During a red-team engagement you obtain a 90-second window of physical access to an active Windows 10 laptop that uses BitLocker in its default TPM-only configuration and has not yet been put to sleep. You want to access the disk contents later, after the machine is shut down. Which technique offers the best chance of recovering the BitLocker volume master key under these conditions?
Put the laptop into hibernation, copy hiberfil.sys, and extract plaintext data from the file.
Install a malicious UEFI bootloader that records credentials at the next startup.
Clone the encrypted disk and launch a GPU-accelerated brute-force attack against the BitLocker header offline.
Perform a cold boot attack by cutting power and immediately dumping the laptop's RAM to capture residual BitLocker keys.
With TPM-only BitLocker, the volume master key resides unprotected in system RAM once the operating system has booted. A cold boot attack takes advantage of data-remanence: DRAM cells retain their contents for seconds to minutes after power is removed, especially if cooled. By quickly cutting power, transplanting the DIMMs (or rebooting into a minimal OS) and dumping memory, an attacker can capture the decrypted BitLocker keys before they decay.
Brute-forcing the BitLocker header is infeasible because AES-128/256 keys are randomly generated and never derived from a user password in TPM-only mode. Replacing the bootloader hopes to record credentials at the next boot, but TPM-only systems supply the key automatically-no password or PIN is entered-so nothing useful would be captured. Copying the hibernation file will not work because Windows encrypts hiberfil.sys with a key protected by BitLocker, which you do not yet possess. Therefore, performing a rapid cold boot memory dump is the most effective choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a cold boot attack?
Open an interactive chat with Bash
What is TPM and how does it relate to BitLocker encryption?
Open an interactive chat with Bash
Why is brute-forcing the BitLocker header ineffective in TPM-only mode?
Open an interactive chat with Bash
Why does a cold boot attack work on systems using BitLocker with TPM-only mode?
Open an interactive chat with Bash
What is data remanence, and why is it relevant to cold boot attacks?
Open an interactive chat with Bash
Why is brute-forcing the BitLocker header not feasible in TPM-only mode?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .