Explorer, before unlocking, it will be displayed as a locked disk.
Here you can use both the already discussed options for bypassing BitLocker (for example, searching for the VMK key in a memory dump or hibernation file), as well as new ones related to recovery keys.
If you don't know the password, but managed to find one of the keys (manually or using EFDD), then there are two main options for accessing the encrypted flash drive:
- use the built-in BitLocker wizard to directly work with a flash drive;
- use EFDD to completely decrypt the flash drive and create its sector-by-sector image.
The first option allows you to immediately access the files recorded on the flash drive, copy or change them, and also write your own. The second option takes much longer (from half an hour), but has its advantages. The decrypted sector-by-sector image allows you to further perform a more refined analysis of the file system at the forensic laboratory level. In this case, the flash drive itself is no longer needed and can be returned unchanged.
The resulting image can be opened immediately in any program that supports the IMA format, or first converted to another format (for example, using UltraISO).
Of course, in addition to detecting the recovery key for BitLocker2Go, EFDD also supports all other BitLocker bypass methods. Just go through all the available options in a row until you find a key of any type. The rest (up to FVEK) will be decrypted along the chain, and you will have full access to the disk.
Conclusion
BitLocker full-disk encryption technology differs between versions of Windows. After adequate configuration, it allows you to create crypto containers that are theoretically comparable in strength to TrueCrypt or PGP. However, the mechanism built into Windows for working with keys negates all algorithmic tricks. In particular, the VMK key used to decrypt the master key in BitLocker is recovered using EFDD in a few seconds from an escrowed duplicate, a memory dump, a hibernation file, or a FireWire port attack.
Once you have the key, you can perform a classic offline attack, quietly copy and automatically decrypt all the data on the “protected” drive. Therefore, BitLocker should only be used in conjunction with other security measures: Encrypting File System (EFS), Rights Management Service (RMS), Program Launch Control, Device Installation and Attachment Control, as well as more stringent local policies and general security measures.
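A defender's counterpart to this conclusion, as an added example (not from the article and not an Elcomsoft tool): a read-only PowerShell audit that reports, for the machine it runs on, the exposures the article enumerates. It assumes an elevated session on Windows with the built-in BitLocker module; the cmdlets and registry paths are standard Windows ones, the wording of the findings is this example's own.

```powershell
# Read-only audit of the BitLocker weak points discussed above (added example, not from the article).
# Run elevated on the machine being assessed. Each finding maps back to a section of the article.
function Get-BitLockerExposureReport {
    $findings = @()

    foreach ($v in Get-BitLockerVolume) {
        $types     = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $encrypted = "$($v.VolumeStatus)" -ne 'FullyDecrypted'

        # Encryption mode: Aes128/Aes256 are the CBC modes (diffuser long gone); XtsAes* arrived with build 1511.
        if ($encrypted -and "$($v.EncryptionMethod)" -notmatch '^XtsAes') {
            $findings += "$($v.MountPoint) uses $($v.EncryptionMethod), not XTS-AES"
        }
        # Protection off while still encrypted: the "instant disable" state, VMK readable in the metadata.
        if ($encrypted -and "$($v.ProtectionStatus)" -ne 'On') {
            $findings += "$($v.MountPoint) is encrypted but protection is $($v.ProtectionStatus) (VMK stored in clear)"
        }
        # TPM-only: the VMK is released at boot with no user secret, so the keys the article finds in RAM,
        # the hibernation file and crash dumps are reachable without any password.
        $hasUserSecret = @($types | Where-Object { $_ -in 'TpmPin', 'TpmKey', 'TpmPinKey' }).Count -gt 0
        if ("$($v.VolumeType)" -eq 'OperatingSystem' -and ($types -contains 'Tpm') -and -not $hasUserSecret) {
            $findings += "$($v.MountPoint) has a TPM-only protector; no PIN or startup key is required pre-boot"
        }
        # A recovery password is needed for recovery, but it must be escrowed, not kept in a text file.
        if ($encrypted -and -not ($types -contains 'RecoveryPassword')) {
            $findings += "$($v.MountPoint) has no recovery password protector"
        }
    }

    # The wizard's default export is a text file named 'BitLocker Recovery Key <id>.txt'. Report copies
    # left in user profiles so they can be escrowed (AD, Entra ID or a vault) and then removed.
    $keyFiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Force -Filter 'BitLocker Recovery Key*.txt' -ErrorAction SilentlyContinue
    foreach ($f in $keyFiles) {
        $findings += "plaintext recovery key file: $($f.FullName) ($($f.Length) bytes)"
    }

    # Hibernation file and crash dumps are copies of RAM, and so of the VMK/FVEK, written to disk. They
    # sit on the OS volume, so this matters when that volume unlocks without a user secret (TPM-only),
    # when protection is suspended, or when dumps are redirected to an unencrypted volume.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    if ($power.HibernateEnabled -eq 1) {
        $findings += 'hibernation is enabled (hiberfil.sys will hold in-memory keys)'
    }
    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
    if ($crash.CrashDumpEnabled -in 1, 2, 7) {
        $findings += "kernel or complete memory dumps are enabled (CrashDumpEnabled=$($crash.CrashDumpEnabled))"
    }

    return ,$findings
}

$report = Get-BitLockerExposureReport
if ($report.Count -eq 0) { 'no findings' } else { $report }
```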
The article uses materials from the site:
No one is at all surprised by the fact that purely personal information or corporate data of high value can be stored on a personal computer. It is undesirable if such information falls into the hands of third parties who can use it, causing serious problems for the former owner of the PC.
Depending on the circumstances, Bitlocker can be activated or deactivated.
It is for this reason that many users want to take some action to restrict access to all the files stored on the computer. Such a procedure does exist: once certain steps have been taken, no outsider who does not know the password or the key for recovering it will be able to access the documents.
You can protect important information from third parties by encrypting your drive with BitLocker. This ensures complete confidentiality of the documents not only on the specific PC but also if someone removes the HDD and installs it in another computer.
Algorithm for enabling and disabling the function
BitLocker disk encryption works in Windows 7, 8 and 10, but not in every edition. It is also assumed that the motherboard of the computer on which the user wants to perform encryption has a TPM module.
ADVICE. Do not be upset if you know for certain that your motherboard has no such module. There are tricks that allow this requirement to be “ignored” and encryption to be enabled without one.
Before you begin the process of encrypting all files, it is important to note that this procedure is quite lengthy. It is difficult to give an exact amount of time in advance. It all depends on how much information is on the hard drive. During the encryption process, Windows 10 will continue to work, but it is unlikely to be able to please you with its performance, since the performance indicator will be significantly reduced.
Enabling the feature
If Windows 10 is installed on your computer and you want to enable data encryption, use our tips so that you not only succeed but also find the process easy. First, find the “Win” key on your keyboard (it usually carries the Windows logo), hold it down and press “R” at the same time. Pressing these two keys together opens the Run window.
In the window that opens you will find an empty field in which to enter “gpedit.msc”. After clicking “OK”, a new window, the “Local Group Policy Editor”, opens. In this window we have only a short way to go.
On the left side of the window, find and click “Computer Configuration”; in the submenu that opens, find “Administrative Templates”, and in the next submenu go to the first option in the list, “Windows Components”.
Now turn to the right side of the window, find “BitLocker Drive Encryption” and double-click it. A new list opens, in which your next target is “Operating System Drives”. Click this line too; one more step brings you to the window where BitLocker itself is configured and can be turned on, which is exactly what you want.
Find the line “This policy setting allows you to configure the requirement for additional authentication at startup” and double-click to open it. In the window that opens you will find the word “Enable”; select the option next to it to give your consent.
Just below in this window there is a “Platforms” subsection; in it, check the box next to the option to use BitLocker without a special module. This is very important if your Windows 10 computer has no TPM.
Configuration of the desired function is completed in this window, so you can close it. Now right-click the “Windows” icon to open an additional menu. In it you will find “Control Panel”; go there, and then to “BitLocker Drive Encryption”.
Be sure to indicate where you want the encryption to take place: this can be done for both hard and removable drives. After selecting the desired drive, click “Turn on BitLocker”.
Windows 10 will now start an automatic process, occasionally calling for your attention and asking you to make a choice. It is, of course, best to make a backup before undertaking such a process; otherwise, if the password and its recovery key are lost, even the PC's owner will be unable to recover the information.
Next, the disk is prepared for the subsequent encryption. While this is running you must not turn off the computer, as doing so can seriously damage the operating system. After such a failure you simply will not be able to start Windows 10, and instead of encrypting you will have to install a new operating system and waste extra time.
As soon as disk preparation is complete, the actual setup of the disk for encryption begins. You will be prompted to enter a password, which will later give access to the encrypted files, and you will also be asked to create and save a recovery key. Both of these important items are best kept in a safe place, preferably printed. Storing the password and recovery key on the PC itself is very foolish.
During the encryption process the system may ask which part specifically you want to encrypt. It is best to encrypt the entire disk space, although there is an option to encrypt only the used space.
All that remains is to select “New encryption mode” and then run the BitLocker system check. The system will then continue the process and prompt you to restart your PC. Do so, of course, and reboot.
After the next Windows 10 startup you will see that access to the documents is impossible without entering the password. The encryption process continues in the background; you can monitor it by clicking the BitLocker icon in the notification area.
Disabling the feature
If for some reason the files on your computer are no longer of high importance, and you don’t really like entering a password every time to access them, then we suggest that you simply disable the encryption function.
To do this, go to the notification area, find the BitLocker icon there and click it. At the bottom of the window that opens you will find “Manage BitLocker”; click it.
Now the system will prompt you to choose which action is preferable for you:
- archive the recovery key;
- change the password for accessing encrypted files;
- remove a previously set password;
- disable BitLocker.
Of course, if you decide to disable BitLocker, you should choose the last option offered. A new window will immediately appear on the screen, in which the system will want to make sure that you really want to disable the encryption function.
ATTENTION. As soon as you click on the “Disable BitLocker” button, the decryption process will begin immediately. Unfortunately, this process is not characterized by high speed, so you will definitely have to prepare yourself for some time, during which you will simply have to wait.
Of course, if you need to use the computer at this point, you can; there is no categorical prohibition. However, be prepared for PC performance to be extremely low. The reason for the slowness is easy to understand: the operating system has to decrypt a huge amount of information.
So, if you want to encrypt or decrypt files on your computer, you just need to read our recommendations, then without haste carry out each step of the indicated algorithm, and upon completion, rejoice at the result achieved.
There are many ways to encrypt your personal data, more specifically with third-party software. But why, when there is BitLocker from Microsoft? Unfortunately, some people have problems recovering files after BitLocker encryption. When encrypting with BitLocker you have to create a special recovery key; it needs to be saved, and it does not matter where, as long as the place is secure. You can print it or save it to an account, not a local one but a Microsoft one. If the disk does not unlock by itself, you need to use this key; there is no other way.
But there are also cases when the key is lost. What then? Sometimes you may forget your login password, which makes decryption extremely difficult. Let us try to go through all these problems and understand what to do. This article should help you solve problems with BitLocker.
What to do with the recovery key, what if it is lost?
The human factor being what it is, memory fails us exactly when we need it most. If you have forgotten where you put the recovery key, remember how you saved it in BitLocker. The utility offers three ways to save the key: printing it, saving it to a file and saving it to an account. In any case, you had to choose one of these.
So, if you saved the key in your account, then you need to go to OneDrive from the browser and enter the section "BitLocker Recovery Keys". Log in to the system with your credentials. The key will definitely be there, provided that you uploaded it there. If it's not there, maybe you saved it in another account?
It happens that a user creates more than one key, then you can determine a specific one using the identifier in the BitLocker utility and compare it with the one from the key; if they match, then this is the correct key.
If your computer doesn't want to boot into the system due to BitLocker?
Suppose you have encrypted the system disk and a problem occurs in which the system refuses to unlock; then there is probably some problem with the TPM module, which should unlock the system automatically. If that is indeed the case, a screen will appear that says: and you will be asked to enter the recovery key. And if you do not have it because you lost it, you will hardly be able to log into the system; most likely only reinstalling the system will help. So far I do not know how to unlock BitLocker without a key, but I will try to study this issue.
How to unlock BitLocker encrypted drives in Windows?
If you have a couple of partitions or external hard drives encrypted with BitLocker that need to be unlocked, here is how to do it.
Connect the device to the PC (if it is external). Launch the Control Panel (you can open it from the search box) and go to the "System and Security" section. There, find the "BitLocker Drive Encryption" section. Note that this operation can only be performed on the PRO editions, so keep that in mind.
In the list, find the encrypted disk that you need to unlock and click "Unlock disk" next to it.
Now enter the unlock data (PIN or password). Don't have this data, or don't remember it? Then click "Extra options" and select the item.
In conclusion, I want to say one thing. If you lose your password or PIN code, you can always restore access to the drive using the recovery key. Store it in a safe place and always remember where it is. If you have lost this key, you can say goodbye to your data. So far I have not found a method to decrypt BitLocker without the key.
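The identifier matching and the unlock step described above, as an added PowerShell example that is not part of the original article. It assumes the locked volume is E:, that the recovery keys were saved as the usual text files in the user's Documents folder, and that it runs in an elevated session; the helper names are made up here.

```powershell
# Added example: match a saved recovery key file to a locked BitLocker volume
# by its key protector identifier, then unlock the volume. Run as Administrator.
# Assumptions (not from the article): volume E:, key .txt files in Documents.

function Get-RecoveryKeyIds {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Each recovery password protector carries a GUID; the unlock prompt shows
    # the first characters of this GUID as the "identifier".
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { $_.KeyProtectorId.Trim('{}') }
}

function Find-MatchingKeyFile {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$Folder   # where the saved key files are
    )
    $ids = Get-RecoveryKeyIds -MountPoint $MountPoint
    foreach ($file in Get-ChildItem -Path $Folder -Filter '*.txt') {
        $text = Get-Content -Path $file.FullName -Raw
        foreach ($id in $ids) {
            # The saved file lists the full identifier GUID and the key.
            if ($text -match [regex]::Escape($id)) {
                # The recovery password is 48 digits in eight groups of six.
                if ($text -match '(\d{6}-){7}\d{6}') {
                    return [pscustomobject]@{
                        File = $file.FullName; Id = $id; Key = $Matches[0]
                    }
                }
            }
        }
    }
    return $null   # no file on disk matches this volume's identifiers
}

$match = Find-MatchingKeyFile -MountPoint 'E:' -Folder "$env:USERPROFILE\Documents"
if ($null -eq $match) { throw 'No saved key matches this volume identifier.' }
"Using $($match.File) (identifier $($match.Id))"
Unlock-BitLocker -MountPoint 'E:' -RecoveryPassword $match.Key

# To remove the protection entirely (the "Disable BitLocker" step for a
# flash drive) once the volume is unlocked:
# Disable-BitLocker -MountPoint 'E:'
```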
BitLocker encryption technology first appeared ten years ago and has changed with every version of Windows. However, not all changes in it were designed to increase cryptographic strength. In this article, we will take a closer look at different versions of BitLocker (including those pre-installed in the latest builds of Windows 10) and show how to bypass this built-in protection mechanism.
Offline attacks
BitLocker technology was Microsoft's response to the growing number of offline attacks, which were especially easy to carry out against Windows computers. Anyone could feel like a hacker: just turn off the nearest computer and boot it again, this time with their own OS and a portable set of utilities for finding passwords, extracting confidential data and dissecting the system.
At the end of the working day, you can even organize a small crusade with a Phillips screwdriver - open the computers of departed employees and pull out the drives from them. That same evening, in a quiet home environment, the contents of the extracted disks can be analyzed (and even modified) in a thousand and one ways. The next day, just come early and return everything to its place.
However, there is no need to open other people's computers right at the workplace. A lot of confidential data leaks when old computers are recycled and drives are replaced. In practice, very few people perform secure erasure or low-level formatting of decommissioned disks. What can stop young hackers and collectors of digital carrion?
As Bulat Okudzhava sang: “The whole world is made of restrictions, so as not to go crazy with happiness.” The main restrictions in Windows are set at the level of access rights to NTFS objects, which do not protect against offline attacks. Windows simply checks read and write permissions before processing any commands that access files or directories. This method is quite effective as long as all users work in a system configured by the administrator with limited accounts. However, as soon as you boot into another operating system, not a trace will remain of such protection. The user will reassign access rights or simply ignore them by installing another file system driver.
There are many complementary methods to counter offline attacks, including physical security and video surveillance, but the most effective ones require the use of strong cryptography. Bootloader digital signatures prevent foreign code from running, and the only way to truly protect the data on your hard drive itself is to encrypt it. Why has full disk encryption been missing from Windows for so long?
From Vista to Windows 10
There are a lot of different people working at Microsoft, and not all of them write careless code. Alas, the final decisions in software companies have long been made not by programmers but by marketers and managers. The only thing they really consider when developing a new product is sales volume: the easier it is for a housewife to understand the software, the more copies of it will be sold.
"Just think, half a percent of clients are concerned about their security! The operating system is already a complex product, and here you are scaring the target audience with encryption. We can do without it! We managed before!" Microsoft's top management could have reasoned roughly this way until XP became popular in the corporate segment. By then too many administrators were thinking about security for their opinion to be discounted. Therefore, the long-awaited volume encryption appeared in the next version of Windows, but only in the Enterprise and Ultimate editions, which are aimed at the corporate market.
The new technology is called BitLocker. This was probably the only good thing about Vista. BitLocker encrypted the entire volume, making user and system files unreadable, bypassing the installed OS. Important documents, cat photos, registry, SAM and SECURITY - everything turned out to be unreadable when performing an offline attack of any kind. In Microsoft terminology, a “volume” is not necessarily a disk as a physical device. A volume can be a virtual disk, a logical partition, or vice versa - a combination of several disks (a spanned or striped volume). Even a simple flash drive can be considered a connectable volume, for end-to-end encryption of which, starting with Windows 7, there is a separate implementation - BitLocker To Go (for more details, see the sidebar at the end of the article).
With the advent of BitLocker, booting a third-party OS became harder, since all bootloaders received digital signatures. However, a workaround is still possible thanks to Compatibility Mode: switch the boot mode in the BIOS from UEFI to Legacy, disable the Secure Boot function, and the good old bootable flash drive comes in handy again.
How to use BitLocker
Let's look at the practical part using Windows 10 as an example. In build 1607, BitLocker can be enabled through the Control Panel (section "System and Security", subsection "BitLocker Drive Encryption").
However, if the motherboard does not have a TPM crypto processor version 1.2 or later, BitLocker cannot be enabled out of the box. To activate it, open the local group policy editor (gpedit.msc), expand the branch "Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives" and open the policy described as "This policy setting allows you to configure the requirement for additional authentication at startup." In it, find the setting "Allow BitLocker without a compatible TPM..." and enable it.
In the adjacent sections of local policies, you can specify additional BitLocker settings, including the key length and AES encryption mode.
After applying the new policies, return to the control panel and follow the instructions of the encryption setup wizard. For additional protection, you can choose to enter a password or connect a specific USB flash drive.
Although BitLocker is considered a full-disk encryption technology, it allows partial encryption of only the occupied sectors. This is faster than encrypting everything, but the method is considered less secure, not least because deleted but not yet overwritten files remain available for direct reading for some time.
After setting all the parameters, all that remains is to reboot. Windows will require you to enter a password (or insert a USB flash drive), and then will start normally and begin the background process of encrypting the volume.
Depending on the selected settings, disk size, processor frequency and its support for individual AES commands, encryption can take from a couple of minutes to several hours.
After this process is completed, new items will appear in the Explorer context menu: changing your password and quickly going to BitLocker settings.
Please note that all actions except changing the password require administrator rights. The logic here is simple: since you have successfully logged into the system, it means you know the password and have the right to change it. How reasonable is this? We'll find out soon!
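The setup procedure above (the "no compatible TPM" policy, the key length and AES mode, the choice between used-space-only and full encryption, and saving a recovery key to a file) as one added PowerShell script. It is not the article's own code; it assumes the OS volume is C:, that D:\keys exists for the key backup, and that the two registry values under the FVE policy key are the ones gpedit.msc writes for this setting (a documented mapping, stated here as an assumption).

```powershell
# Added example: enable BitLocker on the OS volume the way the Control Panel
# wizard does, but from an elevated PowerShell. Assumptions (not from the
# article): OS volume C:, backup folder D:\keys, machine may lack TPM 1.2+.

$tpmPresent = $false
try { $tpmPresent = (Get-Tpm).TpmPresent } catch { $tpmPresent = $false }

if (-not $tpmPresent) {
    # Same effect as enabling "Allow BitLocker without a compatible TPM" under
    # Computer Configuration > ... > BitLocker Drive Encryption > Operating
    # System Drives in gpedit.msc (policy registry path assumed here).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    gpupdate /force | Out-Null
}

# Key length and AES mode (the "adjacent sections" of the policy): XTS-AES 256
# instead of the 128-bit default. No -UsedSpaceOnly, so the whole volume is
# encrypted and deleted-but-not-overwritten sectors are not left readable.
if ($tpmPresent) {
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest
} else {
    # Without a TPM the wizard asks for a pre-boot password or a USB key;
    # the password variant is used here.
    $password = Read-Host -AsSecureString -Prompt 'Pre-boot password'
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $password -SkipHardwareTest
}

# Add a recovery password and save it to a file (the "save to a file" option),
# so that a lost PIN or password does not mean lost data.
$vol   = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$proto = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
$id    = $proto.KeyProtectorId.Trim('{}')
"Identifier: $id`nRecovery Key: $($proto.RecoveryPassword)" |
    Set-Content -Path "D:\keys\BitLocker-Recovery-Key-$id.txt"

# Encryption runs in the background after the next reboot; check progress with:
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod
```

Keep the generated key file off the encrypted volume itself, otherwise it is as inaccessible as the data it is meant to recover.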
And protect sensitive data. We set the password using the standard Windows tool, BitLocker. This is a very strong encryption system that helps prevent unauthorized access to the information on your flash drive. If you want to put a password on a flash drive, I would recommend this method.
But many users put a password on a flash drive that is the only one in the house and is used for all kinds of tasks: someone plays music from it in the car, someone watches movies on the TV or plugs it into a game console. After the data is encrypted with BitLocker, all of these uses become impossible, which means you will need to disable BitLocker and unlock the flash drive. But how do you disable BitLocker, and can it be done with built-in Windows tools?
Yes, you can disable data encryption on a flash drive, and it is quite simple. If you don't know how, here are simple and clear instructions. The data does not need to be deleted or copied to a computer before decryption: all of it stays on the flash drive, only the protection is removed.
How to disable BitLocker:
- Insert the flash drive into your computer, open it and enter the password to gain access to its contents. Now go to the Control Panel: either through Start, or by pressing Win+R and entering the "control" command in the box that appears.
- In the Control Panel, go to the "System and Security" menu.
- Find and select "BitLocker Drive Encryption".
- Find the flash drive that is protected with a password. Next to it you will see the "Disable BitLocker" option, which you must select.
- Wait until the disk is decrypted. The procedure can take a long time, depending on how much data is on the disk. After it is completed, the protection is removed from the flash drive and you can use it normally.