For example, we will take a test system with BitLocker enabled and "imperceptibly" make a memory dump. This simulates a situation in which a colleague has gone out for lunch without locking his computer.
We run RAM Capture (link, paid version) and in less than a minute we get a full dump in a file with the .mem extension, its size matching the amount of RAM installed in the victim's computer.
Which tool you use to take the dump makes, by and large, no difference. Regardless of the extension, the result is a binary file, which EFDD will then analyze automatically in search of keys.
We write the dump to a USB flash drive or transfer it over the network, then sit down at our own computer and run EFDD.
- Select the "Extract keys" option and enter the path to the file with the memory dump as the key source.
BitLocker is a typical crypto container, like PGP Disk or TrueCrypt. The containers themselves have turned out to be quite reliable, but the client applications that work with them under Windows leave encryption keys lying around in RAM. EFDD therefore implements a universal attack scenario: the program instantly finds encryption keys for all three popular types of crypto container. So you can leave all the items checked, in case the victim secretly uses TrueCrypt or PGP!
After a few seconds, EFDD (Elcomsoft Forensic Disk Decryptor) shows all the keys it found in its window. For convenience, you can save them to a file; this will be useful later.
Now BitLocker is no longer an obstacle. You can conduct a classic offline attack: for example, remove a colleague's hard drive and copy its contents. To do this, simply connect it to your computer and run EFDD in "decrypt or mount disk" mode.
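The whole scenario above rests on one condition: a BitLocker volume that is currently unlocked on a machine whose session is left open, so the volume key is sitting in RAM. The following PowerShell script is an added example, not part of the original article and not an Elcomsoft tool; it audits a Windows host for the settings that make that condition likely. It assumes the BitLocker PowerShell module is installed and that it runs elevated; the cmdlet and registry value names are real Windows ones, while the 900-second idle threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original article): audit a Windows host for the
# conditions that make a memory-dump key recovery cheap, from a defender's side.
# Assumes: BitLocker module present, elevated session. Threshold is an assumption.

function Get-BitLockerExposureReport {
    [CmdletBinding()]
    param(
        # Maximum acceptable idle time before the session locks, in seconds (assumed threshold).
        [int]$MaxIdleSeconds = 900
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. While an encrypted volume is unlocked, its full-volume encryption key is resident in RAM,
    #    which is exactly what a memory dump of the running system captures.
    $volumes = Get-BitLockerVolume -ErrorAction Stop
    foreach ($v in $volumes) {
        if ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.LockStatus -eq 'Unlocked') {
            $findings.Add("Volume $($v.MountPoint) is encrypted but unlocked; its key is resident in memory.")
        }
        if ($v.ProtectionStatus -ne 'On') {
            $findings.Add("Volume $($v.MountPoint) protection is '$($v.ProtectionStatus)' (suspended or off).")
        }
    }

    # 2. "Interactive logon: Machine inactivity limit" policy. An unattended, unlocked session is the
    #    precondition for the walk-up dump described in the article.
    $sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $idle = (Get-ItemProperty -Path $sysPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $idle -or $idle -gt $MaxIdleSeconds) {
        $findings.Add("No inactivity lock, or the limit exceeds $MaxIdleSeconds s (current value: '$idle').")
    }

    # 3. Sleep (S3) keeps RAM powered, so keys survive in memory; hibernation writes memory to the
    #    (encrypted) disk and powers RAM off, so a hibernated laptop does not carry keys in RAM.
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = (Get-ItemProperty -Path $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    if ($hib -ne 1) {
        $findings.Add('Hibernation is disabled; consider "powercfg /hibernate on" and a power plan that hibernates rather than sleeps.')
    }

    return $findings
}

# Run the audit and print either the findings or a clean result.
$report = Get-BitLockerExposureReport
if ($report.Count -eq 0) { 'No findings.' } else { $report }
```

A clean report does not mean the attack is impossible, only that the cheap version (walk up to an unlocked machine, dump RAM) is no longer on the table; the check on unlocked volumes will always fire on a machine that is in use, which is the point: that state is where the key lives, so the compensating controls are the lock timeout and what happens to the machine when it is left alone.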