Software claims to be able to decrypt BitLocker To Go flash drives in less than 20 minutes.

But this isn’t exactly a kid in his mother’s basement. The program is from Passware Inc., which develops password recovery, decryption and cyber forensics solutions for corporations, law enforcement agencies, and the government. They showed their talents this week at the 2010 International Training Conference of the High Technology Crime Investigation Association in Atlanta.

Their product, Passware Kit Forensic 10.1, allows for cracking of BitLocker To Go USB disks. Passware’s BitLocker decryption capabilities, first introduced in November 2009, support all types of hard disk images, including raw image files and images created with Guidance EnCase or any other forensic tool.

“This enhanced solution for computer forensics allows the entire memory capture and decryption process to take no more than 40 minutes regardless of the complexity of the password,” said Dmitry Sumin, president of Passware, Inc.

This new ability includes live target memory acquisition and BitLocker encryption key recovery, which allow computer forensics investigators to easily gain full access to the contents of the encrypted USB disk. Passware Kit Forensic now also supports BitLocker To Go images saved as Virtual Hard Disks (VHD), a format that allows attaching BitLocker hard disks in Windows 7 and Server 2008 without using any third-party disk mounting tools.

You can get your hands on Passware Kit 10.1 for about $800.

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows Vista and 7, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. By default it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES.

About The Author

John Guilfoil is the editor-in-chief of Blast: Boston's Online Magazine and the Blast Magazine Network. He can be reached at [email protected]. Tweet @johnguilfoil.

2 Responses

  1. Ryan

    Ironically, according to Passware’s own website, you can easily defeat it:

    NOTE: If the target computer is turned off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

    As the description stated, if you take preventive measures against this method, then you have nothing to worry about.

