Crack Bitlocker Password

  


How To Crack Bitlocker Password

Finally, we are there. BitLocker passwords are used to protect volumes stored on external devices (including regular BitLocker and BitLocker To Go). The password is also the default when it comes to protecting fixed, non-system volumes. In other words, BitLocker passwords are extremely likely to be used on anything but the system.

Looks like the information above is like a thumbprint for a certificate, which is really just a shorthand way of identifying the public key. Anyway, without the recovery key or password, there is no chance of recovery of your data. When BitLocker is enabled it has you store the recovery key. Look on your flash drives for it.

Matthew7560 Dec 5, 2018 at 4:45 AM. I ran into this issue if BitLocker was running while the system was doing updates or installing them after the download. Also, if the computer detects a hardware change after BitLocker has run it can trigger this as well. Best bet would be to decrypt and run BitLocker again.

In the event that you cannot access a BitLocker-protected drive, you may be called upon to perform a BitLocker recovery. This can be done in a variety of ways. The user can type in the 48-digit recovery password. A domain administrator can recover the password from Active Directory Domain Services if that is where the password was stored.
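The 48-digit recovery password mentioned above has a checkable structure: eight blocks of six digits, each a multiple of 11 and no greater than 720885 (65535 × 11). The Python sketch below is an added example, not code from the original page or from any tool it names; it lets a help desk or escrow process find the mistyped block before an unlock is attempted. The function names and the sample password are constructed for illustration.

```python
import re

GROUPS = 8                 # a recovery password has 8 blocks
DIGITS = 6                 # of 6 decimal digits each (48 digits in total)
MAX_BLOCK = 0xFFFF * 11    # each block is a 16-bit value multiplied by 11

# Constructed sample (not a real key): blocks are 1000*11, 2000*11, ... 8000*11.
SAMPLE = "011000-022000-033000-044000-055000-066000-077000-088000"


def split_blocks(text):
    """Accept dash- or space-separated blocks, or one unbroken run of digits."""
    text = text.strip()
    if re.fullmatch(r"[0-9]+", text):
        return [text[i:i + DIGITS] for i in range(0, len(text), DIGITS)]
    return [b for b in re.split(r"[-\s]+", text) if b]


def check_recovery_password(text):
    """Return (block_number, problem) tuples; an empty list means well-formed.

    Block number 0 is used for problems with the password as a whole.
    A well-formed password is not necessarily the right one for a volume.
    """
    blocks = split_blocks(text)
    problems = []
    if len(blocks) != GROUPS:
        problems.append((0, f"expected {GROUPS} blocks, got {len(blocks)}"))
    for n, block in enumerate(blocks, start=1):
        if not re.fullmatch(r"[0-9]{6}", block):
            problems.append((n, "not exactly 6 digits"))
        elif int(block) % 11 != 0:
            problems.append((n, "not a multiple of 11 (likely typo)"))
        elif int(block) > MAX_BLOCK:
            problems.append((n, f"greater than {MAX_BLOCK}"))
    return problems


if __name__ == "__main__":
    mistyped = SAMPLE.replace("033000", "033001")   # one wrong digit in block 3
    for candidate in (SAMPLE, mistyped):
        issues = check_recovery_password(candidate)
        print(candidate, "->", issues or "well-formed")
```

Because a six-digit multiple of 11 has an alternating digit sum divisible by 11, the check catches any single wrong digit and any swap of two adjacent, different digits within a block.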

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining or XTS mode with a 128-bit or 256-bit key.

We use BitCracker for this purpose.

After cloning the repo and building it, we get an executable binary in the build folder.


Copy the drive that has BitLocker set to that folder and generate the hash of the drive's password.

After this we get two files, hash_user_pass.txt and hash_recv_pass.txt.

We have to crack hash_user_pass.txt to get the password. We will use John the Ripper for this purpose.

If the password is common and is in the wordlist, we are able to crack the password for the drive.

As explained in “Should you pull the plug?” and “BitLocker Forensics”, you should always capture the RAM of a live system. If there is a BitLocker volume mounted, there is a good chance you will be able to extract the key from the memory. In this post, I will explain how to extract the key from a RAM dump using Passware Recovery Kit Forensic (PRKF).

In BitLocker Forensics I explained how you can export the recovery key on a live system. But there are times when you might not be able to export the key (e.g. the system is locked down in some way) but you are able to capture the RAM. The RAM capture contains a lot of information, including the BitLocker keys. There are quite a few tools on the market that are able to extract the key from a RAM capture. In this post, I will be using Passware Recovery Kit Forensic. It’s an affordable sub $1000 solution and it’s easy to use. As a disclaimer, let me state that I am not affiliated with Passware and their products in any way.

On the main screen of PRKF there are several recovery options. In order to extract the key from a memory dump we need to choose “Full Disk Encryption”.

PRKF supports several popular encryption methods. This includes:


  • BitLocker
  • TrueCrypt
  • VeraCrypt
  • PGP Whole Disk Encryption
  • FileVault
  • Apple Disk Utility Encryption
  • LUKS

The one we are interested in is BitLocker, so we select the “BitLocker” option.

In the next window, we need to select a few things. First, we need to select the BitLocker volume image file. This should be the image of the encrypted disk; in this example, I am using an encrypted VHD (Virtual Hard Disk) file. Secondly, we need to choose our memory image. It’s possible the extension isn’t recognized by default, so you might want to select “All Files (*.*)” when browsing for the image file.


Note the bottom option for a brute-force attack. Even when you are using a high-end system, this attack will be too slow to be a viable way to attack a good BitLocker password. When you click “Next” the attack will start.

On my system, using an i7-6700K and a GTX 1060, the attack will take just under 2 minutes to complete. Please note that both AMD and NVIDIA cards are supported for GPU acceleration. I highly recommend getting high-end NVIDIA cards if you need to crack passwords on a regular basis.

After 1 minute and 43 seconds, the attack has completed and the key is revealed. This key can now be used to access the BitLocker volume.


Please note that the amount of time needed for extracting the key depends on the size of the volume, the size of the RAM capture and the hardware of the machine running PRKF.