Bitlocker cracking

[careless223]

I thought of this idea driving home from working out and debating whether I should buy Vista tomorrow.

So I got to thinking about Bitlocker drive encryption. Apparently it encrypts system files and the swap space along with all the user’s files. So what I was thinking (this is still just theory) is that if the system files are encrypted which includes little files that don't vary such as icons, you can take the encrypted file and compare it to an unencrypted version of that file to determine the password used to encrypt it with. For example: the Firefox icon. If you have a Firefox icon that is excrypted with bitlocker and one that is not, could you theoretically scan and compare the 2 files to find the original password used to encrypt them? It is encrypted with AES which is essentially just an algorithm that you plug the password into which then generates the rules for encrypting that file or in this case the entire drive. Then with the password in hand you could unencrypt the entire drive.

Is this even possible or am I just stupid?

[Sparda]

Your are not stupid :P

This depends upon how the encryption is implemented.

If the implementation is any good it should be impossible to be able to get directory listings let alone get the data for a file.

So, while you are correct in one respect (be able to work out the key used to encrypt a file if you have the encrypted file and the unencrypted file) you are (hopefully) wrong in another respect (it should be impossible to distinguish one files data from any other files data on an encrypted volume).

[careless223]

Well from what I understand and have read, it does not encrypt the FAT table. So from there could you not go to the physical portion of the disk to get the file if you know that it is so many bits in length?

[Sparda]

Well from what I understand and have read, it does not encrypt the FAT table. So from there could you not go to the physical portion of the disk to get the file if you know that it is so many bits in length?

If thats true (and I don't know that it is or it isn't) then theoretically you could I suppose. There is probably a good reason that doesn't work that I'm currently blind to lol

[careless223]

Well it should be interesting to see how this unfolds. Can you imagine having the switchblade automatically find some files like that so you can later steal the laptop and access all the secret information?

[Shaun]

Well from what I understand and have read, it does not encrypt the FAT table. So from there could you not go to the physical portion of the disk to get the file if you know that it is so many bits in length?

I don't think that's right, well, I know it's not right. First of all NTFS doesn't have a FAT, it has an MFT and the MFT is encrypted (clicky).

[sneaky_rupert]

They're right. With the encryption in place, it encrypts the whole volume...not just on a file to file basis. It looks like random data when it is encrypted.

Good thinking though, when you think like that you cross from the realm of being a script kiddie :-). If you have more ideas like this, please feel free to share them with us! I always like to entertain new ideas like this. And who knows, you might stumble on to something that everyone can benefit from! I know I am always adding to my Pen Testing kit, or my overall understanding.

[Shaun]

Known plaintext attacks aren't exactly a new idea, they've been used for a very long time.

[sneaky_rupert]

Known plaintext attacks aren't exactly a new idea, they've been used for a very long time.

Well yes, but easy cracking hard drive encryption is not really mainstream. I wasn't saying it was a NEW idea, but I was applauding his efforts to develop methodology to make a somewhat tedious effort a little easier.

[mubix]

Great ideas guys. I actually just posted on http://www.room362.com/ a short blurb about bitlocker. Check it out.

[twist3r]

for old hardware would this work?

store your keys on your thumbdrive in a truecrypt volume? hrm but this would mean that you already had to be booted into windows...

I guess I need to find some more information on bitlocker

[careless223]

I just read you blurb and it sorta fills in the holes in my logic.

So basically the files are encrypted until you access them right? Could you then maybe steal these files from a laptop or desktop that is logged on with a U3 thumbdrive via a batch script to copy the specific files that you need?

[SomeoneE1se]

yes and no Vista no longer autoruns anything... sorry

[mubix]

yes and no Vista no longer autoruns anything... sorry

Have you tried the Hacksaw and the Switchblade on Vista? I don't have mine on me right now or I would try.

[careless223]

So no autoplaying CDs? That sucks.

[SomeoneE1se]

So no autoplaying CDs? That sucks.

Kinda it does what XP dose for USB drives it asks what you would like to do biased on what it finds on the disk.

[VaKo]

yes and no Vista no longer autoruns anything... sorry

Have you tried the Hacksaw and the Switchblade on Vista? I don't have mine on me right now or I would try.

The Amish switchblade kinda works on vista, but it has trouble with the user passwords. Should be ok if someone rejigs it to work with NTLM.

[careless223]

Amish is the man.

So no U3 for Vista then? :(

[a5an0]

Amish is the man.

So no U3 for Vista then? :(

Give it time.