During a penetration test you acquire an employee's Windows 10 laptop that uses BitLocker in its default TPM-only mode. The lid is closed, placing the machine in sleep, but the system is still powered. You must gain access to the disk without any user credentials. Which technique offers the greatest likelihood of recovering BitLocker's full-volume encryption key from the device?
Perform a cold-boot attack and dump the laptop's RAM to an external device
Boot a Linux live USB and copy the SAM and SYSTEM hives for offline password cracking
Launch a GPU-accelerated brute-force attack against the AES-XTS volume header
Extract the sealed key from the TPM's non-volatile memory via a physical chip-off procedure
When BitLocker is configured in TPM-only mode, the drive is automatically unlocked once the operating system starts. While the screen is merely locked or the computer is in sleep/stand-by, the full-volume encryption key remains resident in DRAM. A cold-boot attack exploits the data-remanence property of RAM by rapidly power-cycling the machine, then copying the memory contents to another medium before they decay. The captured image can be searched for the 128-bit or 256-bit AES key that BitLocker uses, allowing the tester to decrypt the entire drive.
Brute-forcing the AES-XTS header is computationally infeasible with current technology; extracting the key directly from TPM non-volatile storage is ineffective because the key is never stored there in plain form; and copying the SAM/SYSTEM hives only helps recover Windows logon credentials, not the in-memory disk-encryption keys.
Certified Ethical Hacker (CEH)
Cryptography