Access Bitlockered Drive w/out recovery key

gunbunnysoulja Member Posts: 353
Hello,

Does anyone know if it's possible to access a drive encrypted with bitlocker without having the recovery key?

I'm not sure how, but the recovery keys that typically back up to AD didn't take place for this specific workstation. So we have no way to access the drive and we need/want the data.

Any ideas?

Thanks!
WGU BSIT Start Date: July 1, 2013
In Progress: CJV1 (4 CU)
Transferred: WFV1, TJP1, CLC1, INC1, INT1, EUP1, EUC1, BVC1, GAC1, DHV1, DIV1, CWV1, CRV1, DEV1, CTV1, DJV1, IWC1, IWT1, CVV1, RIT1, CIC1, CJC1, TBP1, TCP1, EAV1, EBV1, TJC1, AGC1 (82 CU)
Completed: MGC1, TPV1, CUV1 (14 CU)
Remaining: BOV1, BNC1, TXP1, TXC1, TYP1, TPC1, SBT1, QZT1 (22 CU)


Comments

  • swild Member Posts: 828
    According to the 70-680 study material from MS, no.

    but anything can be hacked if you have the time.
  • gunbunnysoulja Member Posts: 353
    I have no problem sending it out for Data Recovery, IF it can be retrieved. I just don't wanna ship it off with unrealistic expectations.

    Thanks!
  • demonfurbie Member Posts: 1,819 ■■■■■□□□□□
    what have you tried so far?
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
  • gunbunnysoulja Member Posts: 353
    I haven't tried anything because I didn't know what my options would be. The recovery key isn't in AD. And there is no alternative PIN backed up to USB or anything. I'm not even sure HOW/WHY the key isn't in AD but either way it's not there. It's for a LTC in the Army and he wants/needs his data so I'm just trying to find out if there are any user steps to try outside of data recovery (and even if that's an option).


    There is no data recovery agent as we utilized bitlocker keys backing up to AD (which wasn't useful for this workstation). I'm assuming some tech here did bitlocker off the network so it didn't upload to AD and saved it local somewhere instead.


    Edit: Just spoke to my POC @ Kroll On-Track Data Recovery and they said without the key, there is no way to decrypt/recover the drive.

    Thanks!
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I think his data is just gone. I highly doubt that anyone is going to be able to recover the data within a realistic time frame via a hack. I would hope he understood the dangers of using encryption before he allowed his drive to be encrypted.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    RobertKaucher wrote: »
    I think his data is just gone. I highly doubt that anyone is going to be able to recover the data within a realistic time frame via a hack. I would hope he understood the dangers of using encryption before he allowed his drive to be encrypted.

    That probably didn't happen. Gunbunny, is your entire site using bitlocker on ALL workstations? I thought MobileArmor was the requirement (ok, that's for laptops, whatever the equivalent is for desktops.) I haven't seen any other bases/posts/installations/whatever using it for desktops.
    Working on: staying alive and staying employed
  • Stiltz79 Member Posts: 74 ■■□□□□□□□□
    The laptop shouldn't have Bitlockered without being on the network. Does he know the PIN? Have you tried reconnecting it to the network and turning it on? Maybe once it is connected to the network it will add the key to AD.
  • GAngel Member Posts: 708 ■■■■□□□□□□
    Yes absolutely. It's been cracked since 2008 (have done it personally a few years ago) and is a totally unsecure method of data security. You just need to do some searches.
  • Fugazi1000 Member Posts: 145
    GAngel wrote: »
    Yes absolutely. It's been cracked since 2008 (have done it personally a few years ago) and is a totally unsecure method of data security. You just need to do some searches.

    Really?

    This method doesn't count. Bitlocker Broken/Cracked
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    GAngel wrote: »
    Yes absolutely. It's been cracked since 2008 (have done it personally a few years ago) and is a totally unsecure method of data security. You just need to do some searches.

    Now pay attention: neither BitLocker nor any other drive encryption system is designed to protect data on a drive when the machine is booted, and someone with administrator privileges has access to the machine. People keep conveniently glossing over this fact. BitLocker is designed to prevent off-line attacks such as the ‘stolen/lost laptop’ scenario. If you log in to your computer, then hand it to someone, nothing in the world will protect your data.
    All of this sensationalist drivel would like you to believe that if you can get at the data which is protected by a disc encryption system from a logged-in machine as an administrator that there is some huge security vulnerability. There isn’t. If you have that kind of access to the machine why not just turn off the encryption and save yourself the trouble?

    Please explain the method you used personally...
  • gunbunnysoulja Member Posts: 353
    Stiltz79 wrote: »
    The laptop shouldn't have Bitlockered without being on the network. Does he know the PIN? Have you tried reconnecting it to the network and turning it on? Maybe once it is connected to the network it will add the key to AD.

    He knows the pin but it doesn't update to AD after the fact. The option when creating bitlocker if off the LAN is to save it local. Now I am being told this didn't happen, but if not then I have NO idea why it wouldn't show in AD. Someone obviously messed up.
  • gunbunnysoulja Member Posts: 353
    colemic, we use bitlocker on all laptops. I just happened to refer to this laptop as a workstation.
  • 4_lom Member Posts: 485
    You have to use a recovery agent.
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

  • gunbunnysoulja Member Posts: 353
    Recovery Agent wasn't configured as we back up recovery keys to AD (which wasn't helpful in this scenario!). Also, is that even an option with Windows Vista?
  • 4_lom Member Posts: 485
    What mode was used? TPM, TPM and Pin, TPM and smart card, TPM and startup key, or just a startup key alone? Are you able to access recovery mode? Sorry if these questions were already answered. I just skimmed through the thread, don't have time to read it all. I'm at work :(
  • kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
    Have you tried viewing other computers in AD to make sure you can view any computer's bitlocker recovery key?

    Could he possibly be in an OU that doesn't allow the groups you are associated with to view the recovery key for his laptop?
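
Added example, not part of any post in this thread: the check suggested above (confirm that recovery information is visible for a machine known to have it, then list machines with none) written as a PowerShell audit that never prints the keys themselves. It assumes the RSAT ActiveDirectory module; the OU path and the known-good computer name are placeholders.

```powershell
# Added example: audit BitLocker recovery-key escrow in Active Directory.
# Run as an account delegated to read BitLocker recovery information.
Import-Module ActiveDirectory

$SearchBase = 'OU=Laptops,DC=example,DC=test'   # placeholder OU (assumption)
$KnownGood  = 'LAPTOP-KNOWN-GOOD'               # placeholder: machine whose key is known to be escrowed

function Get-EscrowedRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerDN)
    # Escrowed recovery passwords live in msFVE-RecoveryInformation objects
    # stored directly beneath the computer account.
    Get-ADObject -SearchBase $ComputerDN -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties whenCreated
}

# Sanity check first: if nothing is visible for a machine that is known to
# have a key in AD, the problem may be this account's read rights, and an
# "empty" result for any other machine proves nothing.
$ref = Get-ADComputer -Identity $KnownGood
if (-not (Get-EscrowedRecoveryInfo -ComputerDN $ref.DistinguishedName)) {
    throw "No recovery objects visible for $KnownGood; check read rights before trusting this report."
}

# Count escrowed recovery objects per computer without reading the passwords.
$report = foreach ($c in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    $info = @(Get-EscrowedRecoveryInfo -ComputerDN $c.DistinguishedName)
    [pscustomobject]@{
        Computer     = $c.Name
        EscrowedKeys = $info.Count
        NewestEscrow = ($info | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
}

# Machines listed here would have no recovery path through AD.
$report | Where-Object EscrowedKeys -eq 0 | Sort-Object Computer | Format-Table -AutoSize
```

Run on a schedule, a report like this surfaces machines that were encrypted without escrow while they can still be unlocked normally.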
  • 4_lom Member Posts: 485
    kriscamaro68 wrote: »
    Have you tried viewing other computers in AD to make sure you can view any computer's bitlocker recovery key?

    Could he possibly be in an OU that doesn't allow the groups you are associated with to view the recovery key for his laptop?

    There's a policy for that??
  • gunbunnysoulja Member Posts: 353
    Recovery keys work for everyone else. This has been set up and working for quite some time... It's for a DoD installation.

    We use TPM and Startup PIN. Recovery Keys store in AD. The OU is correct. Users can't view the key, only the Sys Admins, who state it's not there.

    The laptop has the screen to enter the recovery key and can't utilize the normal pin as something has changed, either TPM or BIOS thus prompting for the key.
  • kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
    Is this a Lenovo laptop by chance?
  • gunbunnysoulja Member Posts: 353
    No, all our laptops are Dell E65x0 series...
  • 4_lom Member Posts: 485
    gunbunnysoulja wrote: »
    Recovery keys work for everyone else. This has been set up and working for quite some time... It's for a DoD installation.

    We use TPM and Startup PIN. Recovery Keys store in AD. The OU is correct. Users can't view the key, only the Sys Admins, who state it's not there.

    The laptop has the screen to enter the recovery key and can't utilize the normal pin as something has changed, either TPM or BIOS thus prompting for the key.

    Was the BIOS admin password enabled? And is the TPM enabled in the BIOS? Maybe there was a glitch in the Matrix. ;) Is it possible that someone changed the key? Are the admins able to view any keys at all?
  • gunbunnysoulja Member Posts: 353
    There was no BIOS password enabled (unfortunately), however I think there was a glitch with the system as we've seen periodic bizarre issues with TPM.

    TPM is enabled in the BIOS. Admins can view any bitlocker recovery keys as they are the ones who manage them for the installation.