Daily Blog #427: Bitlocker Experiments Part 1

Bitlocker Experiments Part 1 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
          In a prior Sunday Funday regarding Bitlocker drives and Windows upgrades I extended my ask a bit too far in what I put into the challenge, and justifiably received no submissions. I haven't stopped looking into the question, though: how does Windows temporarily disable Bitlocker to allow the machine to boot for an upgrade, and how can we as examiners take advantage of it?

In my research into this I've learned more about the 'clear key', which I had heard of before. A 'clear key' means that the key needed to decrypt the Bitlocker volume (the volume master key, which in turn decrypts the data) is stored unprotected, in plaintext, within the volume's own Bitlocker metadata. The volume stays encrypted on disk, but it can be unlocked by anyone who can read it, and it allows the user, if they so choose, to later protect the volume with a password or TPM protector and a recovery key. It appears as though some Surface computers ship with this mode on.

However, that did not answer my question about upgrades, as the drive isn't being re-encrypted during the upgrade process. It turns out there is an option to temporarily put an existing encrypted volume into 'clear key' mode: the existing protectors (TPM, PIN, password) are disabled and a clear key is written to the metadata, so the volume unlocks without them. To do this, execute the following command in an administrative command prompt:

manage-bde -protectors -disable c:

Here is a screenshot of it successfully running:

[Screenshot: manage-bde -protectors -disable c: completing successfully]

Checking the status of the drive with the command:

manage-bde -status

I see the following:

[Screenshot: manage-bde -status output showing Protection Off with a reboot counter]

Notice that it has left protection off for 1 reboot by default, which is just enough for an update to complete. The count is configurable: manage-bde -protectors -disable c: -RebootCount N accepts values from 0 through 15, and 0 leaves protection off indefinitely, until it is turned back on with manage-bde -protectors -enable c:. Either way, once the counter runs out the protectors are re-enabled and the clear key is removed, so an examiner looking for this state has a narrow window.
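The same procedure in PowerShell, as an added example that is not code from the original post: the BitLocker module's Get-BitLockerVolume, Suspend-BitLocker and Resume-BitLocker cmdlets wrap the same operations as manage-bde. The script records the state of every volume, suspends protection on one of them for a single reboot (the manage-bde default), and then flags any volume that is still encrypted but has protection off, which is the 'clear key' state an examiner would want to spot. The function names Get-ClearKeyCandidates and Suspend-ForUpgrade are my own; the cmdlets and their parameters are the documented ones.

```powershell
# Added example, not from the original post. Requires the BitLocker
# PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt.
# Get-BitLockerVolume, Suspend-BitLocker and Resume-BitLocker are the
# documented cmdlets; Get-ClearKeyCandidates and Suspend-ForUpgrade are
# helper names chosen for this example.

# Report every BitLocker volume and flag the ones that are encrypted but have
# protection off. That combination means the volume master key is reachable
# without any protector, i.e. the volume is in the 'clear key' state.
function Get-ClearKeyCandidates {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            ProtectionStatus = $_.ProtectionStatus  # On / Off
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            ClearKeyState    = ($_.VolumeStatus -ne 'FullyDecrypted') -and
                               ($_.ProtectionStatus -eq 'Off')
        }
    }
}

# Equivalent of: manage-bde -protectors -disable <MountPoint> -RebootCount <N>
# -RebootCount 1 matches the manage-bde default. Valid values are 0..15;
# 0 leaves protection off until Resume-BitLocker is run.
function Suspend-ForUpgrade {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [ValidateRange(0, 15)] [int]   $RebootCount = 1
    )
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    # Return the resulting protection status so the caller can verify it.
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

# Usage (on a test machine, never on evidence):
Get-ClearKeyCandidates | Format-Table -AutoSize
Suspend-ForUpgrade -MountPoint 'C:'
Get-ClearKeyCandidates | Where-Object ClearKeyState | Format-Table -AutoSize

# To restore protection before the reboot counter expires, equivalent to
# manage-bde -protectors -enable C:
# Resume-BitLocker -MountPoint 'C:'
```

Get-BitLockerVolume does not show the reboot counter; manage-bde -status is still the quickest way to see how many reboots remain before the protectors come back.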

I'm going to encrypt a VHD next week and do some testing to see how the tools recognize this. When I'm back in the office in a week (still in Abu Dhabi!) I'll let one of my machines upgrade and see if 'clear key' mode is in fact enabled on my Bitlocker drives, allowing me to decrypt them!

This is a 5-part series; make sure to check all the parts:
