BitLocker and memory remanence attack - basic question
Hi, basic BitLocker question
If you aren't setting a TPM + Startup PIN, it doesn't matter if you configure the close-lid behaviour to sleep or hibernate, does it? Meaning if the laptop is stolen and is either in sleep or hibernate state, as soon as the attacker opens the lid and wakes the computer, the BitLocker keys get transferred to RAM once you're at the login screen, and then they can perform the attack. Is that correct? Same for if the laptop was powered on and at the lock screen when it was stolen.
5 answers
Sort by: Most helpful
-
Reza-Ameri 17,011 Reputation points
2022-09-10T15:40:28.9+00:00
Hibernate is safe, because it will save your system's state to the hard disk and shut down your PC.
So, when you turn on your PC, it loads from the hard disk and BitLocker protects it.
Hibernate is similar to shut down but will load your state.
However, there is risk when you put the system into sleep and, like you said, because the key is inside the RAM, so it is a good idea to disable sleep while using BitLocker.
I also recommend disabling DMA; have a look at:
https://learn.microsoft.com/en-us/archive/blogs/motiba/locking-up-your-bitlocker
BenEUC 1 Reputation point
2022-09-12T01:01:39.33+00:00 Thank you Reza-Ameri,
The fundamental thing I'm trying to understand at this point is this: is it correct to state that if you are only using TPM as a protector, so long as the laptop can boot to the Windows logon screen, the BitLocker keys will then be in RAM and can be attacked? So it doesn't matter whether the laptop is shut down or in any low-power state (hibernate, sleep, hybrid sleep, fast startup)?
Supporting text:
"It is important to understand that a fully encrypted BitLocker volume will be automatically mounted and unlocked during the Windows boot process, long before the user signs in to the system with their Windows credentials. The TPM module will release the encryption metadata and decrypt the protected volume master key (VMK) automatically during the boot sequence, as shown in the image below.
This allows performing a quite unique attack often called the ‘cold boot attack’. The attacker would start the computer and wait while the system boots up. By the time the computer presents the login prompt, the BitLocker volume would be already mounted, and the VMK decrypted and stored in the computer’s RAM. The attacker would then dump the content of the computer’s volatile memory (by using a side attack or by physically removing the modules), extract VMK and decrypt the volume."
https://blog.elcomsoft.com/2020/05/unlocking-bitlocker-can-you-break-that-password/
-
BenEUC 1 Reputation point
2022-09-12T01:48:36.647+00:00 One thing I've come to realise is that what we're discussing here may be two distinct scenarios:
- Attacker is targeting the data in the RAM at the time the laptop was put in sleep state. This could include any M365 documents open at the time, accessed from M365 Cloud.
- Attacker is targeting the volume master key in the RAM in order to reconnect and mount the storage device in another system, then decrypt the SD and thus target the data on it. This won't include M365 documents accessed from sources other than what's on that drive, e.g. M365 Cloud.
I can see for scenario 1 how hibernate secures against that, but yes, my fundamental question still stands with regards to scenario 2.
-
Limitless Technology 39,786 Reputation points
2022-09-12T20:24:22.23+00:00 Hi,
Thank you for your question and reaching out.
Yes, that is correct. If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. To understand more on how this goes, you may refer to this link to gather further information: https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions
-
BenEUC 1 Reputation point
2025-01-07T02:51:24.28+00:00 A year later I came back to this question and I discovered that indeed the hibernate state is more secure than other states when it comes to DMA attacks. That is because those particular attacks rely on the system being in S3 sleep/standby mode, where the RAM can be attacked by a rogue memory controller, which is inordinately more difficult to perform in any other state, including S4 hibernate. Additionally, a Windows computer is typically put in S3 state when it goes to sleep mode.
Further detail and reading/listening: Anna and Dan - Taking DMA attacks to the next level - YouTube
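The following PowerShell script is an added example tying together the two practical points made in this thread (Reza-Ameri's answer: disable sleep and DMA while using BitLocker; the final reply: S3 standby is the state the DMA attacks rely on, S4 hibernate is not). It is not code posted by any participant or published by Microsoft. It audits the OS volume's protector type, which low-power states the platform exposes, the lid-close action, and the "disable new DMA devices when locked" policy, and with -Harden applies the mitigations. Assumptions not taken from the thread: the English-locale wording of powercfg output, the registry paths and the power-policy GUID used below, and that the policy allowing a TPM+PIN protector has been enabled before the printed Add-BitLockerKeyProtector command is run.

```powershell
# Added example (not from the thread or from Microsoft). Run elevated on Windows 10/11.
# Assumptions: English-locale powercfg output; registry paths and GUID as noted below.
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Harden)   # without -Harden the script only reports

function Get-ColdBootExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Protector type. With only a 'Tpm' protector the TPM unseals the VMK during boot,
    #    before logon, so the key is already in RAM at the lock screen.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    $userSecret = @($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)")
    } elseif ('Tpm' -in $types -and $userSecret.Count -eq 0) {
        $findings.Add('OS volume uses a TPM-only protector; the VMK is released at boot without a PIN')
    }

    # 2. Low-power states the platform offers. S3 keeps DRAM powered (the state the
    #    DMA-on-resume attacks need); S4 hibernate writes state to disk and powers off.
    $pcfg      = (powercfg /a | Out-String)
    $available = ($pcfg -split 'not available on this system')[0]   # English locale assumed
    if ($available -match 'Standby \(S3\)') { $findings.Add('S3 standby is available and enabled') }
    if ($available -notmatch 'Hibernate')   { $findings.Add('Hibernate (S4) is disabled or unsupported') }

    # 3. Lid-close action index: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
    $lid = (powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION | Out-String)
    foreach ($src in 'AC','DC') {
        if ($lid -match "Current $src Power Setting Index:\s*0x([0-9A-Fa-f]+)") {
            $action = [Convert]::ToInt32($Matches[1], 16)
            if ($action -eq 1) { $findings.Add("Lid close on $src power puts the system to sleep (S3)") }
        }
    }

    # 4. BitLocker policy "Disable new DMA devices when this computer is locked".
    #    The registry location is an assumption; verify it against the GPO on your build.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $dma = (Get-ItemProperty -Path $fve -Name DisableExternalDMAUnderLock -ErrorAction SilentlyContinue).DisableExternalDMAUnderLock
    if ($dma -ne 1) { $findings.Add('New DMA devices are not blocked while the machine is locked') }

    return $findings
}

function Invoke-ColdBootHardening {
    # Prefer hibernate wherever the machine would otherwise sleep.
    powercfg /hibernate on | Out-Null
    foreach ($cmd in 'setacvalueindex','setdcvalueindex') {
        powercfg "/$cmd" SCHEME_CURRENT SUB_BUTTONS LIDACTION 2 | Out-Null
    }
    powercfg /change standby-timeout-ac 0 | Out-Null   # no idle sleep on mains
    powercfg /change standby-timeout-dc 0 | Out-Null   # no idle sleep on battery
    powercfg /setactive SCHEME_CURRENT | Out-Null

    # Policy "Allow standby states (S1-S3) when sleeping" = disabled, so Sleep falls back
    # to hibernate. Path and GUID are assumptions taken from the Power Options template.
    $standby = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
    New-Item -Path $standby -Force | Out-Null
    Set-ItemProperty -Path $standby -Name ACSettingIndex -Value 0 -Type DWord
    Set-ItemProperty -Path $standby -Name DCSettingIndex -Value 0 -Type DWord

    # Block new DMA devices while locked (registry path assumed, see above).
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name DisableExternalDMAUnderLock -Value 1 -Type DWord

    # Changing the protector is interactive and policy-gated, so it is printed rather than run.
    Write-Host 'To require a PIN before the TPM unseals the VMK (once policy permits a TPM+PIN protector):'
    Write-Host '  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString "PIN")'
}

$before = @(Get-ColdBootExposure)
if ($before.Count -eq 0) { Write-Host 'No cold-boot/DMA exposure findings.' }
else { $before | ForEach-Object { Write-Host "FINDING: $_" } }
if ($Harden) {
    Invoke-ColdBootHardening
    Write-Host 'Re-audit after hardening:'
    @(Get-ColdBootExposure) | ForEach-Object { Write-Host "FINDING: $_" }
}
```

The audit deliberately treats "TPM-only protector" as a finding on its own: the power-state and DMA settings reduce how easily the attacker reaches a running system with the VMK in RAM, but only a pre-boot secret (PIN or startup key) keeps the TPM from unsealing the VMK for whoever powers the machine on, which is the scenario 2 the thread's questioner is asking about.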