As explained in “Should you pull the plug?” and “BitLocker Forensics”, you should always capture the RAM of a live system. If a BitLocker volume is mounted (that is, unlocked) at the time of the capture, there is a good chance you will be able to extract its key from memory. In this post, I will explain how to extract the key from a RAM dump using Passware Recovery Kit Forensic.
In BitLocker Forensics I explained how you can export the recovery key on a live system. But there are times when you might not be able to export the key (e.g. the system is locked down in some way) but you are still able to capture the RAM. A RAM capture contains a lot of information, including the BitLocker keys of any volume that was unlocked at capture time. There are quite a few tools on the market that are able to extract the key from a RAM capture. In this post, I will be using Passware Recovery Kit Forensic. It’s an affordable sub-$1000 solution and it’s easy to use. As a disclaimer, let me state that I am not affiliated with Passware and their products in any way.
In the main screen of PRKF there are several recovery options; to extract the key from a memory dump we need to choose “Full Disk Encryption”.
PRKF supports several popular full disk encryption products. These include:
- PGP Whole Disk Encryption
- Apple Disk Utility Encryption
The one we are interested in is BitLocker, so we select the “BitLocker” option.
In the next window, we need to select a few things. First, we need to select the BitLocker volume image file. This should be the image of the encrypted disk; in this example, I am using an encrypted VHD (Virtual Hard Disk) file. Secondly, we need to choose our memory image. The extension of the memory image may not be recognized by default, so you might want to select “All Files (*.*)” when browsing for the image file.
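Before handing the disk image to PRKF (or any other tool), it is worth checking that the file you selected really is a BitLocker volume and that the volume starts where you think it does. The following is an added example, not code from the original post or from Passware: it parses the first sector of a Windows 7 and later BitLocker volume (the “-FVE-FS-” signature at offset 3, the BitLocker identifier GUID at offset 0xA0 and the three FVE metadata block offsets at 0xB0, as documented by libbde and dislocker) and can also scan a whole raw image for volume starts, which is useful when the VHD contains a partition table and the volume does not begin at offset 0. The sample sector and image are constructed inline; the function names and the `volume_offset` parameter are my own.

```python
import struct
import uuid

# Windows 7+ BitLocker volume header constants (libbde / dislocker documentation).
BITLOCKER_SIGNATURE = b"-FVE-FS-"                       # bytes 3..10 of the boot sector
BITLOCKER_GUID_WIN7 = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")  # bytes 0xA0..0xAF
SECTOR = 512


def parse_bitlocker_header(sector: bytes) -> dict:
    """Parse the boot sector of a BitLocker volume and return its key fields.

    Raises ValueError if the sector does not carry the BitLocker signature,
    which usually means the selected file is not a raw volume image or the
    volume offset inside the disk image is wrong.
    """
    if len(sector) < SECTOR:
        raise ValueError("need at least the first 512 bytes of the volume")
    if sector[3:11] != BITLOCKER_SIGNATURE:
        raise ValueError("no -FVE-FS- signature at offset 3: not a BitLocker volume start")

    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    guid = uuid.UUID(bytes_le=bytes(sector[0xA0:0xB0]))
    # Three copies of the FVE metadata block; all three should normally be valid.
    metadata_offsets = struct.unpack_from("<QQQ", sector, 0xB0)

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "guid": str(guid),
        "known_guid": guid == BITLOCKER_GUID_WIN7,
        "metadata_offsets": metadata_offsets,
    }


def scan_for_bitlocker_volumes(image: bytes, sector_size: int = SECTOR) -> list:
    """Return byte offsets of every sector in a raw image that starts a BitLocker volume.

    Intended for images of whole disks (e.g. a fixed-size VHD, which is the raw
    disk followed by a 512-byte "conectix" footer) where the volume starts at a
    partition offset rather than at 0.
    """
    hits = []
    for offset in range(0, len(image) - sector_size + 1, sector_size):
        if image[offset + 3:offset + 11] == BITLOCKER_SIGNATURE:
            hits.append(offset)
    return hits


def parse_image_file(path: str, volume_offset: int = 0) -> dict:
    """Read the boot sector of the volume at volume_offset inside a raw image file."""
    with open(path, "rb") as fh:
        fh.seek(volume_offset)
        return parse_bitlocker_header(fh.read(SECTOR))


def build_sample_sector() -> bytes:
    """Constructed sample boot sector (not taken from a real volume)."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x58\x90"                         # jump instruction
    sec[3:11] = BITLOCKER_SIGNATURE
    struct.pack_into("<HB", sec, 0x0B, 512, 8)        # 512 bytes/sector, 8 sectors/cluster
    sec[0xA0:0xB0] = BITLOCKER_GUID_WIN7.bytes_le
    struct.pack_into("<QQQ", sec, 0xB0, 0x2000000, 0x2100000, 0x2200000)
    return bytes(sec)


def build_sample_image() -> bytes:
    """Constructed disk image: 4 empty sectors, then the volume, then a VHD-style footer."""
    return bytes(4 * SECTOR) + build_sample_sector() + b"conectix" + bytes(SECTOR - 8)


if __name__ == "__main__":
    image = build_sample_image()
    for off in scan_for_bitlocker_volumes(image):
        print(f"BitLocker volume at offset {off:#x}:")
        print(parse_bitlocker_header(image[off:off + SECTOR]))
```

If the scan finds no signature in a VHD, the image is most likely a dynamic (sparse) VHD rather than a fixed one, and the raw sectors need to be extracted first; PRKF handles that itself, but for manual work convert the VHD to a raw image before parsing.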
Note the bottom option for a Brute-force attack. Even on a high-end system this attack will be too slow to be a viable way of attacking a good BitLocker password; the memory analysis does not need to guess the password at all, because the key is already in the RAM capture. When you click “Next” the attack will start.
On my system, using an i7-6700K and a GTX 1060, the attack takes just under 2 minutes to complete. Please note that both AMD and NVIDIA cards are supported for GPU acceleration. I highly recommend getting high-end NVIDIA cards if you need to crack passwords on a regular basis.
After 1 minute and 43 seconds, the attack has completed and the key is revealed. This key can now be used to access the BitLocker volume.
Please note that the time needed to extract the key depends on the size of the volume, the size of the RAM capture and the hardware of the machine running PRKF.