Memory dump tool? Experience in dumping RAM?

An RDP computer in our environment updated its OS and now is failing to boot. It was BitLocker encrypted and unfortunately the key had been lost. This of course was a bit of a dead end, but it got me interested in learning more about BitLocker encryption and methods of attack.

A few articles and cups of coffee later and now I want to learn more about cold boot attacks. The Volume Master Key (VMK) is stored in RAM upon boot, so it can be validated against user input. Apparently it is possible to perform a RAM dump from which you can extract the VMK. And bingo, you should be able to enter said key and access WinRE. Pray to the computer gods 💾 and do some update rollbacks or restores to try to unfudge the OS.

In the articles and videos I've seen it's claimed they can cool down the RAM to prevent data decay and quickly insert it into another device to perform the dump. Sounds a little complicated to perform, but heck, I'd be willing to try on an old machine of mine.

Does anyone have experience with this type of thing? It's not a necessity to fix this user's computer; it just sparks my interest to learn more. It seems like a sensible enough need for there to be a tool in existence already. I imagine a stick of RAM with a direct interface to an external machine, but haven't come across any.

submitted by /u/Sloqwerty

from hacking: security in practice https://ift.tt/eZKcTGd
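The "extract the key from a RAM dump" step the post asks about, as an added example that is not part of the original post and not a BitLocker-specific recovery tool: it is the generic AES key-schedule search described in Halderman et al., "Lest We Remember: Cold Boot Attacks on Encryption Keys" (USENIX Security 2008) and implemented by tools such as aeskeyfind. Any software AES implementation that keeps an expanded key schedule in memory leaves a self-consistent 176-byte (AES-128) or 240-byte (AES-256) structure behind. The scanner slides a window over the dump, treats each window as a candidate key, expands it and checks whether the following bytes are the rest of that schedule; a Hamming-distance threshold tolerates the bit flips DRAM decay introduces during a cold boot capture. Where exactly BitLocker's VMK sits in memory and how it is wrapped is not covered here, so this is a demonstration of the search technique, not a guide to a specific Windows build. The dump is a constructed buffer (random filler plus the FIPS-197 test keys, with three bits flipped in one schedule to simulate decay); the function and variable names are this example's own.

```python
"""Locate AES keys in a memory image by finding their expanded key schedules.

Added example (not from the original post). Implements the key-schedule
search from the cold boot paper (Halderman et al., 2008): expand every
window of the dump as if it were an AES key and see whether the bytes
that follow are the matching round keys. A bit-error budget lets the scan
survive the partial decay of an imperfect cold boot capture.
"""
import random

# AES S-box (FIPS-197 Figure 7) as a 256-byte lookup table.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_words(key):
    """Yield, one 4-byte word at a time, the round-key words that follow `key`
    in an AES key schedule (FIPS-197 section 5.2). Lazy so a scanner can stop
    as soon as the dump stops matching."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    words = [key[i:i + 4] for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (nk + 7)):          # 4*(Nr+1) words, Nr = Nk+6
        temp = words[i - 1]
        if i % nk == 0:
            rotated = temp[1:] + temp[:1]       # RotWord
            temp = bytes(SBOX[b] for b in rotated)  # SubWord
            temp = bytes([temp[0] ^ RCON[i // nk - 1]]) + temp[1:]
        elif nk > 6 and i % 4 == 0:             # extra SubWord for AES-256
            temp = bytes(SBOX[b] for b in temp)
        word = bytes(a ^ b for a, b in zip(words[i - nk], temp))
        words.append(word)
        yield word


def expand_key(key):
    """Full key schedule: the key followed by all derived round-key words."""
    return bytes(key) + b"".join(expand_key_words(key))


def schedule_length(key_len):
    return 16 * (key_len // 4 + 7)              # 176 for AES-128, 240 for AES-256


def bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes_keys(dump, key_lengths=(16, 32), max_bit_errors=0):
    """Return (offset, key_hex, bit_errors) for every window of `dump` whose
    expansion matches the bytes after it within `max_bit_errors` flipped bits.
    Bit errors inside the key bytes themselves are not corrected here; the
    paper reconstructs those from the redundancy of the schedule."""
    hits = []
    for klen in key_lengths:
        slen = schedule_length(klen)
        for off in range(len(dump) - slen + 1):
            cand = dump[off:off + klen]
            if len(set(cand)) < 4:              # skip zero fill and other low-entropy windows
                continue
            errs, pos = 0, off + klen
            for word in expand_key_words(cand):
                errs += bit_errors(word, dump[pos:pos + 4])
                if errs > max_bit_errors:       # errors only accumulate, so bail early
                    break
                pos += 4
            else:                               # every round key matched within budget
                hits.append((off, cand.hex(), errs))
    return hits


# Constructed sample: random filler with two schedules planted in it.
KEY128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
KEY256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                       "1f352c073b6108d72d9810a30914dff4")  # FIPS-197 A.3 key


def build_sample_dump(seed=7):
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(2048))
    dump[300:300 + 176] = expand_key(KEY128)                 # intact schedule
    decayed = bytearray(expand_key(KEY256))
    for bit in (300, 777, 1600):                             # simulated DRAM decay, outside the key bytes
        decayed[bit // 8] ^= 1 << (bit % 8)
    dump[1200:1200 + 240] = decayed
    return bytes(dump)


if __name__ == "__main__":
    image = build_sample_dump()
    print("exact match only:", find_aes_keys(image))
    print("up to 6 bit errors:", find_aes_keys(image, max_bit_errors=6))
```

The strict scan reports only the intact AES-128 schedule at offset 300; with a budget of six bit errors the decayed AES-256 schedule at offset 1200 is reported too, with its three flipped bits counted. In a real capture you would run this over the whole image and then try each recovered key against the volume, and keep the error budget small: a window that starts one round key into a genuine schedule already matches its first round within a handful of bits, so a generous threshold produces shifted near-duplicates.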
