BYPASSING LOCAL WINDOWS AUTHENTICATION TO DEFEAT FULL DISK ENCRYPTION presented at BlackHatEU 2015

by Ian Haken,

Summary : In 2007, starting with Windows Vista, Microsoft began shipping a full disk encryption feature named BitLocker with professional and enterprise versions of Windows. Full disk encryption helps protect users from threats that include physical access. This can, for example, prevent the exposure of proprietary information and account credentials if a company laptop is lost, stolen, or even left temporarily accessible to an attacker.
Under the hood, BitLocker utilizes a system's Trusted Platform Module (TPM) to store the secret key used for full disk encryption, and is able to use the features of the TPM to safely provide transparent, passwordless decryption of the disk on boot. Because BitLocker can work transparentlywithout any extra passwords or prompts on bootmany enterprises have opted to enable this form of full disk encryption as a part of their data loss prevention strategy.
However, in this presentation, I will demonstrate how one can abuse physical access in order to bypass Windows authenticationthus accessing all of a user's dataeven when the disk is fully encrypted by BitLocker. This platform-independent attack effectively bypasses all of the protection offered by BitLocker, reliably and quickly allowing an attacker to retrieve all of the sensitive data on the machine, all without having to perform any cryptographic brute-forcing or hardware manipulation.