dell bitlocker


Alandata Recovery

Jun 22, 2021, 1:14:22 AM
to datarecoveryce.
I have a Dell laptop with nvme sata drive
pulled drive - it's BitLocker encrypted
customer has no key

put the drive back into the laptop
it boots to his user password screen
he doesn't remember the password

tried forgot password
he doesn't know what MS account he signed up with -
says he never had a live, hotmail, outlook, account
when I changed option to login using pin
and then picked forgot password then
it shows me an abdnov@gmail account
so tried password recovery with that but MS
asks a bunch of questions to verify who you are
but still says he is not the owner

it's booting up
so it's obviously decrypting
how to bypass this?


--
Alandata Data Recovery -  (949)287-3282  
"Cleanroom Data Recovery of RAID, VMware, NAS, Linux, Tape, Disk, Forensics"

PCLAB

Jun 22, 2021, 3:24:09 AM
to DataRecoveryCertification
If no password available and no other way to get it, I don't think it's possible.
By the way: is he the real owner??

Markus Bauer

Jun 22, 2021, 3:48:38 AM
to DataRecoveryCertification
If he had an unsecure password you could try PassWare: https://www.passware.com/kit-forensic/
But I am not sure how long that process would take...

Markus Bauer

Jun 22, 2021, 4:07:34 AM
to DataRecoveryCertification
There are more tools for that - https://www.elcomsoft.de/efdd.html
I am pretty sure you could also use hashcat or JohnTheRipper in some way - just google it.

Data Recovery Guru

Jun 22, 2021, 6:40:49 AM
to datarecovery...@googlegroups.com
Dell has its own encryption product, based on the older Credant. Maybe it is that?

How do you know it is actually BitLocker? When you connect the drive to your machine, does a BitLocker window pop up asking for the recovery key?

Sometimes they are encrypted via TPM with Bitlocker. I had one customer last year who I could not help with their non-booting machine. Corporate environment with end user's machine not booting. Came pre-encrypted from the vendor (CDW was the vendor I believe). No recovery key was provided by the vendor.

Mounting the SSD on my machine would ask for Bitlocker recovery key. In the laptop's BIOS, they had TPM 2.0 enabled.


Rames Lopes

Jun 22, 2021, 9:11:34 AM
to datarecovery...@googlegroups.com
Hi friends, how are you? In this case you should do forensic cloning of the disk and initialize the cloned encrypted disk in the notebook
 
1st download the software and boot
Lazesoft Recovery Suite Home Page

2nd Boot the notebook and boot from the system and boot Lazesoft Recovery Suite Home

3rd Create a new user with a reset password or try resetting the MS account password offline through Lazesoft Recovery Suite Home

4th Recover Files with some data recovery program

Akram El Gebali

Jun 22, 2021, 9:52:10 AM
to datarecovery...@googlegroups.com
Hi Rames
I guess the Lazesoft Recovery is only for Windows pw and not for HD, isn't it?



--
Akram El Gebali

 
Best wishes,
 
 

Rames Lopes

Jun 23, 2021, 5:37:10 AM
to datarecovery...@googlegroups.com
I have a Dell laptop with nvme sata drive
pulled drive - it's BitLocker encrypted
customer has no key

put the drive back into the laptop
it boots to his user password screen
he doesn't remember the password

tried forgot password

Yes, you will turn on the cloned notebook and create a new user or clear a password.

Fraser Corrance

Jun 23, 2021, 7:45:40 PM
to DataRecoveryCertification
I have never had the chance to try this one out but I am curious if it actually works. 


Fraser

t...@desertdatarecovery.com

Jun 23, 2021, 7:58:53 PM
to datarecovery...@googlegroups.com

Interesting. Thanks for sharing Fraser.

 

Tim Homer - Lead Engineer

Desert Data Recovery

t...@desertdatarecovery.com

www.desertdatarecovery.com

Markus Bauer

Jun 24, 2021, 2:49:36 AM
to DataRecoveryCertification
That should work - I often use JTR and Hashcat for hash cracking.
PassWare is the more polished tool but JTR will do.

BTW - If you need the HaveIBeenPwned wordlist I can share it, as hashes.org has been down for a while.

PCLAB

Jun 24, 2021, 3:41:38 AM
to DataRecoveryCertification
Very interesting!!

Fraser Corrance

Jun 24, 2021, 9:33:35 PM
to datarecovery...@googlegroups.com


So, while we are on the subject, does anyone know if there is a similar process for cracking FileVault? If the Mac is connected to an iCloud account the password can usually be reset using the iCloud password but every so often I come across a situation where that either is not an option or simply does not work. It's always nice to have another option to fall back on. 

I could not possibly count how many times over the years I have had to tell clients that I have no way of getting past their encryption on a drive that I was recovering. It makes me wish I would have made a list of names and numbers so I could call them up and get them to come back in. lol

Fraser



Markus Bauer

Jun 25, 2021, 2:46:47 AM
to DataRecoveryCertification
Here: https://tinyapps.org/docs/cracking-filevault.html
PassWare Forensic Kit also deals with FileVault.

There is always a way with bruteforce or dictionary attacks but you never know if they work or how long that takes. E.g. my GTX1660 will do approx. 150000 hashes / sec. on MD5 passwords from a MySQL dump but with another hash (e.g. SHA1) you will just get 1/3 of that performance.

I can tell you that graphics cards are much faster than a CPU for that task and it all depends on the complexity of the hash. Then you need a good wordlist:

The rockyou.txt has ca. 14.3 million entries in many languages - so it's great to identify weak passwords for most countries and nationalities.
The HaveIBeenPwned wordlist is a compilation of some cracked passwords from real leaks and holds ca. 500 million passwords.

Both have real passwords used by people and so they are the best option for such attacks.

These tools can be used for cracking many passwords, from WLAN over hashed passwords in a database and Word or ZIP files to full disk encryption.

PassWare would be the way to go for forensics but comes with a price tag of 1000+ USD. Hashcat is free. Both offer bruteforcing based on a pattern or dictionary attacks. Some examples you can see in one of my books: https://books.google.cz/books?id=tREgEAAAQBAJ&pg=PA88&dq=%22hacking+with+kali+linux%22+hashcat&hl=de&sa=X&ved=2ahUKEwjR3vuolrLxAhXOiqQKHeENDPYQ6AEwAHoECAIQAg#v=onepage&q=%22hacking%20with%20kali%20linux%22%20hashcat&f=false

Fraser Corrance

Jun 25, 2021, 7:33:26 PM
to DataRecoveryCertification
Markus, about how long does it usually take to crack Bitlocker and FileVault encryptions with the setup you are using? 

I briefly skimmed your book, that's some impressive work. I am going to have to spend some time going through it a bit more thoroughly. 

Thanks for sharing. 

Fraser

Markus Bauer

Jun 26, 2021, 3:29:00 AM
to DataRecoveryCertification
Hi,
that all depends on the size of the image, the password and the hash. Extraction of the hash takes quite a while depending on the size of the image and then you start the cracking process. I found the following benchmark results from a GTX1660 Super:

Hashmode: 22100 - BitLocker (Iterations: 1048576)
Speed.#1.........: 1022 H/s (85.98ms) @ Accel:1 Loops:4096 Thr:1024 Vec:1

Hashmode: 16700 - FileVault 2 (Iterations: 19999)
Speed.#1.........: 43723 H/s (52.58ms) @ Accel:32 Loops:64 Thr:1024 Vec:1

So after extracting the hash you will need approx.
  • 4h for checking the rockyou.txt with the Bitlocker hash,
  • 136h for checking the HaveIBeenPwned.txt with the Bitlocker hash,
  • 5 min. for checking the rockyou.txt with the FileVault 2 hash and
  • 190 min. for checking the HaveIBeenPwned.txt with the FileVault 2 hash
If you find the password in the list it takes longer and if you use a stronger GPU like an RTX3090 you will reach:

Hashmode: 22100 - BitLocker (Iterations: 1048576)
Speed.#1.........: 4248 H/s (76.91ms) @ Accel:1 Loops:4096 Thr:1024 Vec:1

But even the approx. 6 days my old GTX1660 would need to crack a Bitlocker encrypted drive is not that long.

But if the password is not in the dictionary then you will just waste your time. So after 6-7 days at most you will know if you find a password. You can also try a bruteforce attack and let hashcat calculate all possible combinations, but with an 8-character PW which includes upper and lowercase as well as numbers and special characters that would take 12 or 530 days with the GTX1660 and 1/4 of that time with an RTX3090. So I would consider that an option for FileVault but not for Bitlocker.

The more the client can tell you about the PW, the better for you: you can exclude uppercase or special characters and so save a ton of time.
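
The arithmetic behind the dictionary estimates in the post above, as an added example that is not part of the original thread: it parses the quoted hashcat benchmark lines and computes the worst-case time to exhaust a candidate list, or a fixed-length keyspace, at that rate. The wordlist sizes are the approximate figures given earlier in the thread; the function names and the 8-digit case are assumptions made for illustration.

```python
import re

# Benchmark output exactly as quoted in the post above.
BENCHMARK = """\
Hashmode: 22100 - BitLocker (Iterations: 1048576)
Speed.#1.........: 1022 H/s (85.98ms) @ Accel:1 Loops:4096 Thr:1024 Vec:1

Hashmode: 16700 - FileVault 2 (Iterations: 19999)
Speed.#1.........: 43723 H/s (52.58ms) @ Accel:32 Loops:64 Thr:1024 Vec:1
"""
# Approximate wordlist sizes as stated earlier in the thread.
WORDLISTS = {"rockyou.txt": 14_300_000, "HaveIBeenPwned.txt": 500_000_000}
UNITS = {"H/s": 1, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9}

def parse_benchmark(text):
    """Map each hash mode name to its rate in H/s, summed over all devices."""
    rates, mode = {}, None
    for line in text.splitlines():
        head = re.match(r"Hashmode:\s*\d+\s*-\s*(.+?)\s*(?:\(|$)", line)
        if head:
            mode = head.group(1)
            rates[mode] = 0.0
            continue
        # Per-device lines only; the "Speed.#*" total line is skipped.
        speed = re.match(r"Speed\.#\d+\.*:\s*([\d.]+)\s*([kMG]?H/s)", line)
        if speed and mode:
            rates[mode] += float(speed.group(1)) * UNITS[speed.group(2)]
    return rates

def exhaust_hours(candidates, rate):
    """Worst-case hours to test every candidate at `rate` guesses per second."""
    return candidates / rate / 3600

def keyspace(alphabet_size, length):
    """Number of candidates in a fixed-length brute-force keyspace."""
    return alphabet_size ** length

def estimate(text=BENCHMARK, wordlists=WORDLISTS):
    """Return {(mode, wordlist): worst-case hours to exhaust the list}."""
    return {(mode, name): exhaust_hours(size, rate)
            for mode, rate in parse_benchmark(text).items()
            for name, size in wordlists.items()}

if __name__ == "__main__":
    for (mode, name), hours in estimate().items():
        print(f"{mode:12} {name:20} {hours:8.1f} h")
    # Constructed case: 8 decimal digits at the BitLocker rate above.
    print(f"8-digit numeric: {exhaust_hours(keyspace(10, 8), 1022):.1f} h")
```

The per-guess cost is set by the iteration count in each benchmark header, which is why the same list takes roughly 43 times longer against the BitLocker mode than against FileVault 2 on this GPU.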

Markus Bauer

Jun 26, 2021, 3:38:57 AM
to DataRecoveryCertification
One more thing - a consumer GPU is not made for 24/7 operation, especially under load, so you should pay attention to cooling. Good airflow, liquid metal instead of thermal paste or watercooling would be good.

Fraser Corrance

Jun 26, 2021, 4:15:48 PM
to datarecovery...@googlegroups.com
YES! Now I have a way to convince my boss to buy me that RTX3090 I always wanted! lol

Thanks for all the great info, Markus. 


Zin Ho

Jun 26, 2021, 5:28:38 PM
to DataRecoveryCertification
You can speed up the cracking process by using multiple GPUs. Ask your boss to get 6 - RTX3090 (if you can find it at MSRP) and build yourself a GPU miner to use for hashcat.

Markus Bauer

Jun 26, 2021, 5:32:55 PM
to DataRecoveryCertification
Here you can see why a GPU is needed: https://books.google.cz/books?id=tREgEAAAQBAJ&pg=PA82&dq=hacking+with+kali+linux+aircrack&hl=de&sa=X&ved=2ahUKEwi-q9WQn7bxAhWLyqQKHTg0AcMQ6AEwAnoECAQQAg#v=onepage&q=hacking%20with%20kali%20linux%20aircrack&f=false

The Ryzen 2700 needed approx. 27x longer than the GTX1660. Even a cheapo GT1030 wipes the floor with a CPU which cost 3x more at that time...

Fraser Corrance

Jun 30, 2021, 3:56:55 PM
to DataRecoveryCertification
Will this same process work on the T2 macs?

Markus Bauer

Jul 1, 2021, 5:17:09 AM
to DataRecoveryCertification
I didn't try that. As far as I hear there are some tools to crack that but I don't think that is hashcat in that case. Hashcat is more useful for dictionary attacks but I guess if you can extract some hash you could try to crack it but that can take a while with a bruteforce attack.

As far as I remember MacQuisition and PassWare have some options for that and you could have a look at M3 Data Recovery.