This week I'm in Copenhagen teaching a cyber security class, and I showed the class a small demo. It's something that I recorded a little while back, and I was thinking, why on earth have I not shown you guys? Fundamentally it's one of the most important security things you will ever see, so if you want to know what it is, you'd better stay tuned.
Greetings, fellow YouTubers. Andy Malone, Microsoft MVP as well as a Microsoft Certified Trainer. Welcome back to the channel. This week I'm teaching a cyber security class in Copenhagen, so please forgive the audio and video quality on this video; I'm not in my studio, obviously. I'm teaching all about encryption, and one of the fundamental technologies behind Windows 10, and in fact everything from Windows Vista, Windows 7, 8 and 10, has been a technology called BitLocker.

Now BitLocker is Microsoft's data-at-rest solution, which means once implemented it will encrypt all of your data at rest, and it does this by the use of symmetric key cryptography. And in this case I've discovered a flaw with it. Well, technically it's not a flaw with BitLocker; it's a problem with the industry technology. We have something called key escrow in the industry, which means, if you can imagine it was your laptop: an employee leaves the office and his laptop is encrypted. Well, key escrow allows an administrator to basically gain access to somebody's data.

Now, to thwart this, Microsoft introduced something called a TPM module. Well, they didn't invent it; it's part of your motherboard on your laptop or on your desktop PC. A TPM means Trusted Platform Module, and it's currently in version 1.2. So the idea of this is you can encrypt your disk completely, and the keys, so the private key, never leave the TPM, the Trusted Platform Module, so it never leaks into memory.
And you're probably thinking, well, what would happen if it did leak into memory? Well, I'm really glad you asked that question, because I love forensics, and a little while back I took a forensic look at Windows 10 BitLocker and I recorded the demo. I showed this yesterday to my class and I was thinking, golly, you guys would love to see this. It's so important, such an important security feature, and it's also important to understand what you can do to protect against the attack that I'm going to show you.

So the scenario here is, let's say for example you're a bad guy, all right, and I suspect that you're up to no good. So what I've done is somehow I've got you away from your laptop. Your laptop is switched on, and what I've done is I've connected using what we call a FireWire cable. Now that's not the only way to acquire a forensic image; there are other ways as well, but for this demo I've done a forensic image of your machine. So what I've done is I've taken a snapshot of RAM, and this is stored in what we call a bin image, a binary image, and I've also taken a dd image, or a direct disk image, of your machine. It just takes a quick photo of everything. And what I've done is I've got a little utility called Disk2vhd and I've converted that disk into a virtual hard drive, which I'm now going to attach to my Windows machine, and let's just have a look at what secrets lie underneath.
So here I am in Windows 10, and I've gone into my disks here, and what I'm going to do is, first of all, attach my image. You can see here that I've got my converted VHD file, and it's called BitLocker To Go, so this is a converted BitLockered image of a dd image. I'm attaching it to my H: drive here, as you can see. And now that I've done that, I'm just going to flip over into File Explorer, and I'm just going to scroll down and click on to that H: image. Now, you can see here that there's a little padlock on there, which indicates that this drive has been BitLockered. Now, if I enter the password... which of course I don't know the password, so I'm actually stuck.

So what I'm going to do is I'm going to use a piece of very clever forensic software here called Password Forensic, and what this is going to do is it's going to give me access. Now, there's a number of different forensic packages, and you can see that we've got BitLocker, TrueCrypt, PGP, Apple FileVault; it doesn't really matter the type of encryption that you're using. And as I said, what we need to do is we need to provide the system with the two files, the two forensic files that I've done. So you can see here I've got one with the dd image, which is the direct disk, and I've also got the other one here, which is the bin image, the binary image. Yes, so I'm just going to click onto that and click Open.

And now that that's loaded, in essence what's happening is, within the scope of BitLocker there is a recovery key, and the recovery key is always stored at the front of an image, so this is the reason why it's here, and I can now simply copy that recovery key. Please note the recovery key is also stored in your pagefile.sys file as well, which is your memory paging file. So again, all I do now is go back into my H: drive, and in my H: drive I don't know the password, but of course now I do know the recovery key, so I'm just going to go ahead and paste that in. Just paste that in there, and click on Unlock. So there you go: if I just click back onto the drive, I've now got full access to that BitLocker image. Isn't that cool? There you go.
So you might then say, okay, how do I defend against something like this, Andy? Well, here we go into the realm of: do you want convenience or do you want security? So as I mentioned, the problem here that made this attack possible is that that recovery key gets bled into RAM, and when you bleed something into RAM it allows these security tools to be able to work.

So what Intel came up with is something called a TPM module, the Trusted Platform Module, and the idea is that all your secrets, your passcodes and passwords, stay locked away in this kind of secure vault or chip on your computer and never get bled into RAM. Now the problem with this, of course, is in practicality terms it doesn't work, because if you're in an enterprise environment you're going to want to be able to back up those keys, because if an employee leaves the company you're going to want to get access to their content. Now, okay, that's fair enough, so that's the reason, by the way, why we had tools like MBAM, the Microsoft BitLocker Administration module, and all of those tools. What they do is they store those recovery keys in Active Directory, or you might put them into the Azure Key Vault or something like that. But the thing is, yes, it's great for you guys to be able to recover that content, but in keeping your stuff safe, you're putting it in memory, so as soon as it's out away from a TPM it's potentially vulnerable.

So there you go, that was my little demo on BitLocker. I think it's really important that you see it. Hey, listen, I would love your feedback, your questions, your comments on that; I really want to know what you think about that, okay? And if you enjoyed the video, please give me a big thumbs up. All right, so very much appreciate you stopping by, and what can I say? Cheerio from Copenhagen, and I'll see you next time, folks. Take care, okay, thanks.
Thanks for dropping by, hope you enjoyed the video. Go ahead and click on the Subscribe button and ring that bell and you won't miss a thing. See you next time.
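Added example, not from Andy's video and not the method of the forensic package he uses: a small Python carver that does the kind of search a tool has to do over a RAM snapshot (the .bin image) or pagefile.sys to find a BitLocker recovery password sitting in memory as a string. It assumes only the publicly documented recovery-password format used by open-source BitLocker tooling: 48 digits in eight hyphen-separated groups of six, each group divisible by 11 with a quotient that fits in 16 bits, the eight quotients concatenated little-endian giving the 16-byte value the password encodes. It searches for both the ASCII form and the UTF-16LE form, since most in-memory Windows strings are UTF-16LE, and it rejects lookalikes that fail the check-digit or 16-bit rule. SAMPLE_IMAGE is a constructed memory image, not a real capture.

```python
import re
from typing import List, Tuple

# ASCII form: eight hyphen-separated groups of six digits, not embedded in a
# longer digit run (so a 54-digit blob does not produce a bogus hit).
ASCII_RE = re.compile(rb"(?<![0-9])(\d{6}(?:-\d{6}){7})(?![0-9])")
# UTF-16LE form, which is how Windows keeps most of its in-memory strings.
UTF16_RE = re.compile(rb"(?:[0-9]\x00){6}(?:-\x00(?:[0-9]\x00){6}){7}")


def validate_recovery_password(pw: str) -> bool:
    """Format check for a 48-digit BitLocker recovery password.

    Each 6-digit group carries a check digit that makes it divisible by 11,
    and group // 11 must fit in 16 bits. Anything else is noise that merely
    looks like a key.
    """
    groups = pw.split("-")
    if len(groups) != 8:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        n = int(g)
        if n % 11 != 0 or n // 11 > 0xFFFF:
            return False
    return True


def decode_recovery_password(pw: str) -> bytes:
    """Turn a valid recovery password into the 16-byte value it encodes.

    Each group // 11 is a 16-bit word; the eight words are concatenated
    little-endian (the byte order the open-source implementations use).
    """
    if not validate_recovery_password(pw):
        raise ValueError("not a well-formed BitLocker recovery password")
    out = bytearray()
    for g in pw.split("-"):
        out += (int(g) // 11).to_bytes(2, "little")
    return bytes(out)


def carve_recovery_passwords(image: bytes) -> List[Tuple[int, str, str, bool]]:
    """Scan a raw memory image for recovery-password-shaped strings.

    Returns (offset, encoding, password, passes_format_check) for every
    candidate, sorted by offset. Only entries with passes_format_check set
    are worth trying against the volume.
    """
    hits = []
    for m in ASCII_RE.finditer(image):
        pw = m.group(1).decode("ascii")
        hits.append((m.start(1), "ascii", pw, validate_recovery_password(pw)))
    for m in UTF16_RE.finditer(image):
        pw = m.group(0).decode("utf-16-le")
        hits.append((m.start(), "utf-16le", pw, validate_recovery_password(pw)))
    hits.sort()
    return hits


# Constructed test data (assumption: these are made-up values, not real keys).
# VALID_PW encodes the words 12345, 65535, 0, 1, 4660, 30000, 54321, 9999.
VALID_PW = "135795-720885-000000-000011-051260-330000-597531-109989"
# Last group fails the divisible-by-11 check digit.
BAD_CHECK_PW = "135795-720885-000000-000011-051260-330000-597531-109990"
# 999999 is divisible by 11 but 999999 // 11 does not fit in 16 bits.
TOO_BIG_PW = "999999-000000-000000-000000-000000-000000-000000-000000"

# Constructed stand-in for a RAM snapshot: padding, an unrelated string, the
# valid key as ASCII, two lookalikes, and the valid key again as UTF-16LE.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"BitLocker Drive Encryption\x00"
    + VALID_PW.encode("ascii") + b"\x00\x00"
    + b"\xff" * 32
    + BAD_CHECK_PW.encode("ascii") + b"\n"
    + TOO_BIG_PW.encode("ascii") + b"\x00"
    + b"\x00" * 16
    + VALID_PW.encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 64
)


if __name__ == "__main__":
    for off, enc, pw, ok in carve_recovery_passwords(SAMPLE_IMAGE):
        status = "VALID  " if ok else "reject "
        print(f"{status} offset=0x{off:06x} {enc:8s} {pw}")
        if ok:
            print("         key material:", decode_recovery_password(pw).hex())
```

Run against a real .bin or pagefile.sys by reading the file into `image`; on a multi-gigabyte capture use a memory-mapped file rather than `read()`. A candidate that passes the format check is still only a candidate: the one test that matters is whether it unlocks the volume, exactly as in the demo.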