Crack BitLocker Password

As explained in “Should you pull the plug?” and “BitLocker Forensics” you should always capture the RAM of a live system. If there is a BitLocker volume mounted there is a good chance you will be able to extract the key from the memory. In this post, I will explain how to extract the key from a RAM dump using Passware Recovery Kit Forensic.

A BitLocker PIN will not stop the system from booting from other media if the BIOS allows it; the PIN is used to decrypt the drive at system start-up. Booting the system from a password-reset stick or CD will work, but it will not be able to recover account passwords from the BitLocker-encrypted drive. As for inconvenience/security feature. BitCracker - BitLocker Password Cracking Tool (Windows Encryption Tool): BitLocker is a full-disk encryption feature available in recent Windows versions (Vista, 7, 8.1 and 10) Pro and Enterprise. BitCracker is a mono-GPU password cracking tool for memory units encrypted with the password authentication mode of BitLocker (see picture below).

In BitLocker Forensics I explained how you can export the recovery key on a live system. But there are times when you might not be able to export the key (e.g. the system is locked down in some way) but you are still able to capture the RAM. The RAM capture contains a lot of information, including the BitLocker keys. There are quite a few tools on the market that are able to extract the key from a RAM capture. In this post, I will be using Passware Recovery Kit Forensic. It’s an affordable sub-$1000 solution and it’s easy to use. As a disclaimer, let me state that I am not affiliated with Passware and their products in any way.

In the main screen of PRKF there are several recovery options; in order to extract the key from a memory dump we need to choose “Full Disk Encryption”.

PRKF supports several popular encryption methods. This includes:

  • BitLocker
  • TrueCrypt
  • VeraCrypt
  • PGP Whole Disk Encryption
  • FileVault
  • Apple Disk Utility Encryption
  • LUKS

The one we are interested in is BitLocker, so we select the “BitLocker” option.

In the next window, we need to select a few things. First, we need to select the BitLocker volume image file. This should be the image of the encrypted disk; in this example, I am using an encrypted VHD (Virtual Hard Disk) file. Secondly, we need to choose our memory image. It is possible the extension isn’t recognized by default; if so, select “All Files (*.*)” when browsing for the image file.

Note the bottom option for a Brute-force attack. Even when you are using a high-end system this attack will be too slow to be a viable way to attack a good BitLocker password. When you click “Next” the attack will start.


On my system, with an i7-6700K and a GTX 1060, the attack takes just under 2 minutes to complete. Please note that both AMD and NVIDIA cards are supported for GPU acceleration. I highly recommend getting high-end NVIDIA cards if you need to crack passwords on a regular basis.

After 1 minute and 43 seconds, the attack has completed and the key is revealed. This key can now be used to access the BitLocker volume.

Please note that the amount of time needed for extracting the key depends on the size of the volume, the size of the RAM capture and the hardware of the machine running PRKF.

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining or XTS mode with a 128-bit or 256-bit key.

How To Crack BitLocker Password

We use BitCracker for this purpose.

After cloning the repository and building it, the executable binary is in the build folder.

Copy the image of the BitLocker-protected drive into that folder and extract the password hash from it.

This produces two files, hash_user_pass.txt and hash_recv_pass.txt.

Software To Crack BitLocker Password

We have to crack hash_user_pass.txt to recover the password. We will use John the Ripper for this purpose.

Crack BitLocker Recovery Password

If the password is common and present in the wordlist, we are able to crack the password for the drive.