Following on from my posts “10 Things You Don’t Want To Know About Bitlocker”, “TPM Undressed” and “Firewire Attacks Revisited”, it recently came to my attention that Passware, Inc., a feisty California company, has released a version of their forensic software which will decrypt Bitlocker and TrueCrypt protected hard disks via the classic Firewire vulnerabilities.
A full write-up can be found on the Passware site, but, put simply, it targets a machine that is running but has encrypted drives (for example one using Bitlocker in TPM-only mode, or a machine which is suspended, not hibernated). As to how to do it, well, they have implemented the exploit in a very neat and usable way:
Step 1 – capture a forensic memory image and disk images
1. Create the Firewire memory imager from the Passware Kit on a USB Stick
2. Connect the target computer to the forensic computer using a Firewire cable
3. Boot the forensic computer off the USB stick from step 1 to capture the image
4. Create disk images using tools such as Encase
Step 2 – Decrypt the disk images
1. Click “Recover Hard Disk Passwords” within the Passware Kit
2. Select Bitlocker or TrueCrypt
3. Select the memory image file, and the disk image file
4. Click Next – Passware will now decrypt the disk image.
This is, to my knowledge, the first commercial implementation (or should that be exploitation?) of the Firewire memory attack, and it should be considered by anyone intending to use products such as Bitlocker or TrueCrypt without making sure they deploy them in a way which prevents this kind of exploitation. As always, encryption is no use without proper pre-boot authentication.
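One practical way to check the point made above is to look at which key protectors a Bitlocker OS volume actually has: a volume whose only TPM-based protector is bare “Tpm” boots with no pre-boot authentication, which is exactly the TPM-only configuration mentioned earlier. The following PowerShell is an added example written for this post, not code from Passware or Microsoft. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; `Get-BitLockerVolume`) is available and that it is run from an elevated prompt; the function name `Test-PreBootAuthentication` is my own.

```powershell
# Added example (not from the original post). Reports whether a BitLocker
# volume has a protector that requires something at boot time (PIN and/or
# startup key) in addition to the TPM. A volume protected by "Tpm" alone
# unseals its key automatically at boot, so the key is in RAM as soon as
# the machine is up and nothing stands between it and a memory capture.
# Assumes the BitLocker module is present and the shell is elevated.
function Test-PreBootAuthentication {
    param(
        # Drive to inspect; defaults to the OS volume (assumed location).
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # KeyProtectorType values that ask the user for something before Windows
    # starts; any one of them counts as pre-boot authentication.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasPreBootAuth = $false
    foreach ($t in $types) {
        if ($preBootTypes -contains $t) { $hasPreBootAuth = $true }
    }

    # "Tpm" by itself, with no PIN or startup-key variant, is the weak setting.
    $tpmOnly = ($types -contains 'Tpm') -and -not $hasPreBootAuth

    [pscustomobject]@{
        MountPoint            = $vol.MountPoint
        ProtectionStatus      = $vol.ProtectionStatus   # On / Off
        KeyProtectors         = ($types -join ', ')
        PreBootAuthentication = $hasPreBootAuth
        TpmOnly               = $tpmOnly
        Finding               = if ($vol.ProtectionStatus -ne 'On') {
                                    'Protection is not on'
                                } elseif ($tpmOnly) {
                                    'TPM-only: key is released with no user input at boot'
                                } elseif ($hasPreBootAuth) {
                                    'Pre-boot authentication present'
                                } else {
                                    'No TPM-based protector found; review manually'
                                }
    }
}

# Usage: inspect the OS drive and print the result.
Test-PreBootAuthentication | Format-List
```

If the result shows `TpmOnly = True`, the fix is to add a TPM+PIN (or TPM+startup key) protector with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)` and then remove the plain TPM protector by its `KeyProtectorId` with `Remove-BitLockerKeyProtector`; keep the recovery password protector in place while doing so. This addresses the Bitlocker TPM-only case the post describes; the sleep-versus-hibernate case is a separate power-policy setting that this check does not cover.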
Please feel free to tweet me, Simon Hunt, @