Diagnostics and Recovery Toolset and BitLocker: Discussions on Encryption

A customer recently commented to us: "Why would I use BitLocker when tools like DaRT and COFEE can easily decrypt it?"

First up, let's set the scene on what BitLocker is all about (again), and then discuss whether DaRT (or COFEE, for that matter) compromises its intent.

BitLocker focuses on two things. The first is full volume encryption (FVE): your data gets encrypted, and you can use a TPM, a PIN, a USB key, etc. to provide access to the keys that decrypt the volume. See this TechNet article for more information.

The second part of BitLocker is system integrity. As each system loads, the boot sequence is checked for integrity, and if it differs from what we expect, we stop the boot...as explained by the TechNet article:

"...BitLocker uses the TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted volume accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.

BitLocker helps ensure the integrity of the startup process by:

  • Providing a method to check that early boot file integrity has been maintained, and help ensure that there has been no adversarial modification of those files, such as with boot sector viruses or rootkits.
  • Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.
  • Locking the system when tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering, since the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process...."

Now we understand where it's focused, and by further reading we understand how the keys can be accessed in order to decrypt the volume. Of course, if you don't provide any protection to those keys (say via a PIN), then anyone who boots the machine can gain access to decrypt the volume. Otherwise you need to use the recovery key, which is generated at the time the volume is about to be encrypted...and for the sys admins out there, you can escrow that key into Active Directory for later use.
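As an added example (not code from the original post or from Microsoft), here is a PowerShell script that audits a volume's key protectors for the TPM-only case the paragraph above warns about, makes sure a recovery password protector exists, and escrows it into Active Directory. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later, so newer than the Windows 7-era tooling this post has in mind), an elevated session, and a domain-joined machine whose AD is already configured to store BitLocker recovery information; the `$MountPoint` parameter is my own choice.

```powershell
# Added example, not from the original post: audit a BitLocker volume's key
# protectors and make sure its recovery password is escrowed in Active Directory.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later),
# an elevated session, and a domain-joined machine where AD accepts BitLocker
# recovery information (environment-specific; not configured by this script).

param(
    [string]$MountPoint = 'C:'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "$MountPoint is not currently protected by BitLocker (protection: $($vol.ProtectionStatus), volume: $($vol.VolumeStatus))."
}

# Enumerate the protectors: these are the only ways the volume can be unlocked.
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Output "Key protectors on ${MountPoint}: $($types -join ', ')"

# The post's point: a TPM-only protector unlocks the volume for whoever boots the
# original machine. A PIN (or startup key) adds a factor the person must supply.
$hasPinFactor = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
if (($types -contains 'Tpm') -and -not $hasPinFactor) {
    Write-Warning "TPM-only protection on ${MountPoint}: consider adding a PIN with Add-BitLockerKeyProtector -TpmAndPinProtector."
}

# Make sure a recovery password exists; this is the key DaRT (or an admin) needs
# to unlock the volume when normal boot validation fails.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    $updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $updated.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Write-Output "Added a recovery password protector to $MountPoint."
}

# Escrow each recovery password in AD so it can be retrieved later without
# relying on a copy kept on the machine itself.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Output "Escrowed recovery protector $($rp.KeyProtectorId) to Active Directory."
}
```

Run it as `.\Check-BitLockerEscrow.ps1 -MountPoint C:` from an elevated prompt. The script never prints the recovery password itself; the point of escrow is that the key lives in AD, where access is governed by directory permissions rather than by whoever holds the laptop.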

So back to the original concern: why would I use BitLocker if the DaRT tools can violate it? This implies to me that people think there's a backdoor to BitLocker...which we have repeatedly stated there isn't.

Just like you starting the machine, DaRT can only decrypt the volume if it knows the key to decrypt the volume. You need to provide that, and we get it by knowing the recovery key. So there isn't some violation here, or a security issue. Or some magical and mysterious backdoor...

COFEE is a set of forensic tools for law enforcement. The interesting part is the excerpt from this article:

"...COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab--files that are stored in active memory would otherwise be lost, for example..."

Note the "live computer system" part. That means the machine has to be running, which means the volume is already accessible by the OS, which means the key has already been provided. Game over.

Sorry to tell you, conspiracy theorists: there isn't a backdoor. BitLocker still preserves the intent of the two areas it focused on, and extends them further in Windows 7...