Question Have Police successfully cracked BitLocker in the past?

Please provide comments and solutions that are helpful to the author of this topic.

Studynxx

Level 4
Thread author
Jan 20, 2023
227
I've been trying to find evidence that they have access to some kind of backdoor in BitLocker, but unsuccessful thus far.
 

Bot

AI-powered Bot
Apr 21, 2016
4,533
There's no public evidence to suggest that police or any other authorities have a backdoor to BitLocker. It's designed to protect data by providing encryption, and Microsoft has always maintained that they do not provide backdoors to any government agencies.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,692
What backdoor, Bitlocker keys are generally stored in MSA, MS proudly admits that it is helping police as per law to access onedrive, outlook and such to help to fight the "crime".
Always encrypt files and file names before uploading them online, that should help you to avoid AI's private files detection, banning the account or facing criminal charges.

  • Microsoft does not provide any government with direct and unfettered access to our customers’ data, and we do not provide any government with our encryption keys or the ability to break our encryption.
Note the law talk, they do not provide the direct access, but they can, if asked for it, whether it is related to Patriot Act or hate speech is up for the interpretation by lawyers.
 

Vitali Ortzi

Level 27
Verified
Top Poster
Well-known
Dec 12, 2016
1,641
What backdoor, Bitlocker keys are generally stored in MSA, MS proudly admits that it is helping police as per law to access onedrive, outlook and such to help to fight the "crime".
Always encrypt files and file names before uploading them online, that should help you to avoid AI's private files detection, banning the account or facing criminal charges.


Note the law talk, they do not provide the direct access, but they can, if asked for it, whether it is related to Patriot Act or hate speech is up for the interpretation by lawyers.
If the system didn't reboot it will probably be easy to dump memory with some kind of an attack without a need to request access although they probably have other methods too and if everything fails they can just request legal access from Microsoft or if they are lazy And if Microsoft would have refused some departments have Israeli software that's built for iOS , android , windows etc
With all kinds of methods to crack , bypass etc
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,692
If the system didn't reboot it will probably be easy to dump memory with some kind of an attack without a need to request access
Yes, several options are available, pagefile being the main one, removing it at shutdown works till the PC is reset, then it is pointless.
Code:
rem Encrypt the Pagefile
fsutil behavior set EncryptPagingFile 1

rem 1 - The device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f

rem Determines how many user account entries Windows saves in the logon cache on the local computer.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "CachedLogonsCount" /t REG_DWORD /d "0" /f

rem 1 - Do not allow storage of passwords and credentials for network authentication in the Credential Manager
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableDomainCreds" /t REG_DWORD /d "1" /f

rem Digest Security Provider is disabled by default, but malware can enable it to recover the plain text passwords from the system’s memory (+CachedLogonsCount/+DisableDomainCreds/+DisableAutomaticRestartSignOn)
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "Negotiate" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "UseLogonCredential" /t REG_DWORD /d "0" /f

rem Restrict Delegation of Credentials
rem https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdminOutboundCreds" /t REG_DWORD /d "1" /f

rem https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RunAsPPLBoot" /t REG_DWORD /d "2" /f
 

Vitali Ortzi

Level 27
Verified
Top Poster
Well-known
Dec 12, 2016
1,641
Yes, several options are available, pagefile being the main one, removing it at shutdown works till the PC is reset, then it is pointless.
Code:
rem Encrypt the Pagefile
fsutil behavior set EncryptPagingFile 1

rem 1 - The device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f

rem Determines how many user account entries Windows saves in the logon cache on the local computer.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "CachedLogonsCount" /t REG_DWORD /d "0" /f

rem 1 - Do not allow storage of passwords and credentials for network authentication in the Credential Manager
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableDomainCreds" /t REG_DWORD /d "1" /f

rem Digest Security Provider is disabled by default, but malware can enable it to recover the plain text passwords from the system’s memory (+CachedLogonsCount/+DisableDomainCreds/+DisableAutomaticRestartSignOn)
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "Negotiate" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "UseLogonCredential" /t REG_DWORD /d "0" /f

rem Restrict Delegation of Credentials
rem https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdminOutboundCreds" /t REG_DWORD /d "1" /f

rem https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RunAsPPLBoot" /t REG_DWORD /d "2" /f
They can just implement malware in some controller firmware and give the PC back to y XD
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,692
They can just implement malware in some controller firmware and give the PC back to y XD
That is the reason I disable AMD PSP, Intel has something similar. I do not mind being paranoid, it pays off in a long run. 🤫

capture_12082024_171848.jpg
 
  • Applause
Reactions: simmerskool

Studynxx

Level 4
Thread author
Jan 20, 2023
227
If the system didn't reboot it will probably be easy to dump memory with some kind of an attack without a need to request access although they probably have other methods too and if everything fails they can just request legal access from Microsoft or if they are lazy And if Microsoft would have refused some departments have Israeli software that's built for iOS , android , windows etc
With all kinds of methods to crack , bypass etc
Wait, are you saying hibernating the PC with BitLocker enabled won't work, and they can still bypass the need for the BitLocker PIN?
 

Studynxx

Level 4
Thread author
Jan 20, 2023
227
Ot will have to go through a whole cold boot and that will fully stop only that specific method
The solutions above will partially protect against it
That means shutting it down, or does it mean shutting it down and then turning off the PSU (there's a switch in the back of the PC)?

And even if that's true, you're saying that there's many other methods we don't know, that agencies like the NSA or police do know about?
 

bazang

Level 8
Jul 3, 2024
374
And even if that's true, you're saying that there's many other methods we don't know, that agencies like the NSA or police do know about?
Governments and organized cyber criminals have all kinds of methods. They are on a continuous development cycle of probing any aspect of any software and hardware for ways to exploit it. They literally have hundreds of tricks in their rabbit hat.

There is a certain faction of people that believe the opinion below, so they've instigated Microsoft alternatives and at one time there was big drama about BitLocker.

Years back, speculation of a Bitlocker backdoor was all the rage amongst the paranoid and anti-establishment ideologues. The solution was TrueCrypt and then VeraCrypt when the TrueCrypt project s h i t the bed.

MicroSoft is the US Governments lapdog, when the government tells them to bark they will obey.
(Microsoft is no different than any other software publishers. Ideological people who contributed to FOSS projects meant to be anti-establishment have cooperated with many governments when those governments showed them who is boss. So much for those projects statement of "We will never cooperate! Never!")

I own a company. I could care less what ANY government does to you or anyone else. I am not going to risk my company to defend your data as part of some principle or ideology. Only a fool would not cooperate with the government and thereby bring down an avalanche of really negative consequences. Besides. Who knows. You could be a terrorist or criminal, and I never support them by not cooperating. Essentially, this is a global business policy.

If you worry about being a government getting access to your hard disk, then you've got much bigger problems. Never mind the fact that Dmitry and Igor Lybansky already have all your infos in their global network and gladly sell it to anyone willing to pay.
 

Victor M

Level 14
Verified
Top Poster
Well-known
Oct 3, 2022
650
NSA has been known to develop exploits and hacks. For example, NSA has engineered firmware backdoors for old 2002 era PCs and they were leaked. Snowden has found something else I forgot. And NSA has no reason to change their ways. Just be a 'normal' citizen and perhaps they wouldn't bother you.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top