![22560188_Abstract_digital_background_with_technology_circuit_3 [Converted]-01-01.png](https://static.wixstatic.com/media/3f4fbc_43487ad5d28b42339f5ee39183a07fb4~mv2.png/v1/fill/w_980,h_128,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/3f4fbc_43487ad5d28b42339f5ee39183a07fb4~mv2.png)
Blog
Defeating Microsoft's Default Bitlocker Implementation
This training walks participants through the entire process required to successfully tap BitLocker TPM bus communications. Within two days, the necessary knowledge about SMD soldering, the inner workings of notebooks, TPM basics, logic analyzers, basic forensic data collection and BitLocker theory is imparted. At the end, participants will not only be able to carry out an attack on a test notebook that they can take home, but they will also fully understand what they are doing and how to successfully use the attack on notebooks.
​
In addition, it is shown how tamper protection switches on notebooks can be bypassed and how the BitLocker recovery password can be decrypted with the tapped data in order to be able to further process the data using standard forensic tools. All of the hardware required for the attack is part of the hardware kit that participants take with them at the end of the training.
​
The training is structured as a step-by-step guide to carrying out the attack. For each step, participants receive the necessary theoretical background before taking the step in practice.
On the first day, your own attack adapters are soldered, which will be used later. After warming up with the soldering iron, the participants learn micro-soldering on test boards. The practical experience is followed by a theoretical block that delves deeply into the inner workings of modern notebooks. With the help of circuit diagrams, circuit board views and data sheets, the search for the TPM on the test notebook is instructed. Since these documents are not available for all notebooks, a manual search is first carried out on the test notebook. After the TPM has been found in the test notebook, the fine pins of the TPM can be connected to the attack adapter.
​
After preparing the test notebook on the first day, the tools will be presented on the second day. On the second day, you will learn how to use a logic analyzer in order to be able to carry out attacks on bus communication in general. The theory learned is then applied in practice and the hardware attack part ends with the tapping of the TPM communication. Before the key material can be extracted from the communication, the basics of BitLocker are taught and where to look for the Volume Master Key (VMK) in the TPM communication. With this knowledge, participants are now able to extract the BitLocker VMK and decrypt the data on their test notebook.
![27456383_questions_three_orange [Converted]fd-01-01.png](https://static.wixstatic.com/media/3f4fbc_eb84a73c692b46d5af8c96d473633ac9~mv2.png/v1/fill/w_980,h_255,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/3f4fbc_eb84a73c692b46d5af8c96d473633ac9~mv2.png)